diff --git a/SOURCES/scap-security-guide-0.1.58-RHEL_08_010001-PR_7344.patch b/SOURCES/scap-security-guide-0.1.58-RHEL_08_010001-PR_7344.patch
new file mode 100644
index 0000000..06906ff
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-RHEL_08_010001-PR_7344.patch
@@ -0,0 +1,240 @@ +From bb5c2983be3b11c3cd1070cf1d3daca27cb700ee Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Thu, 19 Aug 2021 08:02:55 -0500 +Subject: [PATCH] Add a new rules RHEL-08-010001 and RHEL-07-020019 + +--- + .../agent_mfetpd_running/oval/shared.xml | 16 ++++++ + .../agent_mfetpd_running/rule.yml | 39 ++++++++++++++ + .../group.yml | 7 +++ + .../package_mcafeetp_installed/rule.yml | 51 +++++++++++++++++++ + products/rhel7/profiles/stig.profile | 2 + + products/rhel8/profiles/stig.profile | 4 ++ + shared/references/cce-redhat-avail.txt | 4 -- + .../data/profile_stability/rhel8/stig.profile | 2 + + .../profile_stability/rhel8/stig_gui.profile | 2 + + 9 files changed, 123 insertions(+), 4 deletions(-) + create mode 100644 linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/oval/shared.xml + create mode 100644 linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml + create mode 100644 linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml + create mode 100644 linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml + +diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/oval/shared.xml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/oval/shared.xml +new file mode 100644 +index 00000000000..9900d8bd724 +--- /dev/null ++++ 
b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/oval/shared.xml +@@ -0,0 +1,16 @@ ++ ++ ++ {{{ oval_metadata("Ensure that McAfee Endpoint Security for Linux (ENSL) is running.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^mfetpd.*$ ++ 0 ++ ++ +diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml +new file mode 100644 +index 00000000000..32c934467da +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml +@@ -0,0 +1,39 @@ ++documentation_complete: true ++ ++prodtype: rhel7,rhel8 ++ ++title: 'Ensure McAfee Endpoint Security for Linux (ENSL) is running' ++ ++description: |- ++ Install McAfee Endpoint Security for Linux antivirus software ++ which is provided for DoD systems and uses signatures to search for the ++ presence of viruses on the filesystem. ++ ++rationale: |- ++ Virus scanning software can be used to detect if a system has been compromised by ++ computer viruses, as well as to limit their spread to other systems. ++ ++severity: high ++ ++identifiers: ++ cce@rhel7: CCE-86262-3 ++ cce@rhel8: CCE-86261-5 ++ ++references: ++ disa: CCI-001233 ++ nist: SI-2(2) ++ srg: SRG-OS-000191-GPOS-00080 ++ stigid@rhel7: RHEL-07-020019 ++ stigid@rhel8: RHEL-08-010001 ++ ++ocil_clause: 'virus scanning software is not running' ++ ++ocil: |- ++ To verify that McAfee Endpoint Security for Linux is ++ running, run the following command: ++
$ sudo ps -ef | grep -i mfetpd
++ ++warnings: ++ - general: |- ++ Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software, ++ automated remediation is not available for this configuration check. +diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml +new file mode 100644 +index 00000000000..f2e4e89851a +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml +@@ -0,0 +1,7 @@ ++documentation_complete: true ++ ++title: 'McAfee Endpoint Security for Linux (ENSL)' ++ ++description: |- ++ McAfee Endpoint Security for Linux (ENSL) is a suite of software applications ++ used to monitor, detect, and defend computer networks and systems. +diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml +new file mode 100644 +index 00000000000..16587792eff +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml +@@ -0,0 +1,51 @@ ++documentation_complete: true ++ ++prodtype: rhel7,rhel8 ++ ++title: 'Install McAfee Endpoint Security for Linux (ENSL)' ++ ++description: |- ++ Install McAfee Endpoint Security for Linux antivirus software ++ which is provided for DoD systems and uses signatures to search for the ++ presence of viruses on the filesystem. 
++ ++ {{{ describe_package_install(package="mcafeetp") }}} ++ ++rationale: |- ++ Virus scanning software can be used to detect if a system has been compromised by ++ computer viruses, as well as to limit their spread to other systems. ++ ++severity: high ++ ++identifiers: ++ cce@rhel7: CCE-86257-3 ++ cce@rhel8: CCE-86260-7 ++ ++references: ++ disa: CCI-001233 ++ nist: SI-2(2) ++ srg: SRG-OS-000191-GPOS-00080 ++ stigid@rhel7: RHEL-07-020019 ++ stigid@rhel8: RHEL-08-010001 ++ ++ocil_clause: 'the package is not installed' ++ ++ocil: '{{{ ocil_package(package="mcafeetp") }}}' ++ ++warnings: ++ - general: |- ++ Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software, ++ automated remediation is not available for this configuration check. ++ ++platform: machine ++ ++template: ++ name: package_installed ++ vars: ++ pkgname: mcafeetp ++ backends: ++ bash: "off" ++ ansible: "off" ++ anaconda: "off" ++ puppet: "off" ++ blueprint: "off" +diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile +index f5761c891f2..9ca13600057 100644 +--- a/products/rhel7/profiles/stig.profile ++++ b/products/rhel7/profiles/stig.profile +@@ -316,3 +316,5 @@ selections: + - file_permissions_var_log_audit + - sysctl_net_ipv4_conf_all_rp_filter + - sysctl_net_ipv4_conf_default_rp_filter ++ - package_mcafeetp_installed ++ - agent_mfetpd_running +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 9dc9360e899..36f384621ae 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -84,6 +84,10 @@ selections: + # RHEL-08-010000 + - installed_OS_is_vendor_supported + ++ # RHEL-08-010001 ++ - package_mcafeetp_installed ++ - agent_mfetpd_running ++ + # RHEL-08-010010 + - security_patches_up_to_date + +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 3b24e19da06..08013e6de22 100644 +--- 
a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -372,12 +372,8 @@ CCE-86253-2 + CCE-86254-0 + CCE-86255-7 + CCE-86256-5 +-CCE-86257-3 + CCE-86258-1 + CCE-86259-9 +-CCE-86260-7 +-CCE-86261-5 +-CCE-86262-3 + CCE-86263-1 + CCE-86264-9 + CCE-86265-6 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index e9ba0f0adbf..f3e6c4fa1a1 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -65,6 +65,7 @@ selections: + - accounts_user_interactive_home_directory_defined + - accounts_user_interactive_home_directory_exists + - aide_check_audit_tools ++- agent_mfetpd_running + - aide_scan_notification + - aide_verify_acls + - aide_verify_ext_attributes +@@ -280,6 +281,7 @@ selections: + - package_gssproxy_removed + - package_iprutils_removed + - package_krb5-workstation_removed ++- package_mcafeetp_installed + - package_opensc_installed + - package_openssh-server_installed + - package_policycoreutils_installed +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index c8540f9392e..b5b60349a83 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -76,6 +76,7 @@ selections: + - accounts_user_interactive_home_directory_defined + - accounts_user_interactive_home_directory_exists + - aide_check_audit_tools ++- agent_mfetpd_running + - aide_scan_notification + - aide_verify_acls + - aide_verify_ext_attributes +@@ -291,6 +292,7 @@ selections: + - package_gssproxy_removed + - package_iprutils_removed + - package_krb5-workstation_removed ++- package_mcafeetp_installed + - package_opensc_installed + - package_openssh-server_installed + - package_policycoreutils_installed 
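Review bot: The OCIL check in agent_mfetpd_running/rule.yml, `$ sudo ps -ef | grep -i mfetpd`, matches its own grep process, so a host with ENSL stopped still prints a line and an auditor following the text literally will record a pass; use `$ sudo pgrep -l mfetpd` (or `ps -ef | grep -i '[m]fetpd'`) and state that empty output means the agent is not running. The same rule's description is a copy of the install rule ("Install McAfee Endpoint Security for Linux antivirus software ...") although the title and OCIL are about the daemon being active; something like `McAfee Endpoint Security for Linux (ENSL) must be running; the agent process is named mfetpd.` would match the check. The OVAL side appears to look only for a process matching `^mfetpd.*$` with a `0` state, but the criteria and object elements are not legible here, so whether a stale or impostor process of that name would be accepted cannot be confirmed from this hunk.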
diff --git a/SOURCES/scap-security-guide-0.1.58-RHEL_08_010360-PR_7209.patch b/SOURCES/scap-security-guide-0.1.58-RHEL_08_010360-PR_7209.patch
new file mode 100644
index 0000000..a43e17b
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-RHEL_08_010360-PR_7209.patch
@@ -0,0 +1,118 @@ +From 386f9787ceac9b0fc732bcd5fd5f7174254922b3 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Thu, 15 Jul 2021 14:33:44 -0500 +Subject: [PATCH] Update 'Configure Notification of Post-AIDE Scan Details' + +Added +- Ansible fix for this rule +- Configurable email for sending notification email for AIDE alerts +--- + .../aide_scan_notification/ansible/shared.yml | 28 +++++++++++++++++++ + .../aide_scan_notification/bash/shared.sh | 18 ++++++++---- + .../aide/aide_scan_notification/rule.yml | 2 ++ + .../var_aide_scan_notification_email.var | 16 +++++++++++ + 4 files changed, 58 insertions(+), 6 deletions(-) + create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml + create mode 100644 linux_os/guide/system/software/integrity/software-integrity/var_aide_scan_notification_email.var + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml +new file mode 100644 +index 00000000000..5c11fc1719e +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml +@@ -0,0 +1,28 @@ ++# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_wrlinux,multi_platform_ol,multi_platform_sle ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++{{% if product in ["sle12", "sle15"] %}} ++ {{% set aide_path = "/usr/bin/aide" %}} ++{{% else %}} ++ {{% set aide_path = "/usr/sbin/aide" %}} ++{{% endif %}} ++ ++- (xccdf-var var_aide_scan_notification_email) ++ ++- name: "Ensure AIDE is installed" ++ package: ++ name: "{{ item }}" ++ state: present ++ with_items: ++ - aide ++ ++- name: "{{{ rule_title }}}" ++ cron: ++ name: "run AIDE check" ++ minute: 05 ++ hour: 04 ++ weekday: 0 ++ 
user: root ++ job: '{{{aide_path}}} --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" {{ var_aide_scan_notification_email }}' +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh +index 2f129e568b2..3cb8b72a0bd 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh +@@ -1,6 +1,16 @@ + # platform = multi_platform_all + ++. /usr/share/scap-security-guide/remediation_functions ++ + {{{ bash_package_install("aide") }}} ++{{{ bash_instantiate_variables("var_aide_scan_notification_email") }}} ++{{% if product in ["sle12", "sle15"] %}} ++ {{% set aide_path = "/usr/bin/aide" %}} ++{{% else %}} ++ {{% set aide_path = "/usr/sbin/aide" %}} ++{{% endif %}} ++ ++ + + CRONTAB=/etc/crontab + CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly' +@@ -14,11 +24,7 @@ if [ -f /var/spool/cron/root ]; then + VARSPOOL=/var/spool/cron/root + fi + +-if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then +-{{% if product in ["sle12", "sle15"] %}} +- echo '0 5 * * * root /usr/bin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB +-{{% else %}} +- echo '0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB +-{{% endif %}} ++if ! 
grep -qR '^.*{{{aide_path}}}\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then ++ echo "0 5 * * * root {{{ aide_path }}} --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB + fi + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +index 51dae72ee6d..cb35c5c642d 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +@@ -57,3 +57,5 @@ ocil: |- +
$ grep aide /etc/crontab
+ The output should return something similar to the following: +
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
++ The email address that the notifications are sent to can be changed by overriding ++
. +diff --git a/linux_os/guide/system/software/integrity/software-integrity/var_aide_scan_notification_email.var b/linux_os/guide/system/software/integrity/software-integrity/var_aide_scan_notification_email.var +new file mode 100644 +index 00000000000..75b9f5d2650 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/software-integrity/var_aide_scan_notification_email.var +@@ -0,0 +1,16 @@ ++documentation_complete: true ++ ++title: Integrity Scan Notification Email Address ++ ++description: |- ++ Specify the email address for designated personnel if baseline ++ configurations are changed in an unauthorized manner. ++ ++type: string ++ ++operator: equals ++ ++interactive: true ++ ++options: ++ default: root@localhost diff --git a/SOURCES/scap-security-guide-0.1.58-RHEL_08_010420-PR_7227.patch b/SOURCES/scap-security-guide-0.1.58-RHEL_08_010420-PR_7227.patch new file mode 100644 index 0000000..c6dc193 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-RHEL_08_010420-PR_7227.patch 
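Review bot: Both remediations interpolate the tailorable `var_aide_scan_notification_email` unvalidated into a root cron command — `echo "0 5 * * * root ... $var_aide_scan_notification_email" >> $CRONTAB` in bash/shared.sh and `job: '... {{ var_aide_scan_notification_email }}'` in ansible/shared.yml — so a value carrying shell metacharacters (`;`, backticks, `$(...)`) from a tailoring file would run as root on every scan; the new .var is `type: string`, `interactive: true` with no allowed-values list or pattern. Add a sanity check before writing, e.g. `case "$var_aide_scan_notification_email" in ""|*[!A-Za-z0-9@._+-]*) echo "invalid notification address" >&2; exit 1;; esac`, and an equivalent `assert` task on the Ansible side. The two remediations also disagree: bash writes a daily `0 5 * * *` line to /etc/crontab, while the Ansible `cron` task sets `weekday: 0` (weekly) and, lacking `cron_file`, writes to root's spool crontab, so each backend's existence check will not see the other's entry and a host remediated both ways gets two jobs. Finally, the bash grep now accepts any `.*@.*` recipient, so an existing entry mailing the wrong address is never corrected to the configured one.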
@@ -0,0 +1,151 @@ +From 278f3b476291d69e45da4dcdfca5a308646224f2 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Mon, 19 Jul 2021 09:49:57 -0500 +Subject: [PATCH 1/2] Add more checks for bios_enable_execution_restrictions to + ensure we don't miss anything + +--- + .../oval/shared.xml | 18 ++++++++++++++++++ + .../rule.yml | 3 ++- + products/rhel8/profiles/stig.profile | 1 + + .../data/profile_stability/rhel8/stig.profile | 1 + + .../profile_stability/rhel8/stig_gui.profile | 1 + + 5 files changed, 23 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml + +diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml +new file mode 100644 +index 00000000000..622a183f99f +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml +@@ -0,0 +1,18 @@ ++ ++ ++ {{{ oval_metadata("The NX (no-execution) bit flag should be set on the system.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /proc/cpuinfo ++ ^flags[\s]+:.*[\s]+nx[\s]+.*$ ++ 1 ++ ++ +diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml +index 4ca003520ac..b037e374f5b 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml +@@ -14,7 +14,7 @@ rationale: |- + Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will + allow users to turn the feature on or off at will. 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: CCE-27099-1 +@@ -31,5 +31,6 @@ references: + iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4 + nist: SC-39,CM-6(a) + nist-csf: PR.IP-1 ++ stig@rhel8: RHEL-08-010420 + + platform: machine +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 5a0a520ee0a..6372d13cfc9 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -260,6 +260,7 @@ selections: + - package_opensc_installed + + # RHEL-08-010420 ++ - bios_enable_execution_restrictions + + # RHEL-08-010421 + - grub2_page_poison_argument +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 4be3cf93c25..32f1a24a7a4 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -74,6 +74,7 @@ selections: + - auditd_log_format + - auditd_name_format + - banner_etc_issue ++- bios_enable_execution_restrictions + - chronyd_client_only + - chronyd_no_chronyc_network + - chronyd_or_ntpd_set_maxpoll +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index 20b8a54861e..d6a27c67dc0 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -85,6 +85,7 @@ selections: + - auditd_log_format + - auditd_name_format + - banner_etc_issue ++- bios_enable_execution_restrictions + - chronyd_client_only + - chronyd_no_chronyc_network + - chronyd_or_ntpd_set_maxpoll + +From dac8111b4d89a31cbaa5648f876bd58575a93e86 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Mon, 19 Jul 2021 09:51:34 -0500 +Subject: [PATCH 2/2] Add oval check for bios_enable_execution_restrictions + +--- + .../oval/shared.xml | 24 ++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +diff --git 
a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml +index 622a183f99f..7cc448f8cce 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml ++++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml +@@ -1,8 +1,10 @@ + + + {{{ oval_metadata("The NX (no-execution) bit flag should be set on the system.") }}} +- ++ + ++ ++ + + + +@@ -10,9 +12,29 @@ + + + ++ ++ ++ ++ ++ ++ ++ ++ + + /proc/cpuinfo + ^flags[\s]+:.*[\s]+nx[\s]+.*$ + 1 + ++ ++ ++ /var/log/messages ++ ^.+protection: disabled.+ ++ 1 ++ ++ ++ ++ /proc/cmdline ++ .+noexec[0-9]*=off.+ ++ 1 ++ + diff --git a/SOURCES/scap-security-guide-0.1.58-RHEL_08_010630-PR_7250.patch b/SOURCES/scap-security-guide-0.1.58-RHEL_08_010630-PR_7250.patch new file mode 100644 index 0000000..2f4e268 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-RHEL_08_010630-PR_7250.patch 
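Review bot: The two tests added in bios_enable_execution_restrictions/oval/shared.xml are fragile: `/var/log/messages` exists only where rsyslog is installed and is rotated, so on a journald-only RHEL 8 host the `^.+protection: disabled.+` pattern can never match and the outcome depends on how an absent file is treated, and both new patterns use `.+` on each side, so a `noexec=off` at the very end of `/proc/cmdline` or a message ending in `disabled` is missed — prefer `^.*protection: disabled.*$` and `^.*\bnoexec[0-9]*=off\b.*$`. The original `/proc/cpuinfo` pattern `^flags[\s]+:.*[\s]+nx[\s]+.*$` has the same edge: it requires whitespace after `nx`, which fails when nx is the last flag on the line; `[\s]+nx([\s]|$)` is safer. The criteria wrapping these three tests are not legible here, so whether a missing log line counts for or against the host is inferred. Because this now ships as a `severity: medium` STIG control with no remediation, a false fail from these patterns will be hard for operators to clear.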
@@ -0,0 +1,47 @@ +From 4ac2a6db67e03e616b26d39fb0620d4656bac65b Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 14 Jul 2021 13:19:42 -0500 +Subject: [PATCH] Add RHEL-08-010590 STIG to existing rule + +--- + products/rhel8/profiles/stig.profile | 1 + + tests/data/profile_stability/rhel8/stig.profile | 1 + + tests/data/profile_stability/rhel8/stig_gui.profile | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 2508008d511..fef1965fb1d 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -341,6 +341,7 @@ selections: + - mount_option_nodev_nonroot_local_partitions + + # RHEL-08-010590 ++ - mount_option_home_noexec + + # RHEL-08-010600 + - mount_option_nodev_removable_partitions +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 765487c6f16..843d8eb7d0a 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -156,6 +156,7 @@ selections: + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid ++- mount_option_home_noexec + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_nodev_remote_filesystems +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index 9fd80aac727..6dd0f08b142 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -167,6 +167,7 @@ selections: + - mount_option_dev_shm_nodev + - mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid ++- mount_option_home_noexec + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions + - mount_option_nodev_remote_filesystems 
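Review bot: The selection is placed under the `# RHEL-08-010590` comment and the commit subject names RHEL-08-010590, but the patch file is named `RHEL_08_010630-PR_7250.patch`, which will mislead anyone tracing STIG coverage from the SOURCES directory; the patch should be named after the control it implements. The hunk does not touch `mount_option_home_noexec/rule.yml`, so unless that rule already carries `stigid@rhel8: RHEL-08-010590`, the generated STIG mapping will not link the two — this cannot be confirmed from here.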
diff --git a/SOURCES/scap-security-guide-0.1.58-RHEL_08_020090-PR_7313.patch b/SOURCES/scap-security-guide-0.1.58-RHEL_08_020090-PR_7313.patch new file mode 100644 index 0000000..1398a4c --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-RHEL_08_020090-PR_7313.patch @@ -0,0 +1,153 @@ +From 6eeef4054d707b8b255e9fa600c4c7babffbf5f7 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Mon, 2 Aug 2021 08:37:04 -0500 +Subject: [PATCH] Add rule for RHEL-08-020090 + +--- + .../sssd/sssd_enable_certmap/rule.yml | 58 +++++++++++++++++++ + .../sssd_enable_certmap/tests/default.fail.sh | 4 ++ + .../tests/with_section.pass.sh | 7 +++ + products/rhel8/profiles/stig.profile | 1 + + shared/references/cce-redhat-avail.txt | 1 - + .../data/profile_stability/rhel8/stig.profile | 1 + + .../profile_stability/rhel8/stig_gui.profile | 1 + + 7 files changed, 72 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml + create mode 100644 linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh + create mode 100644 linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh + +diff --git a/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml b/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml +new file mode 100644 +index 0000000000..0614a2f4a0 +--- /dev/null ++++ b/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml +@@ -0,0 +1,58 @@ ++documentation_complete: true ++ ++prodtype: fedora,rhel8 ++ ++title: 'Enable Certmap in SSSD' ++ ++description: |- ++ SSSD should be configured to verify the certificate of the user or group. To set this up ++ ensure that section like certmap/testing.test/rule_name is setup in ++ /etc/sssd/sssd.conf. For example ++
++   [certmap/testing.test/rule_name]
++   matchrule =<SAN>.*EDIPI@mil
++   maprule = (userCertificate;binary={cert!bin})
++   domains = testing.test
++   
++ ++rationale: |- ++ Without mapping the certificate used to authenticate to the user account, the ability to ++ determine the identity of the individual user or group will not be available for forensic ++ analysis. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-86060-1 ++ ++references: ++ disa: CCI-000187 ++ nist: IA-5 (2) (c) ++ stigid@rhel8: RHEL-08-020090 ++ ++warnings: ++ - general: |- ++ Automatic remediation of this control is not available, since all of the settings in ++ in the certmap need to be customized. ++ ++ocil_clause: 'Certmap is not configured in SSSD' ++ ++ocil: |- ++ To verify Certmap is enabled in SSSD, run the following command: ++
$ cat sudo cat /etc/sssd/sssd.conf
++ If configured properly, output should contain section like the following ++
++    [certmap/testing.test/rule_name]
++    matchrule =<SAN>.*EDIPI@mil
++    maprule = (userCertificate;binary={cert!bin})
++    domains = testing.test
++    
++ ++template: ++ name: lineinfile ++ vars: ++ path: '/etc/sssd/sssd.conf' ++ text: '^\[certmap\/.+\/.+\]$' ++ backends: ++ ansible: "off" ++ bash: "off" +diff --git a/linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh +new file mode 100644 +index 0000000000..1e31c0da19 +--- /dev/null ++++ b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++touch /etc/sssd/sssd.conf ++sed -i "s/\[certmap.*//g" /etc/sssd/sssd.conf +diff --git a/linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh +new file mode 100644 +index 0000000000..911e095f5d +--- /dev/null ++++ b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++cat >> /etc/sssd/sssd.conf<< EOF ++[certmap/testing.test/rule_name] ++matchrule =.*EDIPI@mil ++maprule = (userCertificate;binary={cert!bin}) ++domains = testing.test ++EOF +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index f17a7b88b1..ec0a3b1753 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -503,6 +503,7 @@ selections: + # RHEL-08-020080 + + # RHEL-08-020090 ++ - sssd_enable_certmap + + # RHEL-08-020100 + - accounts_password_pam_retry +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 73d025484e..e80557f033 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -186,7 +186,6 @@ CCE-86056-9 + CCE-86057-7 + CCE-86058-5 + CCE-86059-3 +-CCE-86060-1 + CCE-86061-9 + CCE-86062-7 + CCE-86063-5 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 236e595604..bffa509b69 100644 +--- 
a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -275,6 +275,7 @@ selections: + - sshd_set_keepalive_0 + - sshd_use_strong_rng + - sshd_x11_use_localhost ++- sssd_enable_certmap + - sssd_enable_smartcards + - sssd_offline_cred_expiration + - sudo_remove_no_authenticate +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index 9973b5adef..c84ac75c7b 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -286,6 +286,7 @@ selections: + - sshd_set_keepalive_0 + - sshd_use_strong_rng + - sshd_x11_use_localhost ++- sssd_enable_certmap + - sssd_enable_smartcards + - sssd_offline_cred_expiration + - sudo_remove_no_authenticate diff --git a/SOURCES/scap-security-guide-0.1.58-RHEL_08_020300-PR_7289.patch b/SOURCES/scap-security-guide-0.1.58-RHEL_08_020300-PR_7289.patch new file mode 100644 index 0000000..3a18e98 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-RHEL_08_020300-PR_7289.patch 
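Review bot: The OCIL command in sssd_enable_certmap/rule.yml, `$ cat sudo cat /etc/sssd/sssd.conf`, is garbled and will fail on a file named `sudo`; it should read `$ sudo cat /etc/sssd/sssd.conf` (sssd.conf is root-only, so the privilege escalation is needed). The lineinfile pattern `^\[certmap\/.+\/.+\]$` passes on a bare `[certmap/domain/rule]` header with no `matchrule`/`maprule`, i.e. a section that maps nothing, so the control can be "met" without any certificate-to-account mapping; if the check stays a regex, the description should say that only the section header is verified and the mapping rules themselves must be reviewed by hand. The example `matchrule =<SAN>.*EDIPI@mil` in the description and the `matchrule =.*EDIPI@mil` written by with_section.pass.sh differ, so one of them has lost the `<SAN>` selector and the fixture should use the documented form. default.fail.sh blanks only the header line and leaves the orphaned matchrule/maprule keys under the preceding section, which is fine for a fail case but deserves a one-line comment saying so.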
@@ -0,0 +1,194 @@ +From 2af7d6d8f86f80dbac088d115a50162cfc28c542 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Tue, 27 Jul 2021 07:49:50 -0500 +Subject: [PATCH] Add rule for RHEL-08-020300 + +--- + .../accounts_password_pam_dictcheck/rule.yml | 45 +++++++++++++++++++ + .../tests/disabled.fail.sh | 3 ++ + .../tests/enable.pass.sh | 3 ++ + .../tests/not_defined.fail.sh | 3 ++ + .../var_password_pam_dictcheck.var | 16 +++++++ + products/rhel8/profiles/stig.profile | 2 + + shared/references/cce-redhat-avail.txt | 1 - + .../data/profile_stability/rhel8/stig.profile | 2 + + .../profile_stability/rhel8/stig_gui.profile | 2 + + 9 files changed, 76 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/disabled.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/enable.pass.sh + create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/not_defined.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml +new file mode 100644 +index 0000000000..2990150c0a +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml +@@ -0,0 +1,45 @@ ++documentation_complete: true ++ 
++prodtype: fedora,rhel8 ++ ++title: 'Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words' ++ ++description: |- ++ The pam_pwquality module's dictcheck check if passwords contains dictionary words. When ++ dictcheck is set to 1 passwords will be checked for dictionary words. ++ ++rationale: |- ++ Use of a complex password helps to increase the time and resources required to compromise the password. ++ Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at ++ guessing and brute-force attacks. ++

++ Password complexity is one factor of several that determines how long it takes to crack a password. The more ++ complex the password, the greater the number of possible combinations that need to be tested before the ++ password is compromised. ++

++ Passwords with dictionary words may be more vulnerable to password-guessing attacks. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-86233-4 ++ ++references: ++ disa: CCI-000366 ++ nist: IA-5(c),IA-5(1)(a),CM-6(a),IA-5(4) ++ stigid@rhel8: RHEL-08-020300 ++ ++ocil_clause: 'dictcheck is not found or not equal to the required value' ++ ++ocil: |- ++ To check if dictionary words are disallowed run the following command: ++
$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf
++ The dictcheck parameter should be equal to 1. The value should look like ++
dictcheck=1
++
++
++template:
++ name: accounts_password
++ vars:
++ variable: dictcheck
++ operation: equals
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/disabled.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/disabled.fail.sh
+new file mode 100644
+index 0000000000..cb84c6d968
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/disabled.fail.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++echo "dictcheck=0" > /etc/security/pwquality.conf
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/enable.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/enable.pass.sh
+new file mode 100644
+index 0000000000..ceb9f7ec44
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/enable.pass.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++echo "dictcheck=1" > /etc/security/pwquality.conf
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/not_defined.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/not_defined.fail.sh
+new file mode 100644
+index 0000000000..57e54b6623
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/tests/not_defined.fail.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++sed -i s/dictcheck.+//g /etc/security/pwquality.conf
+diff --git 
a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var
+new file mode 100644
+index 0000000000..26452c3a8e
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_dictcheck.var
+@@ -0,0 +1,16 @@
++documentation_complete: true
++
++title: dictcheck
++
++description: |-
++ Prevent the use of dictionary words for passwords.
++
++type: number
++
++operator: equals
++
++interactive: false
++
++options:
++ 1: 1
++ default: 1
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index bf410c2087..f17a7b88b1 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -45,6 +45,7 @@ selections:
+ - var_password_pam_minlen=15
+ - var_password_pam_ocredit=1
+ - var_password_pam_dcredit=1
++ - var_password_pam_dictcheck=1
+ - var_password_pam_ucredit=1
+ - var_password_pam_lcredit=1
+ - var_password_pam_retry=3
+@@ -567,6 +568,7 @@ selections:
+ - sssd_offline_cred_expiration
+
+ # RHEL-08-020300
++ - accounts_password_pam_dictcheck
+
+ # RHEL-08-020310
+ - accounts_logon_fail_delay
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 0b794d5c2a..dae4495b2d 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -362,7 +362,6 @@ CCE-86229-2
+ CCE-86230-0
+ CCE-86231-8
+ CCE-86232-6
+-CCE-86233-4
+ CCE-86234-2
+ CCE-86235-9
+ CCE-86236-7
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index ddfa13e731..236e595604 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -35,6 +35,7 @@ selections:
+ - 
accounts_password_all_shadowed_sha512
+ - accounts_password_minlen_login_defs
+ - accounts_password_pam_dcredit
++- accounts_password_pam_dictcheck
+ - accounts_password_pam_difok
+ - accounts_password_pam_lcredit
+ - accounts_password_pam_maxclassrepeat
+@@ -332,6 +333,7 @@ selections:
+ - var_password_pam_minlen=15
+ - var_password_pam_ocredit=1
+ - var_password_pam_dcredit=1
++- var_password_pam_dictcheck=1
+ - var_password_pam_ucredit=1
+ - var_password_pam_lcredit=1
+ - var_password_pam_retry=3
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index 017ab8c0e3..9973b5adef 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
++++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -46,6 +46,7 @@ selections:
+ - accounts_password_all_shadowed_sha512
+ - accounts_password_minlen_login_defs
+ - accounts_password_pam_dcredit
++- accounts_password_pam_dictcheck
+ - accounts_password_pam_difok
+ - accounts_password_pam_lcredit
+ - accounts_password_pam_maxclassrepeat
+@@ -342,6 +343,7 @@ selections:
+ - var_password_pam_minlen=15
+ - var_password_pam_ocredit=1
+ - var_password_pam_dcredit=1
++- var_password_pam_dictcheck=1
+ - var_password_pam_ucredit=1
+ - var_password_pam_lcredit=1
+ - var_password_pam_retry=3
diff --git a/SOURCES/scap-security-guide-0.1.58-RHEL_08_020320-PR_7303.patch b/SOURCES/scap-security-guide-0.1.58-RHEL_08_020320-PR_7303.patch
new file mode 100644
index 0000000..210976a
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-RHEL_08_020320-PR_7303.patch
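Review bot: The `not_defined.fail.sh` scenario does not remove the setting it claims to remove: `sed -i s/dictcheck.+//g /etc/security/pwquality.conf` runs in sed's default basic-regex mode, where `+` is a literal character, so the expression only matches the text `dictcheck` followed by one character and a literal `+`, and a `dictcheck = 1` line already present in the file is left untouched. The scenario should delete the whole assignment, e.g. `sed -i -E '/^\s*dictcheck\s*=/d' /etc/security/pwquality.conf`, so that the fail result comes from the parameter actually being absent rather than from whatever the test image happens to ship. The `disabled.fail.sh` and `enable.pass.sh` scripts truncate pwquality.conf to a single line, which is acceptable for a scenario, but none of the three touches `/etc/pwquality.conf.d/*.conf`, which the rule's ocil text tells the assessor to inspect; a scenario that sets `dictcheck=0` only in a drop-in file would show whether the template's check really covers that directory.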
@@ -0,0 +1,220 @@
+From d6f7334d642fb311d32d7a171c460cd05e6625b8 Mon Sep 17 00:00:00 2001
+From: Matthew Burket
+Date: Fri, 6 Aug 2021 10:48:46 -0500
+Subject: [PATCH] Add rule for RHEL-08-020320
+
+---
+ .../ansible/shared.yml | 0
+ .../bash/shared.sh | 2 +-
+ .../oval/shared.xml | 2 +-
+ .../accounts_authorized_local_users/rule.yml | 12 +++++++++---
+ .../tests/bad_user.fail.sh | 2 ++
+ .../tests/default.pass.sh | 16 ++++++++++++++++
+ ...var_accounts_authorized_local_users_regex.var | 1 +
+ products/rhel8/profiles/stig.profile | 3 ++-
+ shared/references/cce-redhat-avail.txt | 1 -
+ tests/data/profile_stability/rhel8/stig.profile | 2 ++
+ .../profile_stability/rhel8/stig_gui.profile | 2 ++
+ 11 files changed, 36 insertions(+), 7 deletions(-)
+ rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/ansible/shared.yml (100%)
+ rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/bash/shared.sh (95%)
+ rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/oval/shared.xml (98%)
+ rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/rule.yml (88%)
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
+ rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/var_accounts_authorized_local_users_regex.var (81%)
+
+diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/ansible/shared.yml
+similarity index 100%
+rename from 
linux_os/guide/system/software/sap_host/accounts_authorized_local_users/ansible/shared.yml +rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/ansible/shared.yml +diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh +similarity index 95% +rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh +rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh +index c342acf36d1..fedb02d84ce 100644 +--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh +@@ -10,7 +10,7 @@ default_os_user="root" + for username in $( sed 's/:.*//' /etc/passwd ) ; do + if [[ ! "$username" =~ ($default_os_user|$var_accounts_authorized_local_users_regex) ]]; + then +- userdel $username ; ++ userdel $username ; + fi + done + +diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml +similarity index 98% +rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml +rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml +index 4e42081d0dc..c56799ded20 100644 +--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml +@@ -32,6 +32,6 @@ + var_ref="var_accounts_authorized_local_users_regex"> + + +- + +diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml 
b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
+similarity index 88%
+rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml
+rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
+index ddbda30afe6..e2311f6a5c3 100644
+--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: ol7,sle12,sle15
++prodtype: ol7,sle12,sle15,fedora,rhel8
+
+ title: 'Only Authorized Local User Accounts Exist on Operating System'
+
+@@ -26,11 +26,10 @@ rationale: |-
+ severity: medium
+
+ identifiers:
++ cce@rhel8: CCE-85987-6
+ cce@sle12: CCE-83195-8
+ cce@sle15: CCE-85561-9
+
+-severity: medium
+-
+ references:
+ disa: CCI-000366
+ nist@sle12: CM-6(b),CM-6.1(iv)
+@@ -41,6 +40,13 @@ references:
+
+ ocil_clause: 'there are unauthorized local user accounts on the system'
+
++{{% if 'rhel' in product %}}
++warnings:
++ - general: |-
++ Automatic remediation of this control is not available. Due the unique
++ requirements of each system.
++{{% endif %}}
++
+ ocil: |-
+ To verify that there are no unauthorized local user accounts, run the following command:
+
$ less /etc/passwd 
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
+new file mode 100644
+index 00000000000..6dabaff6bc6
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
+@@ -0,0 +1,2 @@
++#! /bin/bash
++adduser testuser
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
+new file mode 100644
+index 00000000000..d942f81d04f
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
+@@ -0,0 +1,16 @@
++#! /bin/bash
++# platform = multi_platform_rhel
++
++var_accounts_authorized_local_users_regex="^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
++
++# never delete the root user
++default_os_user="root"
++
++# delete users that is in /etc/passwd but neither in default_os_user
++# nor in var_accounts_authorized_local_users_regex
++for username in $( sed 's/:.*//' /etc/passwd ) ; do
++ if [[ ! 
"$username" =~ ($default_os_user|$var_accounts_authorized_local_users_regex) ]];
++ then
++ echo $username ;
++ fi
++done
+diff --git a/linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var b/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
+similarity index 81%
+rename from linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var
+rename to linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
+index 81626307321..2f456764617 100644
+--- a/linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var
++++ b/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
+@@ -22,5 +22,6 @@ operator: pattern match
+ interactive: true
+
+ options:
++ rhel8: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$"
+ ol7forsap: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
+ saponol7 : 
"^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|[a-z][a-z0-9][a-z0-9]adm|ora[a-z][a-z0-9][a-z0-9]|sapadm|oracle)$"
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index f66b2a24a75..ec2929e8dc4 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -54,6 +54,7 @@ selections:
+ - sshd_approved_macs=stig
+ - sshd_approved_ciphers=stig
+ - sshd_idle_timeout_value=10_minutes
++ - var_accounts_authorized_local_users_regex=rhel8
+ - var_accounts_passwords_pam_faillock_deny=3
+ - var_accounts_passwords_pam_faillock_fail_interval=900
+ - var_accounts_passwords_pam_faillock_unlock_time=never
+@@ -576,7 +577,7 @@ selections:
+ - accounts_logon_fail_delay
+
+ # RHEL-08-020320
+- # - accounts_authorized_local_users
++ - accounts_authorized_local_users
+
+ # RHEL-08-020330
+ - sshd_disable_empty_passwords
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 1d54e8ec15f..3047c2d9b92 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -115,7 +115,6 @@ CCE-85983-5
+ CCE-85984-3
+ CCE-85985-0
+ CCE-85986-8
+-CCE-85987-6
+ CCE-85988-4
+ CCE-85989-2
+ CCE-85990-0
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index fcae79f6d88..9496f1e1d1d 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -27,6 +27,7 @@ selections:
+ - account_emergency_expire_date
+ - account_temp_expire_date
+ - account_unique_id
++- accounts_authorized_local_users
+ - accounts_have_homedir_login_defs
+ - 
accounts_logon_fail_delay
+ - accounts_max_concurrent_login_sessions
+@@ -358,6 +359,7 @@ selections:
+ - var_auditd_disk_error_action=halt
+ - var_auditd_max_log_file_action=syslog
+ - var_auditd_disk_full_action=halt
++- var_accounts_authorized_local_users_regex=rhel8
+ - var_system_crypto_policy=fips
+ - var_sudo_timestamp_timeout=always_prompt
+ title: DISA STIG for Red Hat Enterprise Linux 8
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index 2bbd1881f51..9e0c648a5f8 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
++++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -38,6 +38,7 @@ selections:
+ - account_emergency_expire_date
+ - account_temp_expire_date
+ - account_unique_id
++- accounts_authorized_local_users
+ - accounts_have_homedir_login_defs
+ - accounts_logon_fail_delay
+ - accounts_max_concurrent_login_sessions
+@@ -368,6 +369,7 @@ selections:
+ - var_auditd_disk_error_action=halt
+ - var_auditd_max_log_file_action=syslog
+ - var_auditd_disk_full_action=halt
++- var_accounts_authorized_local_users_regex=rhel8
+ - var_system_crypto_policy=fips
+ - var_sudo_timestamp_timeout=always_prompt
+ title: DISA STIG with GUI for Red Hat Enterprise Linux 8
diff --git a/SOURCES/scap-security-guide-0.1.58-RHEL_08_030610-PR_7256.patch b/SOURCES/scap-security-guide-0.1.58-RHEL_08_030610-PR_7256.patch
new file mode 100644
index 0000000..95c3d1f
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-RHEL_08_030610-PR_7256.patch
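Review bot: `default.pass.sh` embeds its own copy of the authorized-user regex, and that copy lacks the `systemd-resolve|systemd-coredump|sssd|rngd` entries that the new `rhel8` option in `var_accounts_authorized_local_users_regex.var` adds, so the pass scenario runs against a value the rhel8 STIG profile never selects. The test `[[ ! "$username" =~ ($default_os_user|$var_accounts_authorized_local_users_regex) ]]` also leaves `root` unanchored inside the alternation, so any account whose name merely contains `root` is treated as authorized; the same construct sits in the renamed `bash/shared.sh` remediation, where it decides which accounts `userdel` removes. Replacing it with `if [[ ! "$username" =~ ^${default_os_user}$ ]] && [[ ! "$username" =~ $var_accounts_authorized_local_users_regex ]];` closes that gap in both places. The rule.yml hunk adds a rhel-only warning that automatic remediation is not available, yet the bash and ansible remediations stay in the rule directory; if they are built for rhel8 (their platform headers are outside this hunk), the warning is misleading and the remediation deletes every account the regex does not list, so either restrict their platform or drop the warning.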
@@ -0,0 +1,211 @@
+From 8455c8556a6d828b15ebc62cf511e484dd626a36 Mon Sep 17 00:00:00 2001
+From: Matthew Burket
+Date: Fri, 16 Jul 2021 13:16:12 -0500
+Subject: [PATCH] Add rules for RHEL-08-030610
+
+Added two rules, one for each of the paths mentioned in the STIG.
+---
+ .../rule.yml | 35 ++++++++++++++++++++++++++++++++++++
+ .../tests/correct_permissions.pass.sh | 6 ++++
+ .../tests/incorrect_permissions.fail.sh | 6 ++++
+ .../rule.yml | 36 +++++++++++++++++++++++++++++++++++++
+ .../tests/correct_permissions.pass.sh | 6 ++++
+ .../tests/incorrect_permissions.fail.sh | 6 ++++
+ products/rhel8/profiles/stig.profile | 2 ++
+ shared/references/cce-redhat-avail.txt | 2 --
+ .../data/profile_stability/rhel8/stig.profile | 2 ++
+ .../profile_stability/rhel8/stig_gui.profile | 2 ++
+ 10 files changed, 101 insertions(+), 2 deletions(-)
+ create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/correct_permissions.pass.sh
+ create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/incorrect_permissions.fail.sh
+ create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/rule.yml
+ create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/correct_permissions.pass.sh
+ create mode 100644 linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/incorrect_permissions.fail.sh
+
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/rule.yml
+new file mode 100644
+index 0000000000..1cde3ded5f
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/rule.yml
+@@ -0,0 +1,35 @@
++documentation_complete: true
++
++prodtype: fedora,rhel8
++
++title: 'Verify Permissions on 
/etc/audit/auditd.conf'
++
++description: |-
++ {{{ describe_file_permissions(file="/etc/audit/auditd.conf", perms="0640") }}}
++
++
++rationale: |-
++ Without the capability to restrict the roles and individuals that can select which events
++ are audited, unauthorized personnel may be able to prevent the auditing of critical
++ events. Misconfigured audits may degrade the system's performance by overwhelming
++ the audit log. Misconfigured audits may also make it more difficult to establish,
++ correlate, and investigate the events relating to an incident or identify
++ those responsible for one.
++
++severity: medium
++
++identifiers:
++ cce@rhel8: CCE-85871-2
++
++references:
++ disa: CCI-000171
++ nist: AU-12(b)
++ srg: SRG-OS-000063-GPOS-00032
++ stigid@rhel8: RHEL-08-030610
++
++template:
++ name: file_permissions
++ vars:
++ filepath: /etc/audit/auditd.conf
++ allow_stricter_permissions: "true"
++ filemode: '0640'
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/correct_permissions.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/correct_permissions.pass.sh
+new file mode 100644
+index 0000000000..8c9b782920
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/correct_permissions.pass.sh
+@@ -0,0 +1,6 @@
++#!/bin/bash
++
++export TESTFILE=/etc/audit/auditd.conf
++mkdir -p /etc/audit/
++touch $TESTFILE
++chmod 0640 $TESTFILE
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/incorrect_permissions.fail.sh
+new file mode 100644
+index 0000000000..a460e0dddd
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_auditd/tests/incorrect_permissions.fail.sh
+@@ -0,0 +1,6 @@
++#!/bin/bash
++
++export TESTFILLE=/etc/audit/auditd.conf
++mkdir -p 
/etc/audit/
++touch $TESTFILLE
++chmod 0644 $TESTFILLE
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/rule.yml
+new file mode 100644
+index 0000000000..34e1f30367
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/rule.yml
+@@ -0,0 +1,36 @@
++documentation_complete: true
++
++prodtype: fedora,rhel8
++
++title: 'Verify Permissions on /etc/audit/rules.d/*.rules'
++
++description: |-
++ {{{ describe_file_permissions(file="/etc/audit/rules.d/*.rules", perms="0640") }}}
++
++
++rationale: |-
++ Without the capability to restrict the roles and individuals that can select which events
++ are audited, unauthorized personnel may be able to prevent the auditing of critical
++ events. Misconfigured audits may degrade the system's performance by overwhelming
++ the audit log. Misconfigured audits may also make it more difficult to establish,
++ correlate, and investigate the events relating to an incident or identify
++ those responsible for one. 
++
++severity: medium
++
++identifiers:
++ cce@rhel8: CCE-85875-3
++
++references:
++ disa: CCI-000171
++ nist: AU-12(b)
++ srg: SRG-OS-000063-GPOS-00032
++ stigid@rhel8: RHEL-08-030610
++
++template:
++ name: file_permissions
++ vars:
++ filepath: /etc/audit/rules.d/
++ file_regex: ^.*rules$
++ allow_stricter_permissions: "true"
++ filemode: '0640'
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/correct_permissions.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/correct_permissions.pass.sh
+new file mode 100644
+index 0000000000..b0a20248c3
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/correct_permissions.pass.sh
+@@ -0,0 +1,6 @@
++#!/bin/bash
++
++export TESTFILE=/etc/audit/rules.d/test_rule.rules
++mkdir -p /etc/audit/rules.d/
++touch $TESTFILE
++chmod 0640 $TESTFILE
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/incorrect_permissions.fail.sh
+new file mode 100644
+index 0000000000..c7fd3a95e9
+--- /dev/null
++++ b/linux_os/guide/system/permissions/files/file_permissions_etc_audit_rulesd/tests/incorrect_permissions.fail.sh
+@@ -0,0 +1,6 @@
++#!/bin/bash
++
++export TESTFILLE=/etc/audit/rules.d/test_rule.rules
++mkdir -p /etc/audit/rules.d/
++touch $TESTFILLE
++chmod 0644 $TESTFILLE
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index 26d0aa9922..5a0a520ee0 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -801,6 +801,8 @@ selections:
+ - configure_usbguard_auditbackend
+
+ # RHEL-08-030610
++ - file_permissions_etc_audit_auditd
++ - file_permissions_etc_audit_rulesd
+
+ # RHEL-08-030620
+
+diff --git a/shared/references/cce-redhat-avail.txt 
b/shared/references/cce-redhat-avail.txt
+index ae3375fd4d..24e8149168 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -11,11 +11,9 @@ CCE-85867-0
+ CCE-85868-8
+ CCE-85869-6
+ CCE-85870-4
+-CCE-85871-2
+ CCE-85872-0
+ CCE-85873-8
+ CCE-85874-6
+-CCE-85875-3
+ CCE-85876-1
+ CCE-85877-9
+ CCE-85878-7
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index a1de1f5561..4be3cf93c2 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -123,6 +123,8 @@ selections:
+ - file_ownership_var_log_audit
+ - file_permission_user_init_files
+ - file_permissions_binary_dirs
++- file_permissions_etc_audit_auditd
++- file_permissions_etc_audit_rulesd
+ - file_permissions_home_directories
+ - file_permissions_library_dirs
+ - file_permissions_sshd_private_key
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index b7d2be3af3..20b8a54861 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
++++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -134,6 +134,8 @@ selections:
+ - file_ownership_var_log_audit
+ - file_permission_user_init_files
+ - file_permissions_binary_dirs
++- file_permissions_etc_audit_auditd
++- file_permissions_etc_audit_rulesd
+ - file_permissions_home_directories
+ - file_permissions_library_dirs
+ - file_permissions_sshd_private_key
diff --git a/SOURCES/scap-security-guide-0.1.58-RHEL_08_030650-PR_7283.patch b/SOURCES/scap-security-guide-0.1.58-RHEL_08_030650-PR_7283.patch
new file mode 100644
index 0000000..b3b0009
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-RHEL_08_030650-PR_7283.patch
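Review bot: Both `incorrect_permissions.fail.sh` scripts spell the variable `TESTFILLE`; each script is internally consistent so the scenarios still run, but the name should be `TESTFILE` to match the pass scripts, otherwise a later partial correction leaves `chmod 0644 $TESTFILLE` with an empty operand. The `file_permissions_etc_audit_rulesd` rule checks every file matching `^.*rules$` under `/etc/audit/rules.d/`, while its `correct_permissions.pass.sh` only creates and chmods `test_rule.rules`; if the test image ships other `*.rules` files with a looser mode, the pass scenario fails for reasons unrelated to the rule, so it should normalise the directory with `chmod 0640 /etc/audit/rules.d/*.rules` after creating the test file. The corresponding auditd.conf scenarios are unaffected because that rule targets a single path.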
@@ -0,0 +1,327 @@ +From 065b6e540a2aa437ddf5239c97ed4e1fddf43b50 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Mon, 26 Jul 2021 09:00:49 -0500 +Subject: [PATCH] Update rule aide_check_audit_tools for RHEL-08-030650 + +--- + .../aide_check_audit_tools/ansible/shared.yml | 27 ++++++++++++------ + .../aide_check_audit_tools/bash/shared.sh | 25 +++++++++++++++++ + .../aide_check_audit_tools/oval/shared.xml | 20 +++++++++++++ + .../aide/aide_check_audit_tools/rule.yml | 28 ++++++++++++------- + .../tests/correct.pass.sh | 15 ++++++++++ + .../tests/correct_with_selinux.pass.sh | 12 ++++++++ + .../tests/not_config.fail.sh | 14 ++++++++++ + products/rhel8/profiles/stig.profile | 1 + + shared/references/cce-redhat-avail.txt | 1 - + .../data/profile_stability/rhel8/stig.profile | 1 + + .../profile_stability/rhel8/stig_gui.profile | 1 + + 11 files changed, 126 insertions(+), 19 deletions(-) + create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh + create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh + create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh + create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml +index 73afaeff869..edef272183d 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml +@@ -1,18 +1,29 @@ +-# platform = multi_platform_sle ++# platform 
= multi_platform_sle,multi_platform_rhel + # reboot = false + # strategy = restrict + # complexity = low + # disruption = low + +-- name: Install aide package +- zypper: +- name: aide +- state: latest ++{{% if 'rhel' not in product %}} ++{{% set aide_string = 'p+i+n+u+g+s+b+acl+selinux+xattrs+sha512' %}} ++{{% else %}} ++{{% set aide_string = 'p+i+n+u+g+s+b+acl+xattrs+sha512' %}} ++{{% endif %}} ++ ++ ++ ++- name: Ensure aide is installed ++ package: ++ name: "{{ item }}" ++ state: present ++ with_items: ++ - aide ++ + + - name: Set audit_tools fact + set_fact: + audit_tools: +- - /usr/sbin/audispd ++ {{% if 'rhel' not in product %}}- /usr/sbin/audispd{{% endif %}} + - /usr/sbin/auditctl + - /usr/sbin/auditd + - /usr/sbin/augenrules +@@ -24,11 +35,11 @@ + lineinfile: + path: /etc/aide.conf + regexp: ^{{ item }}\s +- line: "{{ item }} p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" ++ line: "{{ item }} {{{ aide_string }}}" + with_items: "{{ audit_tools }}" + + - name: Configure AIDE to properly protect audit tools + lineinfile: + path: /etc/aide.conf +- line: "{{ item }} p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" ++ line: "{{ item }} {{{ aide_string }}}" + with_items: "{{ audit_tools }}" +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh +new file mode 100644 +index 00000000000..0875eeec648 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh +@@ -0,0 +1,25 @@ ++# platform = multi_platform_rhel ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++. 
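Review bot: Neither hunk of ansible/shared.yml regenerates the AIDE database after rewriting /etc/aide.conf, so the new per-file rules exist in the config but there is no baseline for them until someone re-initializes AIDE; until then a check will, as I understand AIDE, report the audit tools as newly added entries rather than verify their integrity. The test scripts in this patch do run `aide --init`, which is the step an operator would need here as well. If re-initialization is deliberately left out because it is disruptive, say so at the top of the play, e.g. `# NOTE: the AIDE database must be re-initialized (aide --init) after this change for the new rules to be enforced`, and put the same caveat in rule.yml.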
/usr/share/scap-security-guide/remediation_functions ++ ++{{{ bash_package_install("aide") }}} ++ ++{{% set configString = "p+i+n+u+g+s+b+acl+xattrs+sha512" %}} ++{{% set configFile = "/etc/aide.conf" %}} ++{{% for file in ( ++ "/usr/sbin/auditctl", ++ "/usr/sbin/auditd", ++ "/usr/sbin/ausearch", ++ "/usr/sbin/aureport", ++ "/usr/sbin/autrace", ++ "/usr/sbin/augenrules" ) %}} ++ ++if grep -i '^.*{{{file}}}.*$' {{{ configFile }}}; then ++sed -i "s#.*{{{file}}}.*#{{{file}}} {{{ configString }}}#" {{{ configFile }}} ++else ++echo "{{{ file }}} {{{ configString }}}" >> {{{ configFile }}} ++fi ++{{% endfor %}} +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml +index 32e6325a3ab..22c6276a1f5 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml +@@ -8,13 +8,19 @@ + + + ++ {{% if 'rhel' not in product %}} + ++ {{% endif %}} + + + + + ++ {{% if 'rhel' not in product %}} + p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 ++ {{% else %}} ++ p\+i\+n\+u\+g\+s\+b\+acl(|\+selinux)\+xattrs\+sha512 ++ {{% endif %}} + + + 1 + + ++ ++ ++ ++ ++ ++ /etc/aide.conf ++ ^/usr/sbin/rsyslogd\s+([^\n]+)$ ++ 1 ++ ++ ++ + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml +index 126ee756cc0..17a95bf4b31 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml +@@ -1,11 +1,11 @@ + documentation_complete: true + +-prodtype: sle12,sle15,ubuntu2004 
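Review bot: The `grep -i '^.*{{{file}}}.*$'` / `sed -i "s#.*{{{file}}}.*#…#"` pair in bash/shared.sh matches the path anywhere on a line, so a commented-out `#/usr/sbin/auditd …` or an AIDE negation `!/usr/sbin/auditd` is silently rewritten into a bare rule, and because grep is case-insensitive while sed is not, a line that matches only by case is neither rewritten nor appended. Anchor both to the start of the line and the end of the path, e.g. `if grep -q "^{{{ file }}}\(\s\|$\)" {{{ configFile }}}; then` and `sed -i "s#^{{{ file }}}\(\s.*\)\?\$#{{{ file }}} {{{ configString }}}#" {{{ configFile }}}`. Adding `-q` also stops grep from echoing the matched line into the remediation output.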
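Review bot: The object added at the end of the oval/shared.xml hunk matches `^/usr/sbin/rsyslogd\s+([^\n]+)$` in /etc/aide.conf, but rsyslogd is not one of the audit tools this rule covers (auditctl, auditd, ausearch, aureport, autrace, augenrules in the bash remediation) and no remediation in this patch writes such a line. If that object feeds a criterion, a system fully remediated by bash/shared.sh or the Ansible play would still fail the check; if it is unreferenced it is dead weight. Either drop it or change the path to the audit tool it was meant for. The XML markup is stripped on this page, so the criteria wiring cannot be confirmed here.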
++prodtype: sle12,sle15,ubuntu2004,rhel8,fedora + + title: 'Configure AIDE to Verify the Audit Tools' + + description: |- +- The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools. ++ The operating system file integrity tool must be configured to protect the integrity of the audit tools. + + rationale: |- + Protecting the integrity of the tools used for auditing purposes is a +@@ -31,32 +31,40 @@ rationale: |- + severity: medium + + identifiers: ++ cce@rhel8: CCE-85964-5 + cce@sle12: CCE-83204-8 + cce@sle15: CCE-85610-4 + + references: + disa: CCI-001496 +- nist@sle12: AU-9(3),AU-9(3).1 ++ nist: AU-9(3),AU-9(3).1 + srg: SRG-OS-000278-GPOS-00108 ++ stigid@rhel8: RHEL-08-030650 + stigid@sle12: SLES-12-010540 + stigid@sle15: SLES-15-030630 + stigid@ubuntu2004: UBTU-20-010205 + + ocil_clause: 'integrity checks of the audit tools are missing or incomplete' + ++{{% if 'rhel' not in product %}} ++{{% set aide_string = 'p+i+n+u+g+s+b+acl+selinux+xattrs+sha512' %}} ++{{% else %}} ++{{% set aide_string = 'p+i+n+u+g+s+b+acl+xattrs+sha512' %}} ++{{% endif %}} ++ + ocil: |- + Check that AIDE is properly configured to protect the integrity of the + audit tools by running the following command: + +
# sudo cat /etc/aide.conf | grep /usr/sbin/au
+ 
+-    /usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+-    /usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+-    /usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+-    /usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+-    /usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+-    /usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+-    /usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
++ /usr/sbin/auditctl {{{ aide_string }}} ++ /usr/sbin/auditd {{{ aide_string }}} ++ /usr/sbin/ausearch {{{ aide_string }}} ++ /usr/sbin/aureport {{{ aide_string }}} ++ /usr/sbin/autrace {{{ aide_string }}} ++ {{% if 'rhel' not in product %}}/usr/sbin/audispd {{{ aide_string }}}{{% endif %}} ++ /usr/sbin/augenrules {{{ aide_string }}} + + If AIDE is configured properly to protect the integrity of the audit tools, + all lines listed above will be returned from the command. +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh +new file mode 100644 +index 00000000000..756b88d8a23 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh +@@ -0,0 +1,15 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora ++ ++ ++yum -y install aide ++aide --init ++ ++ ++declare -a bins ++bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace') ++ ++for theFile in "${bins[@]}" ++do ++ echo "$theFile p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf ++done +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh +new file mode 100644 +index 00000000000..f3a2a126d3d +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh +@@ -0,0 +1,12 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora ++ ++yum -y install aide ++ ++declare -a bins ++bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' 
'/usr/sbin/ausearch' '/usr/sbin/autrace') ++ ++for theFile in "${bins[@]}" ++do ++ echo "$theFile p+i+n+u+g+s+b+acl+selinux+xattrs+sha5122" >> /etc/aide.conf ++done +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh +new file mode 100644 +index 00000000000..4315cef2073 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh +@@ -0,0 +1,14 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora ++ ++ ++yum -y install aide ++aide --init ++ ++declare -a bins ++bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace') ++ ++for theFile in "${bins[@]}" ++do ++ echo sed -i "s#^.*${theFile}.*##g" /etc/aide.conf ++done +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 7270a8f91f2..6b3232a9e00 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -822,6 +822,7 @@ selections: + # RHEL-08-030640 + + # RHEL-08-030650 ++ - aide_check_audit_tools + + # RHEL-08-030660 + - auditd_audispd_configure_sufficiently_large_partition +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 665f903ead4..ff557cc2323 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -97,7 +97,6 @@ CCE-85960-3 + CCE-85961-1 + CCE-85962-9 + CCE-85963-7 +-CCE-85964-5 + CCE-85965-2 + CCE-85966-0 + CCE-85967-8 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 7d59cfff625..692a1690b19 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ 
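Review bot: The AIDE rule written by correct_with_selinux.pass.sh ends in `sha5122`, not `sha512`, so this passing scenario only passes if the OVAL pattern `…\+xattrs\+sha512` is not anchored at end of line — and in that case the check also accepts arbitrary trailing text after the hash algorithm; if the pattern is anchored, the test is simply wrong. Fix the line to `echo "$theFile p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf` and add a fail scenario with a trailing character so the intended anchoring is pinned. This script also skips the `aide --init` the other two scenarios run; probably harmless for a config-only check, but it keeps the scenarios from being comparable.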
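Review bot: The `echo` in front of `sed -i "s#^.*${theFile}.*##g" /etc/aide.conf` in not_config.fail.sh turns the removal into a print, so the loop never strips anything from /etc/aide.conf; the scenario fails today only because a freshly installed aide.conf contains none of these entries, which means it does not exercise the "entries removed" case it is named for. Drop the `echo`. The unescaped `${theFile}` inside the sed regex is fine for this particular list of paths, but a `.` or `+` in a future entry would change what the pattern matches.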
-60,6 +60,7 @@ selections: + - accounts_user_home_paths_only + - accounts_user_interactive_home_directory_defined + - accounts_user_interactive_home_directory_exists ++- aide_check_audit_tools + - aide_scan_notification + - aide_verify_acls + - aide_verify_ext_attributes +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index 2c2daad6f6d..cf119c02a17 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -71,6 +71,7 @@ selections: + - accounts_user_home_paths_only + - accounts_user_interactive_home_directory_defined + - accounts_user_interactive_home_directory_exists ++- aide_check_audit_tools + - aide_scan_notification + - aide_verify_acls + - aide_verify_ext_attributes diff --git a/SOURCES/scap-security-guide-0.1.58-RHEL_08_030700-PR_7264.patch b/SOURCES/scap-security-guide-0.1.58-RHEL_08_030700-PR_7264.patch new file mode 100644 index 0000000..8b40cb8 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-RHEL_08_030700-PR_7264.patch 
@@ -0,0 +1,241 @@ +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml +new file mode 100644 +index 0000000000..4f88ed361d +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml +@@ -0,0 +1,8 @@ ++# platform = multi_platform_fedora,multi_platform_rhel ++ ++{{{ ansible_set_config_file(file="/etc/audit/auditd.conf", ++ parameter="overflow_action", ++ value="syslog", ++ separator="=", ++ separator_regex="=", ++ prefix_regex="^\s*") }}} +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh +new file mode 100644 +index 0000000000..539b9b6582 +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh +@@ -0,0 +1,12 @@ ++# platform = multi_platform_fedora,multi_platform_rhel ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++{{{set_config_file(path="/etc/audit/auditd.conf", ++ parameter="overflow_action", ++ value="syslog", ++ separator="=", ++ separator_regex="=", ++ prefix_regex="^\s*")}}} +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml +new file mode 100644 +index 0000000000..fd45280e4e +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml +@@ -0,0 +1,6 @@ ++{{{ oval_check_config_file( ++ path="/etc/audit/auditd.conf", ++ prefix_regex="^(?:.*\\n)*\s*", ++ parameter="overflow_action", ++ value="syslog|single|halt", ++ 
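Review bot: The Ansible header declares only the platform, while the bash twin of this remediation in the same patch declares `# reboot = true`, `# strategy = restrict`, `# complexity = low` and `# disruption = low` for the identical auditd.conf edit; the two should agree on whether a restart or reboot is required, since `overflow_action` only takes effect once auditd re-reads its configuration. Add the same four header lines to ansible/shared.yml, or drop `reboot = true` from the bash variant if the decision is that a daemon restart suffices.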
separator_regex="\s*=\s*") }}} +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml +new file mode 100644 +index 0000000000..d41ca00076 +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml +@@ -0,0 +1,36 @@ ++documentation_complete: true ++ ++title: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full ++ ++description: |- ++ The audit system should have an action setup in the event the internal event queue becomes full. ++ To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action ++ to one of the following values: syslog, single, halt. ++ ++ ++rationale: |- ++ The audit system should have an action setup in the event the internal event queue becomes full ++ so that no data is lost. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-85889-4 ++ ++references: ++ disa: CCI-001851 ++ nist: AU-4(1) ++ srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224 ++ stigid@rhel8: RHEL-08-030700 ++ ++ocil_clause: 'auditd overflow action is not setup correctly' ++ ++ocil: |- ++ Verify the audit system is configured to take an appropriate action when the internal event queue is full: ++
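Review bot: The value alternation `syslog|single|halt` in oval/shared.xml is literal lower-case, while auditd accepts the keyword case-insensitively and, as far as I recall, the stock RHEL 8 auditd.conf ships `overflow_action = SYSLOG`; unless `oval_check_config_file` adds a case-insensitive flag, an untouched default system fails this check and the remediation then rewrites a line that was already compliant. Worth confirming the macro's behaviour and, if needed, using `value="(?i:syslog|single|halt)"` (or whatever form the macro expects) plus an upper-case `SYSLOG` pass scenario. The OCIL text already uses `grep -i`, so the two would then agree.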
$ sudo grep -i overflow_action /etc/audit/auditd.conf
++ ++ The output should contain be like overflow_action = syslog ++ ++ If the value of the "overflow_action" option is not set to syslog, ++ single, halt or the line is commented out, ask the System Administrator ++ to indicate how the audit logs are off-loaded to a different system or media. +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh +new file mode 100644 +index 0000000000..ec7525b195 +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# Ensure test system has proper directories/files for test scenario ++bash -x setup.sh ++ ++echo "# overflow_action = syslog" >> /etc/audit/auditd.conf +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh +new file mode 100644 +index 0000000000..e4d173ab37 +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# Ensure test system has proper directories/files for test scenario ++bash -x setup.sh ++ ++if [[ -f $config_file ]]; then ++ echo '' > $config_file ++fi +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh +new file mode 100644 +index 0000000000..f26cd7cddf +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ 
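Review bot: The rationale in rule.yml says the overflow action is set "so that no data is lost", but per auditd.conf(5), as I read it, an overflowing queue means the current event is lost whatever the action; `syslog` only records a warning and `single`/`halt` stop the system to prevent further unaudited activity. Rephrase to something like `so that a queue overflow is either recorded or forces the system into single-user mode or a halt rather than being silently ignored`, and fix the OCIL sentence `The output should contain be like overflow_action = syslog` to `The output should be similar to overflow_action = syslog`.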
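Review bot: `config_file` in empty.fail.sh is never set in this script — it is defined only inside setup.sh, which runs as a child process via `bash -x setup.sh` — so `$config_file` expands to empty, `[[ -f '' ]]` is false and the file is never truncated; the scenario ends up identical to a default system instead of testing an empty auditd.conf. Add `config_file=/etc/audit/auditd.conf` after the setup call, as not_present.fail.sh in this patch already does.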
++config_file=/etc/audit/auditd.conf ++ ++if [[ -f $config_file ]]; then ++ rm -f $config_file ++fi +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh +new file mode 100644 +index 0000000000..0ec591b25b +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# Ensure test system has proper directories/files for test scenario ++bash -x setup.sh ++ ++echo "overflow_action = halt" >> /etc/audit/auditd.conf +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh +new file mode 100644 +index 0000000000..236ad543fe +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# Ensure test system has proper directories/files for test scenario ++bash -x setup.sh ++ ++echo "overflow_action = ignore" >> /etc/audit/auditd.conf +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh +new file mode 100644 +index 0000000000..74efdcafee +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# Ensure test system has proper directories/files for test scenario ++bash -x setup.sh ++config_file=/etc/audit/auditd.conf ++sed -i "s/^.*overflow_action.*$//" $config_file +diff --git 
a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh +new file mode 100644 +index 0000000000..de11126320 +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# Use this script to ensure the audit directory structure and audit conf file ++# exist in the test env. ++config_file=/etc/audit/auditd.conf ++ ++# Ensure directory structure exists (useful for container based testing) ++test -d /etc/audit/ || mkdir -p /etc/audit/ ++ ++test -f $config_file || touch $config_file +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh +new file mode 100644 +index 0000000000..f9fa7a935c +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# Ensure test system has proper directories/files for test scenario ++bash -x setup.sh ++ ++echo "overflow_action = single" >> /etc/audit/auditd.conf +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh +new file mode 100644 +index 0000000000..1c625fb752 +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# Ensure test system has proper directories/files for test scenario ++bash -x setup.sh ++ ++echo "overflow_action = syslog" >> /etc/audit/auditd.conf +diff --git a/products/rhel8/profiles/stig.profile 
b/products/rhel8/profiles/stig.profile +index 6372d13cfc..5cac78e00d 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -826,6 +826,7 @@ selections: + - rsyslog_remote_loghost + + # RHEL-08-030700 ++ - auditd_overflow_action + + # RHEL-08-030710 + +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 24e8149168..b3d9596e1f 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -27,7 +27,6 @@ CCE-85885-2 + CCE-85886-0 + CCE-85887-8 + CCE-85888-6 +-CCE-85889-4 + CCE-85890-2 + CCE-85891-0 + CCE-85892-8 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 32f1a24a7a..c9d23ed1dc 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -73,6 +73,7 @@ selections: + - auditd_local_events + - auditd_log_format + - auditd_name_format ++- auditd_overflow_action + - banner_etc_issue + - bios_enable_execution_restrictions + - chronyd_client_only +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index d6a27c67dc..7303145141 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -84,6 +84,7 @@ selections: + - auditd_local_events + - auditd_log_format + - auditd_name_format ++- auditd_overflow_action + - banner_etc_issue + - bios_enable_execution_restrictions + - chronyd_client_only diff --git a/SOURCES/scap-security-guide-0.1.58-RHEL_08_030710-PR_7268.patch b/SOURCES/scap-security-guide-0.1.58-RHEL_08_030710-PR_7268.patch new file mode 100644 index 0000000..41d206c --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-RHEL_08_030710-PR_7268.patch 
@@ -0,0 +1,480 @@ +From 2f38b61e9b6b26dab05443a9bf03642971cbeeef Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Fri, 23 Jul 2021 16:32:15 -0500 +Subject: [PATCH] Add new rule for RHEL-08-030710 + +--- + .../ansible/shared.yml | 5 +++ + .../bash/shared.sh | 6 +++ + .../oval/shared.xml | 44 +++++++++++++++++++ + .../rule.yml | 38 ++++++++++++++++ + .../tests/default_no_pass.fail.sh | 7 +++ + .../tests/rsyslog.pass.sh | 4 ++ + .../tests/rsyslog_wrong_value.fail.sh | 4 ++ + .../tests/rsyslogd.pass.sh | 4 ++ + .../tests/rsyslogd_wrong_value.fail.sh | 4 ++ + .../tests/setup.sh | 9 ++++ + .../ansible/shared.yml | 5 +++ + .../bash/shared.sh | 5 +++ + .../oval/shared.xml | 44 +++++++++++++++++++ + .../rule.yml | 38 ++++++++++++++++ + .../tests/default_no_pass.fail.sh | 7 +++ + .../tests/rsyslog.pass.sh | 4 ++ + .../tests/rsyslog_wrong_value.fail.sh | 4 ++ + .../tests/rsyslogd.pass.sh | 4 ++ + .../tests/rsyslogd_wrong_value.fail.sh | 4 ++ + .../tests/setup.sh | 9 ++++ + products/rhel8/profiles/stig.profile | 2 + + shared/references/cce-redhat-avail.txt | 2 - + .../data/profile_stability/rhel8/stig.profile | 2 + + .../profile_stability/rhel8/stig_gui.profile | 2 + + 24 files changed, 255 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/bash/shared.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/oval/shared.xml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/rule.yml + create mode 100644 
linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/default_no_pass.fail.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog.pass.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog_wrong_value.fail.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd.pass.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd_wrong_value.fail.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/setup.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/bash/shared.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/oval/shared.xml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/rule.yml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/default_no_pass.fail.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog.pass.sh + create mode 100644 
linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog_wrong_value.fail.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd.pass.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd_wrong_value.fail.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/setup.sh + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml +new file mode 100644 +index 0000000000..2d6c5227a8 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml +@@ -0,0 +1,5 @@ ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++ ++{{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf", ++ parameter="\$ActionSendStreamDriverMode", value="1", create=true, separator=" ", separator_regex=" ") ++}}} +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/bash/shared.sh +new file mode 100644 +index 0000000000..36853d1786 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/bash/shared.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++ ++{{{ 
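Review bot: Writing `$ActionSendStreamDriverMode 1` into /etc/rsyslog.d/encrypt.conf on its own does not make off-loading encrypted: as I understand rsyslog's legacy directives, it only requests TLS mode for forwarding actions parsed after it and still depends on `$DefaultNetstreamDriver gtls` (covered by the sibling rule in this patch), on CA/certificate/key settings and on an actual `@@host` forwarding action, none of which this remediation creates. As a check this mirrors what the STIG asks for, so the point is documentation: add a comment above the macro call such as `# Only sets the mode flag; the gtls driver, its certificate files and a TLS forwarding action must be configured separately`, and the same caveat in rule.yml, so an operator does not read a pass as proof that logs leave the host encrypted.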
set_config_file(path="/etc/rsyslog.d/encrypt.conf", ++ parameter="\$ActionSendStreamDriverMode", value="1", create=true, separator=" ", separator_regex=" ") ++}}} +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/oval/shared.xml +new file mode 100644 +index 0000000000..d21f8af1e4 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/oval/shared.xml +@@ -0,0 +1,44 @@ ++ ++ ++ ++ {{{ oval_metadata("Rsyslogd must encrypt the off-loading of logs off of the system.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/rsyslog.conf ++ ^\$ActionSendStreamDriverMode 1$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ /etc/rsyslog.d ++ ^.*conf$ ++ ^\$ActionSendStreamDriverMode 1$ ++ 1 ++ ++ +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/rule.yml +new file mode 100644 +index 0000000000..1bcc33927b +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/rule.yml +@@ -0,0 +1,38 @@ ++documentation_complete: true ++ ++title: Ensure Rsyslog Encrypts Off-Loaded Audit Records ++ ++description: |- ++ Rsyslogd is a system utility providing support for message logging. Support ++ for both internet and UNIX domain sockets enables this utility to support both local ++ and remote logging. Couple this utility with gnutls (which is a secure communications ++ library implementing the SSL, TLS and DTLS protocols), and you have a method to securely ++ encrypt and off-load auditing. 
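Review bot: The patterns `^\$ActionSendStreamDriverMode 1$` in oval/shared.xml require exactly one space and exact case, while rsyslog's legacy `$` directives are, as far as I know, case-insensitive and accept any run of whitespace; a valid `$actionsendstreamdrivermode	1` or `$ActionSendStreamDriverMode  1` passes the OCIL's `grep -i` but fails this OVAL. Loosen both patterns to `(?i)^\s*\$ActionSendStreamDriverMode\s+1\s*$` and add a pass scenario with a tab or double space. The markup is stripped on this page, so whether the rsyslog.conf and rsyslog.d tests are combined with OR, as the rule text implies, cannot be confirmed here.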
++ ++ When using rsyslogd to off-load logs off a encrpytion system must be used. ++ ++rationale: |- ++ The audit records generated by Rsyslog contain valuable information regarding system ++ configuration, user authentication, and other such information. Audit records should be ++ protected from unauthorized access. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-86098-1 ++ ++references: ++ disa: CCI-001851 ++ nist: AU-4(1) ++ srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224 ++ stigid@rhel8: RHEL-08-030710 ++ ++ocil_clause: 'rsyslogd ActionSendStreamDriverMode not set to 1' ++ ++ocil: |- ++ Verify the operating system encrypts audit records off-loaded onto a different system ++ or media from the system being audited with the following commands: ++ ++
$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
++ The output should be ++
/etc/rsyslog.conf:$ActionSendStreamDriverMode 1
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/default_no_pass.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/default_no_pass.fail.sh +new file mode 100644 +index 0000000000..3ee5384371 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/default_no_pass.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++bash -x setup.sh ++ ++if [[ -f encrypt.conf ]]; then ++ sed -i i/\$ActionSendStreamDriverMod//g /etc/rsyslog.d/encrypt.conf ++fi ++ sed -i i/\$ActionSendStreamDriverMod//g /etc/rsyslog.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog.pass.sh +new file mode 100644 +index 0000000000..34105aaa85 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++bash -x setup.sh ++ ++echo "\$ActionSendStreamDriverMode 1" >> /etc/rsyslog.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog_wrong_value.fail.sh +new file mode 100644 +index 0000000000..db87b2956c +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog_wrong_value.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++bash -x setup.sh ++ ++echo 
"\$ActionSendStreamDriverMode 0" >> /etc/rsyslog.d/encrypt.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd.pass.sh +new file mode 100644 +index 0000000000..25e7cdf783 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++bash -x setup.sh ++ ++echo "\$ActionSendStreamDriverMode 1" >> /etc/rsyslog.d/encrypt.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd_wrong_value.fail.sh +new file mode 100644 +index 0000000000..d37882acf3 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd_wrong_value.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++bash -x setup.sh ++ ++echo "\$ActionSendStreamDriverMode 0" >> /etc/rsyslog +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/setup.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/setup.sh +new file mode 100644 +index 0000000000..9686f16bcc +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/setup.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# Use this script to ensure the rsyslog directory structure and rsyslog conf file ++# exist in the test env. 
++config_file=/etc/rsyslog.conf ++ ++# Ensure directory structure exists (useful for container based testing) ++test -f $config_file || touch $config_file ++ ++test -d /etc/rsyslog.d/ || mkdir /etc/rsyslog.d/ +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml +new file mode 100644 +index 0000000000..2ddbfb871f +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml +@@ -0,0 +1,5 @@ ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++ ++{{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf", ++ parameter="\$DefaultNetstreamDriver", value="gtls", create=true, separator=" ", separator_regex=" ") ++}}} +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/bash/shared.sh +new file mode 100644 +index 0000000000..3955346cd3 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/bash/shared.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++{{{ set_config_file(path="/etc/rsyslog.d/encrypt.conf", ++ parameter="\$DefaultNetstreamDriver", value="gtls", create=true, separator=" ", separator_regex=" ") ++}}} +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/oval/shared.xml +new file mode 
100644 +index 0000000000..71d39c179d +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/oval/shared.xml +@@ -0,0 +1,44 @@ ++ ++ ++ ++ {{{ oval_metadata("Rsyslogd must encrypt the off-loading of logs off of the system.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/rsyslog.conf ++ ^\$DefaultNetstreamDriver gtls$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ /etc/rsyslog.d ++ ^.*conf$ ++ ^\$DefaultNetstreamDriver gtls$ ++ 1 ++ ++ +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/rule.yml +new file mode 100644 +index 0000000000..eff85d3fae +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/rule.yml +@@ -0,0 +1,38 @@ ++documentation_complete: true ++ ++title: Ensure Rsyslog Encrypts Off-Loaded Audit Records ++ ++description: |- ++ Rsyslogd is a system utility providing support for message logging. Support ++ for both internet and UNIX domain sockets enables this utility to support both local ++ and remote logging. Couple this utility with gnutls (which is a secure communications ++ library implementing the SSL, TLS and DTLS protocols), and you have a method to securely ++ encrypt and off-load auditing. ++ ++ When using rsyslogd to off-load logs off a encrpytion system must be used. ++ ++rationale: |- ++ The audit records generated by Rsyslog contain valuable information regarding system ++ configuration, user authentication, and other such information. Audit records should be ++ protected from unauthorized access. 
++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-85992-6 ++ ++references: ++ disa: CCI-001851 ++ nist: AU-4(1) ++ srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224 ++ stigid@rhel8: RHEL-08-030710 ++ ++ocil_clause: 'rsyslogd DefaultNetstreamDriver not set to gtls' ++ ++ocil: |- ++ Verify the operating system encrypts audit records off-loaded onto a different system ++ or media from the system being audited with the following commands: ++ ++
$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
++ The output should be ++
/etc/rsyslog.conf:$DefaultNetstreamDriver gtls
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/default_no_pass.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/default_no_pass.fail.sh +new file mode 100644 +index 0000000000..6ab43bfc0d +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/default_no_pass.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++bash -x setup.sh ++ ++if [[ -f encrypt.conf ]]; then ++ sed -i i/\$DefaultNetstreamDriver*.$//g /etc/rsyslog.d/encrypt.conf ++fi ++ sed -i i/\$DefaultNetstreamDriver*.$//g /etc/rsyslog.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog.pass.sh +new file mode 100644 +index 0000000000..40f1bfe087 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++bash -x setup.sh ++ ++echo "\$DefaultNetstreamDriver gtls" >> /etc/rsyslog.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog_wrong_value.fail.sh +new file mode 100644 +index 0000000000..30a1d5b43a +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog_wrong_value.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++bash -x setup.sh ++ ++echo "\$DefaultNetstreamDriver none" >> 
/etc/rsyslog.d/encrypt.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd.pass.sh +new file mode 100644 +index 0000000000..44715bca66 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++bash -x setup.sh ++ ++echo "\$DefaultNetstreamDriver gtls" >> /etc/rsyslog.d/encrypt.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd_wrong_value.fail.sh +new file mode 100644 +index 0000000000..30a1d5b43a +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd_wrong_value.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++bash -x setup.sh ++ ++echo "\$DefaultNetstreamDriver none" >> /etc/rsyslog.d/encrypt.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/setup.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/setup.sh +new file mode 100644 +index 0000000000..9686f16bcc +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/setup.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# Use this script to ensure the rsyslog directory structure and rsyslog conf file ++# exist in the test env. 
++config_file=/etc/rsyslog.conf ++ ++# Ensure directory structure exists (useful for container based testing) ++test -f $config_file || touch $config_file ++ ++test -d /etc/rsyslog.d/ || mkdir /etc/rsyslog.d/ +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 6372d13cfc..1cc53cf1e1 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -828,6 +828,8 @@ selections: + - auditd_overflow_action + + # RHEL-08-030710 ++ - rsyslog_encrypt_offload_defaultnetstreamdriver ++ - rsyslog_encrypt_offload_actionsendstreamdrivermode + + # RHEL-08-030720 + +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 24e8149168..fdf69f6baa 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -129,7 +129,6 @@ CCE-85988-4 + CCE-85989-2 + CCE-85990-0 + CCE-85991-8 +-CCE-85992-6 + CCE-85993-4 + CCE-85994-2 + CCE-85995-9 +@@ -235,7 +234,6 @@ CCE-86094-0 + CCE-86095-7 + CCE-86096-5 + CCE-86097-3 +-CCE-86098-1 + CCE-86099-9 + CCE-86100-5 + CCE-86101-3 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 32f1a24a7a..c0ef381696 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -228,6 +228,8 @@ selections: + - require_singleuser_auth + - root_permissions_syslibrary_files + - rsyslog_cron_logging ++- rsyslog_encrypt_offload_actionsendstreamdrivermode ++- rsyslog_encrypt_offload_defaultnetstreamdriver + - rsyslog_remote_access_monitoring + - rsyslog_remote_loghost + - security_patches_up_to_date +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index d6a27c67dc..5adeea4a35 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -239,6 +239,8 
@@ selections:
+ - require_singleuser_auth
+ - root_permissions_syslibrary_files
+ - rsyslog_cron_logging
++- rsyslog_encrypt_offload_actionsendstreamdrivermode
++- rsyslog_encrypt_offload_defaultnetstreamdriver
+ - rsyslog_remote_access_monitoring
+ - rsyslog_remote_loghost
+ - security_patches_up_to_date
diff --git a/SOURCES/scap-security-guide-0.1.58-RHEL_08_030720-PR_7288.patch b/SOURCES/scap-security-guide-0.1.58-RHEL_08_030720-PR_7288.patch
new file mode 100644
index 0000000..c027a03
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-RHEL_08_030720-PR_7288.patch
@@ -0,0 +1,389 @@
+From fbaa0ae639fbb001e4c9e92d9e35f9dd9309d605 Mon Sep 17 00:00:00 2001
+From: Matthew Burket
+Date: Mon, 9 Aug 2021 10:56:36 -0500
+Subject: [PATCH 1/2] Allow set_config_file bash macro and lineinfile to set a
+ custom sed path separator
+
+So that if the text has '/' in it the sed path separator can be changed.
+---
+ .../developer/06_contributing_with_content.md | 3 +++
+ shared/macros-bash.jinja | 23 ++++++++++---------
+ shared/templates/lineinfile/bash.template | 6 ++++-
+ 3 files changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/docs/manual/developer/06_contributing_with_content.md b/docs/manual/developer/06_contributing_with_content.md
+index 245db1550de..c0d62bef5ca 100644
+--- a/docs/manual/developer/06_contributing_with_content.md
++++ b/docs/manual/developer/06_contributing_with_content.md
+@@ -1572,6 +1572,9 @@ the following to `rule.yml`:
+ - **oval_extend_definitions** - optional, list of additional OVAL
+ definitions that have to pass along the generated check.
+
++ **sed_path_separator** - optional, default is `/`, sets the sed path separator. Set this
++ to a character like `#` if `/` is in use in your text.
++ + - Languages: Ansible, Bash, OVAL + + +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index d654a0e0e89..7af8038a783 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -444,11 +444,12 @@ printf '%s\n' "{{{ message | replace('"', '\\"') }}}" >&2 + # separator_regex: regular expression that describes the separator and surrounding whitespace + # prefix_regex: regular expression describing allowed leading characters at each line + #}} +-{{%- macro set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") -%}} +- {{%- set line_regex = prefix_regex + ((parameter | escape_regex) | replace("/", "\/")) + separator_regex -%}} ++ ++{{%- macro set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", sed_path_separator="/") -%}} + {{%- set new_line = parameter+separator+value -%}} ++ {{%- set line_regex = prefix_regex + ((parameter | escape_regex) | replace("/", "\/")) + separator_regex -%}} + if [ -e "{{{ path }}}" ] ; then +- {{{ lineinfile_absent(path, line_regex, insensitive) | indent(4) }}} ++ {{{ lineinfile_absent(path, line_regex, insensitive, sed_path_separator=sed_path_separator) | indent(4) }}} + else + {{%- if create %}} + touch "{{{ path }}}" +@@ -456,19 +457,19 @@ else + {{{ die("Path '" + path + "' wasn't found on this system. 
Refusing to continue.", action="return") | indent(4) }}} + {{%- endif %}} + fi +-{{{ lineinfile_present(path, new_line, insert_after, insert_before, insensitive) }}} ++{{{ lineinfile_present(path, new_line, insert_after, insert_before, insensitive, sed_path_separator=sed_path_separator) }}} + {{%- endmacro -%}} + +-{{%- macro lineinfile_absent(path, regex, insensitive=true) -%}} ++{{%- macro lineinfile_absent(path, regex, insensitive=true, sed_path_separator="/") -%}} + {{%- if insensitive -%}} + {{%- set modifier="Id" -%}} + {{%- else -%}} + {{%- set modifier="d" -%}} + {{%- endif -%}} +- {{% if '/' in regex %}} +- {{{ raise("regex (" + regex + ") uses sed path separator (/) in " + rule_id) }}} ++ {{% if sed_path_separator in regex %}} ++ {{{ raise("regex (" + regex + ") uses sed path separator (" + sed_path_separator + ") in " + rule_id) }}} + {{% endif %}} +-LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ path }}}" ++LC_ALL=C sed -i "{{{ sed_path_separator }}}{{{ regex }}}{{{ sed_path_separator }}}{{{ modifier }}}" "{{{ path }}}" + {{%- endmacro -%}} + + {{%- macro lineinfile_absent_in_directory(dirname, regex, insensitive=true) -%}} +@@ -480,7 +481,7 @@ LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ path }}}" + LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ dirname }}}"/* + {{%- endmacro -%}} + +-{{%- macro lineinfile_present(path, line, insert_after="", insert_before="", insensitive=true) -%}} ++{{%- macro lineinfile_present(path, line, insert_after="", insert_before="", insensitive=true, sed_path_separator="/") -%}} + {{%- if insensitive -%}} + {{%- set grep_args="-q -m 1 -i" -%}} + {{%- else -%}} +@@ -496,7 +497,7 @@ printf '%s\n' "{{{ line }}}" > "{{{ path }}}" + cat "{{{ path }}}.bak" >> "{{{ path }}}" + {{%- elif insert_after %}} + # Insert after the line matching the regex '{{{ insert_after }}}' +-line_number="$(LC_ALL=C grep -n "{{{ insert_after }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')" ++line_number="$(LC_ALL=C grep -n 
"{{{ insert_after }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's{{{sed_path_separator}}}:.*{{{sed_path_separator}}}{{{sed_path_separator}}}g')" + if [ -z "$line_number" ]; then + # There was no match of '{{{ insert_after }}}', insert at + # the end of the file. +@@ -508,7 +509,7 @@ else + fi + {{%- elif insert_before %}} + # Insert before the line matching the regex '{{{ insert_before }}}'. +-line_number="$(LC_ALL=C grep -n "{{{ insert_before }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')" ++line_number="$(LC_ALL=C grep -n "{{{ insert_before }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's{{{sed_path_separator}}}:.*{{{sed_path_separator}}}{{{sed_path_separator}}}g')" + if [ -z "$line_number" ]; then + # There was no match of '{{{ insert_before }}}', insert at + # the end of the file. +diff --git a/shared/templates/lineinfile/bash.template b/shared/templates/lineinfile/bash.template +index 0e43e88842a..6d1ca349268 100644 +--- a/shared/templates/lineinfile/bash.template ++++ b/shared/templates/lineinfile/bash.template +@@ -4,4 +4,8 @@ + # complexity = low + # disruption = low + +-{{{ set_config_file(PATH, TEXT, value="", create='yes', insert_after="", insert_before="", separator="", separator_regex="", prefix_regex="^\s*") -}}} ++{{% if SED_PATH_SEPARATOR %}} ++ {{{ set_config_file(PATH, TEXT, value="", create='yes', insert_after="", insert_before="", separator="", separator_regex="", prefix_regex="^\s*", sed_path_separator=SED_PATH_SEPARATOR) -}}} ++{{% else %}} ++ {{{ set_config_file(PATH, TEXT, value="", create='yes', insert_after="", insert_before="", separator="", separator_regex="", prefix_regex="^\s*") -}}} ++{{% endif %}} + +From 4b3182bd5d5308fed16f58da9656aa76a4275569 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Mon, 9 Aug 2021 13:56:32 -0500 +Subject: [PATCH 2/2] Add new rule for RHEL-08-030720 + +--- + .../ansible/shared.yml | 9 ++++ + .../bash/shared.sh | 11 +++++ + .../oval/shared.xml | 43 +++++++++++++++++++ + .../rule.yml | 40 +++++++++++++++++ + 
.../tests/default_no_pass.fail.sh | 7 +++ + .../tests/rsyslog.pass.sh | 4 ++ + .../tests/rsyslog_wrong_value.fail.sh | 4 ++ + .../tests/rsyslogd.pass.sh | 4 ++ + .../tests/rsyslogd_wrong_value.fail.sh | 4 ++ + .../tests/setup.sh | 9 ++++ + products/rhel8/profiles/stig.profile | 1 + + shared/references/cce-redhat-avail.txt | 1 - + .../data/profile_stability/rhel8/stig.profile | 1 + + .../profile_stability/rhel8/stig_gui.profile | 1 + + 14 files changed, 138 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/oval/shared.xml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/rule.yml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/default_no_pass.fail.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog.pass.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog_wrong_value.fail.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd.pass.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd_wrong_value.fail.sh + create 
mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/setup.sh + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml +new file mode 100644 +index 00000000000..637f90003b2 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml +@@ -0,0 +1,9 @@ ++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++ ++{{{ ansible_set_config_file_dir(msg, "/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.conf", ++ "$ActionSendStreamDriverAuthMode", separator=' ', separator_regex='\s', ++ value="x509/name", create='yes') }}} +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh +new file mode 100644 +index 00000000000..71d312f332f +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh +@@ -0,0 +1,11 @@ ++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++ ++if ! 
grep -s "\$ActionSendStreamDriverAuthMode\s*x509/name" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then ++ mkdir -p /etc/rsyslog.d ++ sed -i '/^.*\$ActionSendStreamDriverAuthMode.*/d' /etc/rsyslog.conf /etc/rsyslog.d/*.conf ++ echo "\$ActionSendStreamDriverAuthMode x509/name" > /etc/rsyslog.d/stream_driver_auth.conf ++fi +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/oval/shared.xml +new file mode 100644 +index 00000000000..8e1ec48a974 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/oval/shared.xml +@@ -0,0 +1,43 @@ ++ ++ ++ {{{ oval_metadata("Rsyslogd must authenticate remote system its sending logs to.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/rsyslog.conf ++ ^\$ActionSendStreamDriverAuthMode x509/name$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ /etc/rsyslog.d ++ ^.*conf$ ++ ^\$ActionSendStreamDriverAuthMode x509/name$ ++ 1 ++ ++ +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/rule.yml +new file mode 100644 +index 00000000000..beaf8ce96da +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/rule.yml +@@ -0,0 +1,40 @@ ++documentation_complete: true ++ ++title: Ensure Rsyslog Authenticates Off-Loaded Audit Records ++ ++description: |- ++ Rsyslogd is a system utility providing support for message logging. Support ++ for both internet and UNIX domain sockets enables this utility to support both local ++ and remote logging. 
Couple this utility with gnutls (which is a secure communications ++ library implementing the SSL, TLS and DTLS protocols), and you have a method to securely ++ encrypt and off-load auditing. ++ ++ When using rsyslogd to off-load logs the remote system must be authenticated. ++ ++rationale: |- ++ The audit records generated by Rsyslog contain valuable information regarding system ++ configuration, user authentication, and other such information. Audit records should be ++ protected from unauthorized access. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-86339-9 ++ ++references: ++ disa: CCI-001851 ++ nist: AU-4(1) ++ srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224 ++ stigid@rhel8: RHEL-08-030720 ++ ++ ++ocil_clause: '$ActionSendStreamDriverAuthMode in /etc/rsyslog.conf is not set to x509/name' ++ ++ocil: |- ++ Verify the operating system authenticates the remote logging server for off-loading audit logs with the following command: ++ ++
$ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
++ The output should be ++
$/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name
++ ++ +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/default_no_pass.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/default_no_pass.fail.sh +new file mode 100644 +index 00000000000..54d70f6b85f +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/default_no_pass.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++bash -x setup.sh ++ ++if [[ -f encrypt.conf ]]; then ++ sed -i "/^\$ActionSendStreamDriverMod.*/d" /etc/rsyslog.conf ++fi ++ sed -i "/^\$ActionSendStreamDriverMod.*/d" /etc/rsyslog.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog.pass.sh +new file mode 100644 +index 00000000000..fe3db6f9c41 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++bash -x setup.sh ++ ++echo "\$ActionSendStreamDriverAuthMode x509/name" >> /etc/rsyslog.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog_wrong_value.fail.sh +new file mode 100644 +index 00000000000..bad06fba0e9 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog_wrong_value.fail.sh +@@ 
-0,0 +1,4 @@ ++#!/bin/bash ++bash -x setup.sh ++ ++echo "\$ActionSendStreamDriverAuthMode 0" >> /etc/rsyslog.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd.pass.sh +new file mode 100644 +index 00000000000..ab511daecc7 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++bash -x setup.sh ++ ++echo "\$ActionSendStreamDriverAuthMode x509/name" >> /etc/rsyslog.d/encrypt.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd_wrong_value.fail.sh +new file mode 100644 +index 00000000000..02bf64747a7 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd_wrong_value.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++bash -x setup.sh ++ ++echo "\$ActionSendStreamDriverAuthMode x509/certvalid" >> /etc/rsyslog.d/encrypt.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/setup.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/setup.sh +new file mode 100644 +index 00000000000..9686f16bcc9 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/setup.sh +@@ 
-0,0 +1,9 @@ ++#!/bin/bash ++# Use this script to ensure the rsyslog directory structure and rsyslog conf file ++# exist in the test env. ++config_file=/etc/rsyslog.conf ++ ++# Ensure directory structure exists (useful for container based testing) ++test -f $config_file || touch $config_file ++ ++test -d /etc/rsyslog.d/ || mkdir /etc/rsyslog.d/ +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index ec0a3b17537..382247057cd 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -854,6 +854,7 @@ selections: + - rsyslog_encrypt_offload_actionsendstreamdrivermode + + # RHEL-08-030720 ++ - rsyslog_encrypt_offload_actionsendstreamdriverauthmode + + # RHEL-08-030730 + # this rule expects configuration in MB instead percentage as how STIG demands +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 61384c108a0..03211442aba 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -460,7 +460,6 @@ CCE-86335-7 + CCE-86336-5 + CCE-86337-3 + CCE-86338-1 +-CCE-86339-9 + CCE-86340-7 + CCE-86341-5 + CCE-86342-3 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index bffa509b698..481e7b28228 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -238,6 +238,7 @@ selections: + - require_singleuser_auth + - root_permissions_syslibrary_files + - rsyslog_cron_logging ++- rsyslog_encrypt_offload_actionsendstreamdriverauthmode + - rsyslog_encrypt_offload_actionsendstreamdrivermode + - rsyslog_encrypt_offload_defaultnetstreamdriver + - rsyslog_remote_access_monitoring +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index c84ac75c7bf..7fb3d892a30 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile 
++++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -249,6 +249,7 @@ selections:
+ - require_singleuser_auth
+ - root_permissions_syslibrary_files
+ - rsyslog_cron_logging
++- rsyslog_encrypt_offload_actionsendstreamdriverauthmode
+ - rsyslog_encrypt_offload_actionsendstreamdrivermode
+ - rsyslog_encrypt_offload_defaultnetstreamdriver
+ - rsyslog_remote_access_monitoring
diff --git a/SOURCES/scap-security-guide-0.1.58-RHEL_08_030730-PR_7323.patch b/SOURCES/scap-security-guide-0.1.58-RHEL_08_030730-PR_7323.patch
new file mode 100644
index 0000000..03137f6
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-RHEL_08_030730-PR_7323.patch
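Review bot: The idempotence guard in the new rule's bash/shared.sh (PATCH 2/2, `if ! grep -s "\$ActionSendStreamDriverAuthMode\s*x509/name" ...`) is looser than the OVAL check in the same patch, which requires `^\$ActionSendStreamDriverAuthMode x509/name$` at the start of a line, so a commented-out or trailing-text variant satisfies the grep and the remediation is skipped while the scan still fails. The unquoted `/etc/rsyslog.d/*.conf` glob is also handed literally to `sed -i` when the directory holds no `.conf` files, which only passes because sed's error is not fatal in this script; anchoring the grep to the OVAL regex and iterating over existing files closes both gaps, as sketched below. Separately, `tests/default_no_pass.fail.sh` checks `-f encrypt.conf` (a relative path) and deletes `ActionSendStreamDriverMod` lines copied from the sibling rule, so it never exercises this rule's directive, and the OCIL expected output `$/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name` carries a stray leading `$`. In PATCH 1/2 the new `**sed_path_separator**` entry in 06_contributing_with_content.md is missing the `- ` list marker its sibling `- **oval_extend_definitions**` entry uses.

```shell
# … unchanged: platform / reboot / strategy / complexity / disruption header …

# Guard with the same anchored regex the OVAL check uses, so a commented-out
# or differently-valued directive still triggers remediation.
if ! grep -qs '^\$ActionSendStreamDriverAuthMode x509/name$' /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
    mkdir -p /etc/rsyslog.d
    # Remove any existing directive, but only from files that actually exist
    # (an unmatched glob would otherwise be passed to sed as a literal path).
    for conf in /etc/rsyslog.conf /etc/rsyslog.d/*.conf; do
        [ -f "$conf" ] && sed -i '/^.*\$ActionSendStreamDriverAuthMode.*/d' "$conf"
    done
    echo "\$ActionSendStreamDriverAuthMode x509/name" > /etc/rsyslog.d/stream_driver_auth.conf
fi
```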
@@ -0,0 +1,357 @@ +From 2f4ddb4297f2a14e2bde3b32f76347e2bbe2cb2d Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Thu, 19 Aug 2021 09:47:42 -0500 +Subject: [PATCH] Add new rule for RHEL-07-030330 and RHEL-08-030730 + +This new rule is copy of auditd_data_retention_space_left, but +setup to allow for percentages. +--- + .../auditd_data_retention_space_left/rule.yml | 2 - + .../ansible/shared.yml | 15 ++++++ + .../bash/shared.sh | 7 +++ + .../oval/shared.xml | 32 +++++++++++++ + .../rule.yml | 47 +++++++++++++++++++ + .../tests/no_percent_sign.fail.sh | 6 +++ + .../space_left_greater_than_minimum.pass.sh | 6 +++ + .../tests/space_left_minimum_value.pass.sh | 6 +++ + .../tests/space_left_not_enough.fail.sh | 6 +++ + .../tests/space_left_not_there.fail.sh | 6 +++ + .../var_auditd_space_left_percentage.var | 15 ++++++ + products/rhel7/profiles/stig.profile | 3 +- + products/rhel8/profiles/stig.profile | 7 +-- + shared/references/cce-redhat-avail.txt | 2 - + .../data/profile_stability/rhel8/stig.profile | 3 +- + .../profile_stability/rhel8/stig_gui.profile | 3 +- + 16 files changed, 156 insertions(+), 10 deletions(-) + create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/ansible/shared.yml + create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/bash/shared.sh + create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/oval/shared.xml + create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml + create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/no_percent_sign.fail.sh + create mode 100644 
linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_greater_than_minimum.pass.sh + create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_minimum_value.pass.sh + create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_enough.fail.sh + create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_there.fail.sh + create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left_percentage.var + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml +index 7fd0470df8..a652d15d0d 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml +@@ -39,8 +39,6 @@ references: + pcidss: Req-10.7 + srg: SRG-OS-000343-GPOS-00134 + stigid@ol7: OL07-00-030330 +- stigid@rhel7: RHEL-07-030330 +- stigid@rhel8: RHEL-08-030730 + stigid@sle12: SLES-12-020030 + stigid@sle15: SLES-15-030700 + stigid@ubuntu2004: UBTU-20-010217 +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/ansible/shared.yml +new file mode 100644 +index 0000000000..ea52773bd3 +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/ansible/shared.yml 
+@@ -0,0 +1,15 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++{{{ ansible_instantiate_variables("var_auditd_space_left_percentage") }}} ++ ++- name: Configure auditd space_left on Low Disk Space ++ lineinfile: ++ dest: /etc/audit/auditd.conf ++ line: "space_left = {{ var_auditd_space_left_percentage }}%" ++ regexp: '^\s*space_left\s*=\s*.*$' ++ state: present ++ create: yes ++ #notify: reload auditd +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/bash/shared.sh +new file mode 100644 +index 0000000000..6cc3e9ecbe +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/bash/shared.sh +@@ -0,0 +1,7 @@ ++# platform = multi_platform_all ++. /usr/share/scap-security-guide/remediation_functions ++{{{ bash_instantiate_variables("var_auditd_space_left_percentage") }}} ++ ++grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ ++ sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left_percentage%/g" /etc/audit/auditd.conf || \ ++ echo "space_left = $var_auditd_space_left_percentage%" >> /etc/audit/auditd.conf +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/oval/shared.xml +new file mode 100644 +index 0000000000..2fcd222d29 +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/oval/shared.xml +@@ -0,0 +1,32 @@ ++ ++ ++ {{{ oval_metadata("space_left setting in /etc/audit/auditd.conf is set to at least a certain value") }}} ++ ++ ++ ++ ++ 
++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/audit/auditd.conf ++ ++ ++ ^[\s]*space_left[\s]+=[\s]+(\d+)%[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml +new file mode 100644 +index 0000000000..ea9d9fcc6b +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/rule.yml +@@ -0,0 +1,47 @@ ++documentation_complete: true ++ ++prodtype: fedora,rhel7,rhel8,rhel9 ++ ++title: 'Configure auditd space_left on Low Disk Space' ++ ++description: |- ++ The auditd service can be configured to take an action ++ when disk space is running low but prior to running out of space completely. ++ Edit the file /etc/audit/auditd.conf. Add or modify the following line, ++ substituting PERCENTAGE appropriately: ++
space_left = PERCENTAGE%
++ Set this value to at least 25 to cause the system to ++ notify the user of an issue. ++ ++rationale: |- ++ Notifying administrators of an impending disk space problem may allow them to ++ take corrective action prior to any disruption. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: CCE-86056-9 ++ cce@rhel8: CCE-86055-1 ++ ++references: ++ cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8 ++ cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 ++ disa: CCI-001855 ++ isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 ++ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 7.1,SR 7.2' ++ iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1 ++ nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a) ++ nist-csf: DE.AE-3,DE.AE-5,PR.DS-4,PR.PT-1,RS.AN-1,RS.AN-4 ++ pcidss: Req-10.7 ++ srg: SRG-OS-000343-GPOS-00134 ++ stigid@rhel7: RHEL-07-030330 ++ stigid@rhel8: RHEL-08-030730 ++ vmmsrg: SRG-OS-000343-VMM-001240 ++ ++ocil_clause: 'the system is not configured with a specific percentage to notify administrators of an issue' ++ ++ocil: |- ++ Inspect /etc/audit/auditd.conf and locate the following line to ++ determine if the system is configured correctly: ++
space_left PERCENTAGE%
++ +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/no_percent_sign.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/no_percent_sign.fail.sh +new file mode 100644 +index 0000000000..2e90ce1d7b +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/no_percent_sign.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# variables = var_auditd_space_left_percentage=25 ++ ++. $SHARED/auditd_utils.sh ++prepare_auditd_test_enviroment ++set_parameters_value /etc/audit/auditd.conf "space_left" "25" +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_greater_than_minimum.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_greater_than_minimum.pass.sh +new file mode 100644 +index 0000000000..135d6e4258 +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_greater_than_minimum.pass.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# variables = var_auditd_space_left_percentage=25 ++ ++. 
$SHARED/auditd_utils.sh ++prepare_auditd_test_enviroment ++set_parameters_value /etc/audit/auditd.conf "space_left" "35%" +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_minimum_value.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_minimum_value.pass.sh +new file mode 100644 +index 0000000000..10d652e80e +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_minimum_value.pass.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# variables = var_auditd_space_left_percentage=25 ++ ++. $SHARED/auditd_utils.sh ++prepare_auditd_test_enviroment ++set_parameters_value /etc/audit/auditd.conf "space_left" "25%" +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_enough.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_enough.fail.sh +new file mode 100644 +index 0000000000..0bf7694b15 +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_enough.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# variables = var_auditd_space_left_percentage=25 ++ ++. 
$SHARED/auditd_utils.sh ++prepare_auditd_test_enviroment ++set_parameters_value /etc/audit/auditd.conf "space_left" "15%" +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_there.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_there.fail.sh +new file mode 100644 +index 0000000000..34ac5595c6 +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_percentage/tests/space_left_not_there.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# variables = var_auditd_space_left_percentage=25 ++ ++. $SHARED/auditd_utils.sh ++prepare_auditd_test_enviroment ++delete_parameter /etc/audit/auditd.conf "space_left" +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left_percentage.var b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left_percentage.var +new file mode 100644 +index 0000000000..427a1d4bfa +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left_percentage.var +@@ -0,0 +1,15 @@ ++documentation_complete: true ++ ++title: 'The percentage remaining in disk space before prompting space_left_action' ++ ++description: 'The setting for space_left as a percentage in /etc/audit/auditd.conf' ++ ++type: number ++ ++interactive: true ++ ++options: ++ 25pc: 25 ++ 50pc: 50 ++ 75pc: 75 ++ default: 25 +diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile +index 9ca1360005..67e22982cd 100644 +--- a/products/rhel7/profiles/stig.profile ++++ b/products/rhel7/profiles/stig.profile +@@ -50,6 +50,7 @@ selections: + - var_removable_partition=dev_cdrom + - var_auditd_action_mail_acct=root + - var_auditd_space_left_action=email ++ - var_auditd_space_left_percentage=25pc + - var_accounts_user_umask=077 + 
- var_password_pam_retry=3 + - var_accounts_max_concurrent_login_sessions=10 +@@ -178,8 +179,8 @@ selections: + - auditd_audispd_configure_remote_server + - auditd_audispd_encrypt_sent_records + - auditd_audispd_disk_full_action +- - auditd_data_retention_space_left + - auditd_data_retention_space_left_action ++ - auditd_data_retention_space_left_percentage + - auditd_data_retention_action_mail_acct + - audit_rules_suid_privilege_function + - audit_rules_dac_modification_chown +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 36f384621a..10dbc1501b 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -65,7 +65,7 @@ selections: + - var_auditd_action_mail_acct=root + - var_time_service_set_maxpoll=18_hours + - var_accounts_maximum_age_login_defs=60 +- - var_auditd_space_left=250MB ++ - var_auditd_space_left_percentage=25pc + - var_auditd_space_left_action=email + - var_auditd_disk_error_action=halt + - var_auditd_max_log_file_action=syslog +@@ -922,8 +922,9 @@ selections: + - rsyslog_encrypt_offload_actionsendstreamdriverauthmode + + # RHEL-08-030730 +- # this rule expects configuration in MB instead percentage as how STIG demands +- # - auditd_data_retention_space_left ++ - auditd_data_retention_space_left_percentage ++ ++ # RHEL-08-030731 + - auditd_data_retention_space_left_action + + # RHEL-08-030740 +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 6c33c2e85f..fcb8125ca4 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -170,8 +170,6 @@ CCE-86051-0 + CCE-86052-8 + CCE-86053-6 + CCE-86054-4 +-CCE-86055-1 +-CCE-86056-9 + CCE-86057-7 + CCE-86058-5 + CCE-86059-3 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index f3e6c4fa1a..09a5bc3174 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ 
b/tests/data/profile_stability/rhel8/stig.profile +@@ -140,6 +140,7 @@ selections: + - auditd_data_retention_action_mail_acct + - auditd_data_retention_max_log_file_action + - auditd_data_retention_space_left_action ++- auditd_data_retention_space_left_percentage + - auditd_local_events + - auditd_log_format + - auditd_name_format +@@ -422,7 +423,7 @@ selections: + - var_auditd_action_mail_acct=root + - var_time_service_set_maxpoll=18_hours + - var_accounts_maximum_age_login_defs=60 +-- var_auditd_space_left=250MB ++- var_auditd_space_left_percentage=25pc + - var_auditd_space_left_action=email + - var_auditd_disk_error_action=halt + - var_auditd_max_log_file_action=syslog +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index b5b60349a8..5b631a3fe0 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -151,6 +151,7 @@ selections: + - auditd_data_retention_action_mail_acct + - auditd_data_retention_max_log_file_action + - auditd_data_retention_space_left_action ++- auditd_data_retention_space_left_percentage + - auditd_local_events + - auditd_log_format + - auditd_name_format +@@ -432,7 +433,7 @@ selections: + - var_auditd_action_mail_acct=root + - var_time_service_set_maxpoll=18_hours + - var_accounts_maximum_age_login_defs=60 +-- var_auditd_space_left=250MB ++- var_auditd_space_left_percentage=25pc + - var_auditd_space_left_action=email + - var_auditd_disk_error_action=halt + - var_auditd_max_log_file_action=syslog diff --git a/SOURCES/scap-security-guide-0.1.58-RHEL_08_040286-PR_7354.patch b/SOURCES/scap-security-guide-0.1.58-RHEL_08_040286-PR_7354.patch new file mode 100644 index 0000000..c474d79 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-RHEL_08_040286-PR_7354.patch 
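Review bot: The OVAL pattern `^[\s]*space_left[\s]+=[\s]+(\d+)%[\s]*$` in the new auditd_data_retention_space_left_percentage check requires at least one whitespace character on each side of `=`, whereas the Ansible regexp `^\s*space_left\s*=\s*.*$` and the bash grep `^space_left[[:space:]]*=.*$` accept none, so a file carrying `space_left=25%` is reported as failing by the check even though both remediations treat that line as the one to rewrite. Relaxing the check to `^[\s]*space_left[\s]*=[\s]*(\d+)%[\s]*$` keeps the check and the remediations in agreement. Separately, the ocil text in rule.yml reads `space_left PERCENTAGE%` as rendered here, dropping the `=` that the description and both remediations use; it presumably should read `space_left = PERCENTAGE%`. Neither remediation reloads auditd (the Ansible `#notify: reload auditd` is left commented out), so the new threshold only takes effect after the service restarts; if the repository provides that handler, enabling it, or stating the restart requirement in the rule description, would close that gap.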
@@ -0,0 +1,66 @@
+From 994b50e9a47e222c2a27fde231cbf3e2f6f77aed Mon Sep 17 00:00:00 2001
+From: Matthew Burket
+Date: Fri, 6 Aug 2021 15:26:28 -0500
+Subject: [PATCH] Select sysctl_net_core_bpf_jit_harden for RHEL-08-040286
+
+---
+ .../restrictions/sysctl_net_core_bpf_jit_harden/rule.yml | 3 +++
+ products/rhel8/profiles/stig.profile | 3 +++
+ tests/data/profile_stability/rhel8/stig.profile | 1 +
+ tests/data/profile_stability/rhel8/stig_gui.profile | 1 +
+ 4 files changed, 8 insertions(+)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
+index 9a1096cc72..31b7183b87 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
+@@ -19,8 +19,11 @@ identifiers:
+ cce@rhel9: CCE-83966-2
+ 
+ references:
++ disa: CCI-000366
++ nist: CM-6b
+ ospp: FMT_SMF_EXT.1
+ srg: SRG-OS-000480-GPOS-00227
++ stigid@rhel8: RHEL-08-040286
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.core.bpf_jit_harden", value="2") }}}
+ 
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index 0a1fdd15ca..a358f61dba 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -1149,6 +1149,9 @@ selections:
+ # RHEL-08-040285
+ - sysctl_net_ipv4_conf_all_rp_filter
+ 
++ # RHEL-08-040286
++ - sysctl_net_core_bpf_jit_harden
++
+ # RHEL-08-040290
+ # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
+ # there needs to be a new platform check to identify when postfix is installed or not
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index d7e2f71376..7d54a7505f 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -359,6 +359,7 @@ selections:
+ - sysctl_kernel_randomize_va_space
+ - sysctl_kernel_unprivileged_bpf_disabled
+ - sysctl_kernel_yama_ptrace_scope
++- sysctl_net_core_bpf_jit_harden
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_all_rp_filter
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index 7c95e31545..97291230e7 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
++++ b/tests/data/profile__stability/rhel8/stig_gui.profile
+@@ -370,6 +370,7 @@ selections:
+ - sysctl_kernel_randomize_va_space
+ - sysctl_kernel_unprivileged_bpf_disabled
+ - sysctl_kernel_yama_ptrace_scope
++- sysctl_net_core_bpf_jit_harden
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_all_rp_filter
diff --git a/SOURCES/scap-security-guide-0.1.58-add_RHEL_08_020240-PR_7330.patch b/SOURCES/scap-security-guide-0.1.58-add_RHEL_08_020240-PR_7330.patch
new file mode 100644
index 0000000..21bd64a
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-add_RHEL_08_020240-PR_7330.patch
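Review bot: The new reference `nist: CM-6b` in sysctl_net_core_bpf_jit_harden/rule.yml uses a different control-part notation from the bracketed form used elsewhere in these patches (the new space_left_percentage rule.yml writes `AU-5(b),...,CM-6(a)`), so any table or filter keyed on the bracketed spelling would likely miss this rule. Suggest `nist: CM-6(b)` unless the bare form is deliberate for this rule.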
@@ -0,0 +1,121 @@ +From 3d24d93e200f53f3845fffbc8764b8e48517c7b2 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 4 Aug 2021 16:57:50 +0200 +Subject: [PATCH] Assign RHEL-08-020240 to account_unique_id and add test + scenarios. + +--- + .../accounts-restrictions/account_unique_id/oval/shared.xml | 2 +- + .../accounts-restrictions/account_unique_id/rule.yml | 4 +++- + .../account_unique_id/tests/correct_value.pass.sh | 2 ++ + .../account_unique_id/tests/wrong_value.fail.sh | 5 +++++ + products/rhel8/profiles/stig.profile | 1 + + shared/references/cce-redhat-avail.txt | 1 - + tests/data/profile_stability/rhel8/stig.profile | 1 + + tests/data/profile_stability/rhel8/stig_gui.profile | 1 + + 8 files changed, 14 insertions(+), 3 deletions(-) + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml +index be45c518115..491ad4587ee 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/oval/shared.xml +@@ -7,7 +7,7 @@ + + + +- ++ + + .* + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml +index 731632f7f5a..e55901dbdc5 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml +@@ -12,6 +12,7 @@ severity: medium + + identifiers: + cce@rhel7: CCE-85857-1 ++ cce@rhel8: CCE-89903-9 + cce@sle12: CCE-83196-6 + cce@sle15: CCE-83277-4 + +@@ 
-19,7 +20,8 @@ references: + cis@rhel7: 6.2.7 + disa: CCI-000764,CCI-000804 + nist@sle12: IA-2,IA-2.1,IA-8,IA-8.1 +- srg: SRG-OS-000104-GPOS-00051,SRG-OS-000121-GPOS-00062 ++ srg: SRG-OS-000104-GPOS-00051,SRG-OS-000121-GPOS-00062,SRG-OS-000042-GPOS-00020 ++ stigid@rhel8: RHEL-08-020240 + stigid@sle12: SLES-12-010640 + stigid@sle15: SLES-15-010230 + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh +new file mode 100644 +index 00000000000..645c46eb847 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/correct_value.pass.sh +@@ -0,0 +1,2 @@ ++#!/bin/bash ++# remediation = none +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh +new file mode 100644 +index 00000000000..cc7f2215041 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/tests/wrong_value.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# remediation = none ++ ++echo "test_user:x:30090:30090:Test User:/home/test_user:/usr/bin/bash" >> /etc/passwd ++echo "test_user_2:x:30090:30090:Test User 2:/home/test_user_2:/usr/bin/bash" >> /etc/passwd +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index ec0a3b17537..bdddfef846f 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -552,6 +552,7 @@ selections: + - accounts_password_minlen_login_defs + + # RHEL-08-020240 ++ - account_unique_id + + # RHEL-08-020250 + - sssd_enable_smartcards +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 61384c108a0..1d54e8ec15f 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ 
b/shared/references/cce-redhat-avail.txt +@@ -3969,7 +3969,6 @@ CCE-89899-9 + CCE-89900-5 + CCE-89901-3 + CCE-89902-1 +-CCE-89903-9 + CCE-89904-7 + CCE-89905-4 + CCE-89906-2 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index bffa509b698..71dd6330a16 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -26,6 +26,7 @@ selections: + - account_disable_post_pw_expiration + - account_emergency_expire_date + - account_temp_expire_date ++- account_unique_id + - accounts_have_homedir_login_defs + - accounts_logon_fail_delay + - accounts_max_concurrent_login_sessions +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index c84ac75c7bf..3e788b27bac 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -37,6 +37,7 @@ selections: + - account_disable_post_pw_expiration + - account_emergency_expire_date + - account_temp_expire_date ++- account_unique_id + - accounts_have_homedir_login_defs + - accounts_logon_fail_delay + - accounts_max_concurrent_login_sessions diff --git a/SOURCES/scap-security-guide-0.1.58-add_missing_unit_test_playbook-PR_7431.patch b/SOURCES/scap-security-guide-0.1.58-add_missing_unit_test_playbook-PR_7431.patch new file mode 100644 index 0000000..600dca6 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-add_missing_unit_test_playbook-PR_7431.patch 
@@ -0,0 +1,80 @@
+From 86dad83f4e6c5b823882ec736d27410570f5b69a Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Fri, 20 Aug 2021 16:03:33 +0200
+Subject: [PATCH] Add missing unit test playbook
+
+The playbook is used on
+test-function-check_playbook_file_removed_and_added
+---
+ .../file_block_removed_and_not_added.yml | 62 +++++++++++++++++++
+ 1 file changed, 62 insertions(+)
+ create mode 100644 tests/ansible_file_removed_and_added/file_block_removed_and_not_added.yml
+
+diff --git a/tests/ansible_file_removed_and_added/file_block_removed_and_not_added.yml b/tests/ansible_file_removed_and_added/file_block_removed_and_not_added.yml
+new file mode 100644
+index 0000000000..8391d1bc99
+--- /dev/null
++++ b/tests/ansible_file_removed_and_added/file_block_removed_and_not_added.yml
+@@ -0,0 +1,62 @@
++---
++
++- hosts: all
++ vars:
++ var_system_crypto_policy: !!str FUTURE
++ var_sudo_logfile: !!str /var/log/sudo.log
++
++ tasks:
++ - name: Modify the System Login Banner - add correct banner
++ lineinfile:
++ dest: /etc/issue
++ line: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*)\|.*\)$",
++ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
++ "\n") | regex_replace("\\", "") | wordwrap() }}'
++ create: true
++ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
++ tags:
++ - banner_etc_issue
++ - low_complexity
++ - medium_disruption
++ - medium_severity
++ - no_reboot_needed
++ - unknown_strategy
++
++ - name: Test for existence /etc/issue
++ stat:
++ path: /etc/issue
++ register: file_exists
++ tags:
++ - configure_strategy
++ - file_permissions_etc_issue
++ - low_complexity
++ - low_disruption
++ - medium_severity
++ - no_reboot_needed
++
++ - name: Ensure permission 0644 on /etc/issue
++ file:
++ path: /etc/issue
++ mode: '0644'
++ when: file_exists.stat is defined and file_exists.stat.exists
++ tags:
++ - configure_strategy
++ - file_permissions_etc_issue
++ - low_complexity
++ - low_disruption
++ - medium_severity
++ - no_reboot_needed
++
++ - block:
++ - name: Remove Rsh Trust Files
++ file:
++ path: '/root/shosts.equiv'
++ state: absent
++ tags:
++ - high_severity
++ - low_complexity
++ - low_disruption
++ - no_reboot_needed
++ - no_rsh_trust_files
++ - restrict_strategy
++
diff --git a/SOURCES/scap-security-guide-0.1.58-add_rhel_minor_check-PR_7251.patch b/SOURCES/scap-security-guide-0.1.58-add_rhel_minor_check-PR_7251.patch
new file mode 100644
index 0000000..2ada27b
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-add_rhel_minor_check-PR_7251.patch
@@ -0,0 +1,179 @@ +From b814fc94d0fb360ef53a6b735e9520df5b484589 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 14 Jul 2021 12:52:13 -0500 +Subject: [PATCH 1/3] Add Jinja-based RHEL 8 minor check + +--- + shared/checks/oval/installed_OS_is_rhel8.xml | 29 ++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/shared/checks/oval/installed_OS_is_rhel8.xml b/shared/checks/oval/installed_OS_is_rhel8.xml +index a9699411ce7..fdd3c870d43 100644 +--- a/shared/checks/oval/installed_OS_is_rhel8.xml ++++ b/shared/checks/oval/installed_OS_is_rhel8.xml +@@ -44,6 +44,35 @@ + redhat-release + + ++ {{% for minorversion in range(0, 9) %}} ++ ++ ++ Red Hat Enterprise Linux 8.{{{ minorversion }}} ++ ++ Red Hat Enterprise Linux 8.{{{ minorversion }}} ++ ++ ++ The operating system installed on the system is Red Hat Enterprise Linux 8.{{{ minorversion}}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^8.{{{ minorversion }}}*$ ++ ++ ++ redhat-release ++ ++ {{% endfor %}} ++ + + + + +From d37d303654be74758c19615ef027b3bafa2d7217 Mon Sep 17 00:00:00 2001 +From: Carlos Matos +Date: Wed, 14 Jul 2021 15:30:02 -0400 +Subject: [PATCH 2/3] Adding cpe's to product.yml + +--- + products/rhel8/product.yml | 45 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 45 insertions(+) + +diff --git a/products/rhel8/product.yml b/products/rhel8/product.yml +index 3278207fcb4..14336bfddf1 100644 +--- a/products/rhel8/product.yml ++++ b/products/rhel8/product.yml +@@ -27,6 +27,51 @@ cpes: + title: "Red Hat Enterprise Linux 8" + check_id: installed_OS_is_rhel8 + ++ - rhel8.0: ++ name: "cpe:/o:redhat:enterprise_linux:8.0" ++ title: "Red Hat Enterprise Linux 8.0" ++ check_id: installed_OS_is_rhel8_0 ++ ++ - rhel8.1: ++ name: "cpe:/o:redhat:enterprise_linux:8.1" ++ title: "Red Hat Enterprise Linux 8.1" ++ check_id: installed_OS_is_rhel8_1 ++ ++ - rhel8.2: ++ name: "cpe:/o:redhat:enterprise_linux:8.2" ++ title: "Red Hat Enterprise Linux 8.2" ++ check_id: installed_OS_is_rhel8_2 ++ ++ - 
rhel8.3: ++ name: "cpe:/o:redhat:enterprise_linux:8.3" ++ title: "Red Hat Enterprise Linux 8.3" ++ check_id: installed_OS_is_rhel8_3 ++ ++ - rhel8.4: ++ name: "cpe:/o:redhat:enterprise_linux:8.4" ++ title: "Red Hat Enterprise Linux 8.4" ++ check_id: installed_OS_is_rhel8_4 ++ ++ - rhel8.5: ++ name: "cpe:/o:redhat:enterprise_linux:8.5" ++ title: "Red Hat Enterprise Linux 8.5" ++ check_id: installed_OS_is_rhel8_5 ++ ++ - rhel8.6: ++ name: "cpe:/o:redhat:enterprise_linux:8.6" ++ title: "Red Hat Enterprise Linux 8.6" ++ check_id: installed_OS_is_rhel8_6 ++ ++ - rhel8.7: ++ name: "cpe:/o:redhat:enterprise_linux:8.7" ++ title: "Red Hat Enterprise Linux 8.7" ++ check_id: installed_OS_is_rhel8_7 ++ ++ - rhel8.8: ++ name: "cpe:/o:redhat:enterprise_linux:8.8" ++ title: "Red Hat Enterprise Linux 8.8" ++ check_id: installed_OS_is_rhel8_8 ++ + # Mapping of CPE platform to package + platform_package_overrides: + login_defs: "shadow-utils" + +From c4e4fd7b0449ba4655020fc0dc99ae3c4523b8cc Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Mon, 19 Jul 2021 08:12:34 -0500 +Subject: [PATCH 3/3] Add checks to go up to RHEL 8.10 + +This also makes the checks work. 
+--- + products/rhel8/product.yml | 10 ++++++++++ + shared/checks/oval/installed_OS_is_rhel8.xml | 10 +++++----- + 2 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/products/rhel8/product.yml b/products/rhel8/product.yml +index 14336bfddf1..78c987b2457 100644 +--- a/products/rhel8/product.yml ++++ b/products/rhel8/product.yml +@@ -72,6 +72,16 @@ cpes: + title: "Red Hat Enterprise Linux 8.8" + check_id: installed_OS_is_rhel8_8 + ++ - rhel8.9: ++ name: "cpe:/o:redhat:enterprise_linux:8.9" ++ title: "Red Hat Enterprise Linux 8.9" ++ check_id: installed_OS_is_rhel8_9 ++ ++ - rhel8.10: ++ name: "cpe:/o:redhat:enterprise_linux:8.10" ++ title: "Red Hat Enterprise Linux 8.10" ++ check_id: installed_OS_is_rhel8_10 ++ + # Mapping of CPE platform to package + platform_package_overrides: + login_defs: "shadow-utils" +diff --git a/shared/checks/oval/installed_OS_is_rhel8.xml b/shared/checks/oval/installed_OS_is_rhel8.xml +index fdd3c870d43..feab963b941 100644 +--- a/shared/checks/oval/installed_OS_is_rhel8.xml ++++ b/shared/checks/oval/installed_OS_is_rhel8.xml +@@ -44,7 +44,7 @@ + redhat-release + + +- {{% for minorversion in range(0, 9) %}} ++ {{% for minorversion in range(0, 11) %}} + + + Red Hat Enterprise Linux 8.{{{ minorversion }}} +@@ -52,13 +52,13 @@ + Red Hat Enterprise Linux 8.{{{ minorversion }}} + + +- The operating system installed on the system is Red Hat Enterprise Linux 8.{{{ minorversion}}} ++ The operating system installed on the system is Red Hat Enterprise Linux 8.{{{ minorversion }}} + ++ ++ ++ + + +- +- +- + + diff --git a/SOURCES/scap-security-guide-0.1.58-ansible_missing_metadata-PR_7357.patch b/SOURCES/scap-security-guide-0.1.58-ansible_missing_metadata-PR_7357.patch new file mode 100644 index 0000000..2cfa6b0 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-ansible_missing_metadata-PR_7357.patch 
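Review bot: The version pattern `^8.{{{ minorversion }}}*$` in installed_OS_is_rhel8.xml leaves the `.` unescaped and applies `*` only to the last character of the minor number, so for minorversion 10 it expands to `^8.10*$`, which matches `8.1` as well as `8.10`, and `^8.0*$` also matches a bare `8.`; a RHEL 8.1 host would therefore satisfy both installed_OS_is_rhel8_1 and installed_OS_is_rhel8_10, so the per-minor CPEs added in product.yml do not select a single release. Anchoring the literal form, `^8\.{{{ minorversion }}}$`, removes the overlap; if the redhat-release version field can carry a suffix after the minor number, express that as an explicit delimited suffix rather than a bare `*`. The surrounding OVAL object and state elements are not readable as rendered here, so which field the pattern is applied to is inferred from the redhat-release reference in the hunk.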
@@ -0,0 +1,50 @@
+From 5d4726bb609f463956c03909891f8fbd1975d222 Mon Sep 17 00:00:00 2001
+From: Milan Lysonek
+Date: Mon, 9 Aug 2021 14:00:19 +0200
+Subject: [PATCH] Add missing ansible remediation metadata
+
+---
+ .../auditd_overflow_action/ansible/shared.yml | 4 ++++
+ .../ansible/shared.yml | 4 ++++
+ .../ansible/shared.yml | 4 ++++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
+index 166054a95a..e1569b2254 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
+@@ -1,4 +1,8 @@
+ # platform = multi_platform_fedora,multi_platform_rhel
++# reboot = false
++# strategy = restrict
++# complexity = low
++# disruption = low
+
+ {{{ ansible_set_config_file(file="/etc/audit/auditd.conf",
+ parameter="overflow_action",
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
+index 2d6c5227a8..bbd27a0061 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
+@@ -1,4 +1,8 @@
+ # platform = Red Hat Enterprise Linux 8,multi_platform_fedora
++# reboot = false
++# strategy = configure
++# complexity = low
++# disruption = low
+
+ {{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf",
+
parameter="\$ActionSendStreamDriverMode", value="1", create=true, separator=" ", separator_regex=" ")
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
+index 2ddbfb871f..b215daaef4 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
+@@ -1,4 +1,8 @@
+ # platform = Red Hat Enterprise Linux 8,multi_platform_fedora
++# reboot = false
++# strategy = configure
++# complexity = low
++# disruption = low
+
+ {{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf",
+ parameter="\$DefaultNetstreamDriver", value="gtls", create=true, separator=" ", separator_regex=" ")
diff --git a/SOURCES/scap-security-guide-0.1.58-audit_privileged_rhel_cis-PR_7353.patch b/SOURCES/scap-security-guide-0.1.58-audit_privileged_rhel_cis-PR_7353.patch
new file mode 100644
index 0000000..1861433
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-audit_privileged_rhel_cis-PR_7353.patch
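Review bot: The `# strategy = restrict` header added to auditd_overflow_action differs from the `# strategy = configure` header added to the two rsyslog remediations below it, although all three are the same `ansible_set_config_file` macro editing a configuration file; unless restrict is deliberate here, `# strategy = configure` would keep the three consistent. `# reboot = false` is plausible, but whether the edited auditd.conf and rsyslog settings take effect without a daemon restart depends on the macro body, which is outside the hunk.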
@@ -0,0 +1,92 @@
+From 01397cbe2a62303ef001ab5e5821ffafd6929e41 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 6 Aug 2021 16:46:22 +0100
+Subject: [PATCH] Update CCEs and identifiers on rules that make up RHEL 8 CIS
+ 4.1.15
+
+---
+ .../audit_rules_privileged_commands_insmod/rule.yml | 2 ++
+ .../audit_rules_privileged_commands_modprobe/rule.yml | 2 ++
+ .../audit_rules_privileged_commands_rmmod/rule.yml | 2 ++
+ shared/references/cce-redhat-avail.txt | 3 ---
+ 4 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
+index 5c3a99447c..a4ecb0d1e0 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
+@@ -28,10 +28,12 @@ severity: medium
+
+ identifiers:
+ cce@rhel7: CCE-85851-4
++ cce@rhel8: CCE-85919-9
+ cce@sle15: CCE-85744-1
+
+ references:
+ cis@rhel7: 4.1.16
++ cis@rhel8: 4.1.15
+ cis@ubuntu2004: 4.1.16
+ disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
+ nist: AU-12(c),AU-12.1(iv),AU-3,AU-3.1,AU-12(a),AU-12.1(ii),MA-4(1)(a)
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
+index 5e03dde851..f70c537064 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
++++
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
+@@ -32,10 +32,12 @@ severity: medium
+
+ identifiers:
+ cce@rhel7: CCE-85853-0
++ cce@rhel8: CCE-85973-6
+ cce@sle15: CCE-85731-8
+
+ references:
+ cis@rhel7: 4.1.16
++ cis@rhel8: 4.1.15
+ cis@ubuntu2004: 4.1.16
+ disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
+ nist: AU-12(a),AU-12.1(ii),AU-3,AU-3.1,AU-12(c),AU-12.1(iv),MA-4(1)(a)
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
+index 1535041672..113c8fc4bc 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
+@@ -28,10 +28,12 @@ severity: medium
+
+ identifiers:
+ cce@rhel7: CCE-85852-2
++ cce@rhel8: CCE-86017-1
+ cce@sle15: CCE-85732-6
+
+ references:
+ cis@rhel7: 4.1.16
++ cis@rhel8: 4.1.15
+ cis@ubuntu2004: 4.1.16
+ disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
+ nist@sle15: AU-12(c),AU-12.1(iv),AU-3,AU-3.1,AU-12(a),AU-12.1(ii),MA-4(1)(a)
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 001262c6ee..aaa631515b 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -49,7 +49,6 @@ CCE-85915-7
+ CCE-85916-5
+ CCE-85917-3
+ CCE-85918-1
+-CCE-85919-9
+ CCE-85920-7
+ CCE-85921-5
+ CCE-85922-3
+@@ -100,7 +99,6 @@ CCE-85968-6
+ CCE-85969-4
+ CCE-85970-2
+ CCE-85972-8
+-CCE-85973-6
+ CCE-85974-4
+ CCE-85975-1
+ CCE-85976-9
+@@ -143,7 +141,6 @@ CCE-86013-0
+ CCE-86014-8
+ CCE-86015-5
+ CCE-86016-3
+-CCE-86017-1
+ CCE-86018-9
+ CCE-86019-7
+
CCE-86020-5
diff --git a/SOURCES/scap-security-guide-0.1.58-audit_rhel8_stig-PR_6910.patch b/SOURCES/scap-security-guide-0.1.58-audit_rhel8_stig-PR_6910.patch
new file mode 100644
index 0000000..ac9eaca
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-audit_rhel8_stig-PR_6910.patch
@@ -0,0 +1,4578 @@ +From fdc04fed4ae88d0114540a524f5170b19e2b0d19 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 28 Apr 2021 17:17:23 +0200 +Subject: [PATCH 01/21] Enable audit rules in RHEL8 STIG. + +--- + .../audit_rules_execution_chacl/rule.yml | 2 +- + .../audit_rules_execution_setfacl/rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 171 +++++++++++------- + 6 files changed, 110 insertions(+), 71 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml +index 8c8b0cbda8..28125b692b 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: sle12,sle15,ubuntu2004 ++prodtype: rhel8,sle12,sle15,ubuntu2004 + + title: 'Record Any Attempts to Run chacl' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml +index dcd62891f1..43fe86106c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: sle12,sle15,ubuntu2004 ++prodtype: rhel8,sle12,sle15,ubuntu2004 + + title: 'Record Any Attempts to Run setfacl' + +diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml +index d2ff46792c..dbba6f8636 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: sle12,sle15,ubuntu2004 ++prodtype: rhel8,sle12,sle15,ubuntu2004 + + title: 'Ensure auditd Collects Information on the Use of Privileged Commands - kmod' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml +index 58d0aef7a5..b9f68d0712 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: sle12,sle15,ubuntu2004 ++prodtype: rhel8,sle12,sle15,ubuntu2004 + + title: 'Record Any Attempts to Run ssh-agent' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml +index 6fa14649be..b4c8a8f2cb 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: sle12,sle15,ubuntu2004 ++prodtype: rhel8,sle12,sle15,ubuntu2004 + + title: 'Ensure auditd Collects Information on the Use of Privileged Commands - usermod' + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index f66b2a24a7..c3eee7fae0 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -652,167 +652,206 @@ selections: + # ************ # + + # RHEL-08-030121 +- # - audit_rules_immutable ++ - audit_rules_immutable + + # RHEL-08-030122 +- # - audit_immutable_login_uids ++ - audit_immutable_login_uids + + # RHEL-08-030130 +- # - audit_rules_usergroup_modification_shadow ++ - audit_rules_usergroup_modification_shadow + + # RHEL-08-030140 +- # - audit_rules_usergroup_modification_opasswd ++ - audit_rules_usergroup_modification_opasswd + + # RHEL-08-030150 +- # - audit_rules_usergroup_modification_passwd ++ - audit_rules_usergroup_modification_passwd + + # RHEL-08-030160 +- # - audit_rules_usergroup_modification_gshadow ++ - audit_rules_usergroup_modification_gshadow + + # RHEL-08-030170 +- # - audit_rules_usergroup_modification_group ++ - audit_rules_usergroup_modification_group + +- # RHEL-08-030171, RHEL-08-030172 ++ # RHEL-08-030171 ++ # should be split + # - audit_rules_sysadmin_actions + ++ # RHEL-08-030172 ++ - audit_rules_sysadmin_actions ++ + # RHEL-08-030180 + - package_audit_installed + - service_auditd_enabled + + # RHEL-08-030190 +- # - audit_rules_privileged_commands_sudo ++ - audit_rules_privileged_commands_su ++ ++ # RHEL-08-030200 ++ - audit_rules_dac_modification_lremovexattr ++ ++ # RHEL-08-030210 ++ - audit_rules_dac_modification_removexattr ++ ++ # RHEL-08-030220 ++ - audit_rules_dac_modification_lsetxattr + +- # RHEL-08-030200, RHEL-08-030210, RHEL-08-030220, 
RHEL-08-030230, RHEL-08-030240 +- # - audit_perm_change_failed +- # - audit_perm_change_success ++ # RHEL-08-030230 ++ - audit_rules_dac_modification_fsetxattr ++ ++ # RHEL-08-030240 ++ - audit_rules_dac_modification_fremovexattr + + # RHEL-08-030250 +- # - audit_rules_privileged_commands_chage ++ - audit_rules_privileged_commands_chage + + # RHEL-08-030260 +- # - audit_rules_execution_chcon ++ - audit_rules_execution_chcon + + # RHEL-08-030270 +- # - audit_perm_change_failed +- # - audit_perm_change_success ++ - audit_rules_dac_modification_setxattr + + # RHEL-08-030280 ++ - audit_rules_privileged_commands_ssh_agent ++ ++ # RHEL-08-030290 ++ - audit_rules_privileged_commands_passwd + +- # RHEL-08-030290, RHEL-08-030300, RHEL-08-030301 +- # - audit_ospp_general ++ # RHEL-08-030300 ++ - audit_rules_privileged_commands_mount ++ ++ # RHEL-08-030301 ++ - audit_rules_privileged_commands_umount + + # RHEL-08-030302 +- # - audit_rules_media_export ++ - audit_rules_media_export + + # RHEL-08-030310 ++ # missing rule + + # RHEL-08-030311 +- # - audit_rules_privileged_commands_postdrop ++ - audit_rules_privileged_commands_postdrop + + # RHEL-08-030312 +- # - audit_rules_privileged_commands_postqueue ++ - audit_rules_privileged_commands_postqueue + + # RHEL-08-030313 +- # - audit_rules_execution_semanage ++ - audit_rules_execution_semanage + + # RHEL-08-030314 +- # - audit_rules_execution_setfiles ++ - audit_rules_execution_setfiles + + # RHEL-08-030315 +- # - audit_ospp_general ++ - audit_rules_privileged_commands_userhelper + + # RHEL-08-030316 +- # - audit_rules_execution_setsebool ++ - audit_rules_execution_setsebool + + # RHEL-08-030317 +- # - audit_ospp_general ++ - audit_rules_privileged_commands_unix_chkpwd + + # RHEL-08-030320 +- # - audit_rules_privileged_commands_ssh_keysign ++ - audit_rules_privileged_commands_ssh_keysign + + # RHEL-08-030330 ++ - audit_rules_execution_setfacl + + # RHEL-08-030340 +- # - audit_rules_privileged_commands_pam_timestamp_check ++ - 
audit_rules_privileged_commands_pam_timestamp_check + + # RHEL-08-030350 +- # - audit_ospp_general ++ - audit_rules_privileged_commands_newgrp + + # RHEL-08-030360 +- # - audit_module_load ++ - audit_rules_kernel_module_loading_init ++ ++ # RHEL-08-030361 ++ - audit_rules_file_deletion_events_rename + +- # RHEL-08-030361, RHEL-08-030362 +- # - audit_delete_failed +- # - audit_delete_success ++ # RHEL-08-030362 ++ - audit_rules_file_deletion_events_renameat + + # RHEL-08-030363 ++ - audit_rules_file_deletion_events_rmdir + +- # RHEL-08-030364, RHEL-08-030365 +- # - audit_delete_failed +- # - audit_delete_success ++ # RHEL-08-030364 ++ - audit_rules_file_deletion_events_unlink ++ ++ # RHEL-08-030365 ++ - audit_rules_file_deletion_events_unlinkat + + # RHEL-08-030370 +- # - audit_ospp_general ++ - audit_rules_privileged_commands_gpasswd ++ ++ # RHEL-08-030380 ++ - audit_rules_kernel_module_loading_finit + +- # RHEL-08-030380, RHEL-08-030390 +- # - audit_module_load ++ # RHEL-08-030390 ++ - audit_rules_kernel_module_loading_delete + + # RHEL-08-030400 +- # - audit_ospp_general ++ - audit_rules_privileged_commands_crontab + + # RHEL-08-030410 +- # - audit_rules_privileged_commands_chsh ++ - audit_rules_privileged_commands_chsh + + # RHEL-08-030420 +- # - audit_modify_failed +- # - audit_modify_success ++ - audit_rules_unsuccessful_file_modification_truncate ++ ++ # RHEL-08-030430 ++ - audit_rules_unsuccessful_file_modification_openat ++ ++ # RHEL-08-030440 ++ - audit_rules_unsuccessful_file_modification_open + +- # RHEL-08-030430, RHEL-08-030440, RHEL-08-030450 +- # - audit_create_failed +- # - audit_create_success +- # - audit_modify_failed +- # - audit_modify_success +- # - audit_access_failed +- # - audit_access_success ++ # RHEL-08-030450 ++ - audit_rules_unsuccessful_file_modification_open_by_handle_at + + # RHEL-08-030460 +- # - audit_modify_failed +- # - audit_modify_success ++ - audit_rules_unsuccessful_file_modification_ftruncate + + # RHEL-08-030470 +- # - 
audit_create_failed +- # - audit_create_success ++ - audit_rules_unsuccessful_file_modification_creat + + # RHEL-08-030480 +- # - audit_owner_change_failed +- # - audit_owner_change_success ++ - audit_rules_dac_modification_chown + + # RHEL-08-030490 +- # - audit_perm_change_failed +- # - audit_perm_change_success ++ - audit_rules_dac_modification_chmod ++ ++ # RHEL-08-030500 ++ - audit_rules_dac_modification_lchown ++ ++ # RHEL-08-030510 ++ - audit_rules_dac_modification_fchownat ++ ++ # RHEL-08-030520 ++ - audit_rules_dac_modification_fchown + +- # RHEL-08-030500, RHEL-08-030510, RHEL-08-030520 +- # - audit_owner_change_failed +- # - audit_owner_change_success ++ # RHEL-08-030530 ++ - audit_rules_dac_modification_fchmodat + +- # RHEL-08-030530, RHEL-08-030540 +- # - audit_perm_change_failed +- # - audit_perm_change_success ++ # RHEL-08-030540 ++ - audit_rules_dac_modification_fchmod + + # RHEL-08-030550 +- # - audit_rules_privileged_commands_sudo ++ - audit_rules_privileged_commands_sudo + + # RHEL-08-030560 ++ - audit_rules_privileged_commands_usermod + + # RHEL-08-030570 ++ - audit_rules_execution_chacl + + # RHEL-08-030580 ++ - audit_rules_privileged_commands_kmod + + # RHEL-08-030590 ++ # This one needs to be updated to use /var/log/faillock, but first RHEL-08-020017 should be ++ # implemented as it is the one that configures a different patch for the events of failing locks + # - audit_rules_login_events_faillock + + # RHEL-08-030600 +- # - audit_rules_login_events_lastlog ++ - audit_rules_login_events_lastlog + + # RHEL-08-030601 + - grub2_audit_argument + +From e88a8ad0bece18a8b7dcd350af9706134c827458 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 28 Apr 2021 18:00:18 +0200 +Subject: [PATCH 02/21] Update audit template to include perm=x for binaries. 
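Review bot: The comment added under `# RHEL-08-030590` reads `configures a different patch for the events of failing locks`, where `path` is evidently meant; suggest `# implemented as it is the one that configures a different path for the events of failing locks`. RHEL-08-030171 (`# should be split`) and RHEL-08-030310 (`# missing rule`) stay unselected in this hunk, so those two STIG IDs remain uncovered by the profile until the follow-ups land; a tracking reference in each comment would make that gap visible to consumers of the profile. The selections block starts before this hunk and continues past `- grub2_audit_argument`.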
+
+---
+ .../audit_rules_privileged_commands/ansible.template | 2 +-
+ .../templates/audit_rules_privileged_commands/bash.template | 2 +-
+ .../templates/audit_rules_privileged_commands/oval.template | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template
+index 0a0f06fba2..ec7b7d7605 100644
+--- a/shared/templates/audit_rules_privileged_commands/ansible.template
++++ b/shared/templates/audit_rules_privileged_commands/ansible.template
+@@ -26,7 +26,7 @@
+ - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}"
+ when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched > 0
+
+-{{% if product in ["sle12", "sle15"] %}}
++{{% if product in ["rhel8", "sle12", "sle15"] %}}
+
+ - name: Inserts/replaces the {{{ NAME }}} rule in rules.d
+ lineinfile:
+diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
+index 85dbc9b828..100a4770bf 100644
+--- a/shared/templates/audit_rules_privileged_commands/bash.template
++++ b/shared/templates/audit_rules_privileged_commands/bash.template
+@@ -7,7 +7,7 @@ PATTERN="-a always,exit -F path={{{ PATH }}}\\s\\+.*"
+ GROUP="privileged"
+ # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
+ ARCH=""
+-FULL_RULE="-a always,exit -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged"
++FULL_RULE="-a always,exit -F path={{{ PATH }}} {{{ "-F perm=x " if product in ["rhel8"]}}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged"
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+diff --git
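Review bot: The inline conditional `{{{ "-F perm=x " if product in ["rhel8"]}}}` in the new FULL_RULE has no else branch, so for every product other than rhel8 it evaluates to an undefined value; with Jinja's default Undefined that renders as an empty string, but if the build's template environment uses StrictUndefined it raises at render time. Writing `{{{ "-F perm=x " if product in ["rhel8"] else "" }}}` is safe under either configuration and reads more clearly. The unchanged PATTERN on the line above is what fix_audit_syscall_rule uses to locate an existing rule to replace; its `\\s\\+.*` tail looks permissive enough to match a rule carrying `-F perm=x`, but that is inferred rather than visible here.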
a/shared/templates/audit_rules_privileged_commands/oval.template b/shared/templates/audit_rules_privileged_commands/oval.template +index c68df7671f..151a9d5d47 100644 +--- a/shared/templates/audit_rules_privileged_commands/oval.template ++++ b/shared/templates/audit_rules_privileged_commands/oval.template +@@ -23,7 +23,7 @@ + + + ^/etc/audit/rules\.d/.*\.rules$ +-{{% if product in ["sle12", "sle15"] %}} ++{{% if product in ["rhel8", "sle12", "sle15"] %}} + ^[\s]*-a[\s]+always,exit[\s]+(-S[\s]+all[\s]+)*-F[\s]+path={{{ PATH }}}(?:[\s]+-F[\s]+perm=x)?[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% else %}} + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ +@@ -36,7 +36,7 @@ +
+ + /etc/audit/audit.rules +-{{% if product in ["sle12", "sle15"] %}} ++{{% if product in ["rhel8", "sle12", "sle15"] %}} + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}(?:[\s]+-F[\s]+perm=x)?[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + {{% else %}} + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + +From 78134285266b3d559d8eb89d9dd4b68d37de7a26 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 28 Apr 2021 18:01:57 +0200 +Subject: [PATCH 03/21] Remove remediation that copies entire ospp audit rules + file. + +--- + .../bash/shared.sh | 6 ------ + .../bash/shared.sh | 6 ------ + .../bash/shared.sh | 6 ------ + 3 files changed, 18 deletions(-) + delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/bash/shared.sh + delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/shared.sh + delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/shared.sh + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/bash/shared.sh +deleted file mode 100644 +index c93a8d8805..0000000000 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/bash/shared.sh ++++ /dev/null +@@ -1,6 +0,0 @@ +-# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux +-# +-# Include 
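Review bot: The two regexes now enabled for rhel8 disagree: the `/etc/audit/rules.d` pattern in the first hunk accepts `auid!=(?:4294967295|unset|-1)` and an optional `-S all`, while the `/etc/audit/audit.rules` pattern in this hunk accepts only `auid!=(?:4294967295|unset)` and no `-S all`, so a rule written with `auid!=-1` passes the rules.d test and fails the audit.rules test for the same line. Aligning the second pattern with the first, `auid!=(?:4294967295|unset|-1)`, removes that inconsistency. Both patterns also make `-F perm=x` optional through `(?:[\s]+-F[\s]+perm=x)?`, while the bash remediation in this series now emits it unconditionally for rhel8; if the rhel8 requirement is that execution specifically be audited, the check should require `perm=x` for that product rather than accept rules without it.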
source function library. +-. /usr/share/scap-security-guide/remediation_functions +- +-create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/shared.sh +deleted file mode 100644 +index c93a8d8805..0000000000 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/bash/shared.sh ++++ /dev/null +@@ -1,6 +0,0 @@ +-# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux +-# +-# Include source function library. +-. /usr/share/scap-security-guide/remediation_functions +- +-create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/shared.sh +deleted file mode 100644 +index 1e021c4f80..0000000000 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/bash/shared.sh ++++ /dev/null +@@ -1,6 +0,0 @@ +-# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel +-# +-# Include source function library. +-. 
/usr/share/scap-security-guide/remediation_functions +- +-create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules + +From e6cb5c196e18d9dddf4c1754a438e4a6b8f8b214 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 28 Apr 2021 18:02:46 +0200 +Subject: [PATCH 04/21] Use audit template in kmod privileged command. + +Make SLE content specific to their product. +--- + .../ansible/{shared.yml => sle12.yml} | 0 + .../ansible/sle15.yml | 42 +++++++++++++++++++ + .../oval/{shared.xml => sle12.xml} | 0 + .../oval/sle15.xml | 39 +++++++++++++++++ + .../rule.yml | 5 +++ + 5 files changed, 86 insertions(+) + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/{shared.yml => sle12.yml} (100%) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle15.yml + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/{shared.xml => sle12.xml} (100%) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle15.xml + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle12.yml +similarity index 100% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/shared.yml +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle12.yml +diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle15.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle15.yml
+new file mode 100644
+index 0000000000..6d128bc207
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/ansible/sle15.yml
+@@ -0,0 +1,42 @@
++# platform = multi_platform_sle
++# reboot = false
++# strategy = restrict
++# complexity = low
++# disruption = low
++
++- name: Service facts
++ service_facts:
++
++- name: Check the rules script being used
++ command:
++ grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service
++ register: check_rules_scripts_result
++
++- name: Update kmod in /etc/audit/rules.d/audit.rules
++ lineinfile:
++ path: /etc/audit/rules.d/audit.rules
++ line: '-w /usr/bin/kmod -p x -k modules'
++ create: yes
++ when:
++ - '"auditd.service" in ansible_facts.services'
++ - '"augenrules" in check_rules_scripts_result.stdout'
++ register: augenrules_audit_rules_kmod_update_result
++
++- name: Update kmod in /etc/audit/audit.rules
++ lineinfile:
++ path: /etc/audit/audit.rules
++ line: '-w /usr/bin/kmod -p x -k modules'
++ create: yes
++ when:
++ - '"auditd.service" in ansible_facts.services'
++ - '"auditctl" in check_rules_scripts_result.stdout'
++ register: auditctl_audit_rules_kmod_update_result
++
++- name: Restart auditd.service
++ systemd:
++ name: auditd.service
++ state: restarted
++ when:
++ - (augenrules_audit_rules_kmod_update_result.changed or
++ auditctl_audit_rules_kmod_update_result.changed)
++ - ansible_facts.services["auditd.service"].state == "running"
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/shared.xml
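Review bot: The `Check the rules script being used` task runs `grep` through `command:` with neither `failed_when` nor `changed_when`, so a unit file without an `ExecStartPost` line fails the play (grep exits 1) instead of simply skipping the two lineinfile tasks, and every successful run is reported as changed. Adding `failed_when: false` and `changed_when: false` to that task addresses both. In check mode `command` tasks are skipped and `check_rules_scripts_result.stdout` is then undefined, so the `when` clauses that read it would error; `check_mode: false` on the grep task may be wanted if this playbook is expected to run in check mode. The renamed sle12.yml is not visible here, but as a 100% rename it presumably has the same shape and the same remarks.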
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle12.xml +similarity index 100% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/shared.xml +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle12.xml +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle15.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle15.xml +new file mode 100644 +index 0000000000..4fb3d2fc1c +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/oval/sle15.xml +@@ -0,0 +1,39 @@ ++ ++ ++ {{{ oval_metadata("Ensure audit rule for all uses of the kmod command is enabled.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-w[\s]+/usr/bin/kmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-w[\s]+/usr/bin/kmod[\s]+-p[\s]+x[\s]+-k[\s]+modules[\s]*$ ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml +index dbba6f8636..168d5c51fc 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml +@@ -53,3 +53,8 @@ ocil: |- + return a line, or the line is commented out, this is a 
finding. + + platform: machine ++ ++template: ++ name: audit_rules_privileged_commands ++ vars: ++ path: /usr/bin/kmod + +From 12e793f8340a48418214e73e05248e259c7d16b5 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 28 Apr 2021 18:56:03 +0200 +Subject: [PATCH 05/21] Extend audit_rules_dac_modification to support auid=0 + checking. + +--- + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../bash.template | 16 +++++- + .../oval.template | 53 +++++++++++++++++++ + .../audit_rules_dac_modification/template.py | 7 +++ + 9 files changed, 81 insertions(+), 1 deletion(-) + create mode 100644 shared/templates/audit_rules_dac_modification/template.py + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +index d5ff634e95..294a7ebfd2 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +@@ -78,3 +78,4 @@ template: + name: audit_rules_dac_modification + vars: + attr: fremovexattr ++ check_root_user: "true" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +index 034a22a987..9b01a07515 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +@@ -73,3 +73,4 @@ template: + 
name: audit_rules_dac_modification + vars: + attr: fsetxattr ++ check_root_user: "true" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +index 2245a13e11..577af632aa 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +@@ -78,3 +78,4 @@ template: + name: audit_rules_dac_modification + vars: + attr: lremovexattr ++ check_root_user: "true" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +index 6218e6fc10..d6be12af63 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +@@ -71,3 +71,4 @@ template: + name: audit_rules_dac_modification + vars: + attr: lsetxattr ++ check_root_user: "true" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +index 6565d3fcc2..982d6d377c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +@@ -77,3 
+77,4 @@ template: + name: audit_rules_dac_modification + vars: + attr: removexattr ++ check_root_user: "true" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +index 7babe9d2a7..71c31e2d15 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +@@ -73,3 +73,4 @@ template: + name: audit_rules_dac_modification + vars: + attr: setxattr ++ check_root_user: "true" +diff --git a/shared/templates/audit_rules_dac_modification/bash.template b/shared/templates/audit_rules_dac_modification/bash.template +index f0d3b6978a..a10a9145b2 100644 +--- a/shared/templates/audit_rules_dac_modification/bash.template ++++ b/shared/templates/audit_rules_dac_modification/bash.template +@@ -9,7 +9,7 @@ + + for ARCH in "${RULE_ARCHS[@]}" + do +- PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}}.*" ++ PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>=.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod" + +@@ -17,3 +17,17 @@ do + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + done ++ ++ ++{{% if CHECK_ROOT_USER %}} ++for ARCH in "${RULE_ARCHS[@]}" ++do ++ PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0.*" ++ GROUP="perm_mod" ++ FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0 -F auid!=unset -F key=perm_mod" ++ ++ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' ++ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" 
"$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++done ++{{% endif %}} +diff --git a/shared/templates/audit_rules_dac_modification/oval.template b/shared/templates/audit_rules_dac_modification/oval.template +index 5b1bf5dc6d..6e02cc7f09 100644 +--- a/shared/templates/audit_rules_dac_modification/oval.template ++++ b/shared/templates/audit_rules_dac_modification/oval.template +@@ -7,11 +7,19 @@ + + + ++{{% if CHECK_ROOT_USER %}} ++ ++{{% endif %}} ++ + + + + + ++{{% if CHECK_ROOT_USER %}} ++ ++{{% endif %}} ++ + + + +@@ -19,11 +27,17 @@ + + + ++{{% if CHECK_ROOT_USER %}} ++ ++{{% endif %}} + + + + + ++{{% if CHECK_ROOT_USER %}} ++ ++{{% endif %}} + + + +@@ -66,4 +80,43 @@ + 1 + + ++{{% if CHECK_ROOT_USER %}} ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++{{% endif %}} ++ + +diff --git a/shared/templates/audit_rules_dac_modification/template.py b/shared/templates/audit_rules_dac_modification/template.py +new file mode 100644 +index 0000000000..e12e9c27e5 +--- /dev/null ++++ b/shared/templates/audit_rules_dac_modification/template.py +@@ 
-0,0 +1,7 @@ ++from ssg.utils import parse_template_boolean_value ++ ++ ++def preprocess(data, lang): ++ data["check_root_user"] = parse_template_boolean_value(data, parameter="check_root_user", default_value=False) ++ ++ return data + +From af8b663e00889010ac4d99fb0988aacf6b3ce651 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 17 May 2021 18:07:30 +0200 +Subject: [PATCH 06/21] Simplify perm=x code around + audit_rules_privileged_commands template. + +Also change the OVAL check regex to make it mandatory by removing the ? +character from the regex. +--- + .../oval.template | 4 +-- + .../ansible.template | 26 ++++--------------- + .../bash.template | 5 +++- + .../oval.template | 15 ++++------- + 4 files changed, 16 insertions(+), 34 deletions(-) + +diff --git a/shared/templates/audit_rules_dac_modification/oval.template b/shared/templates/audit_rules_dac_modification/oval.template +index 6e02cc7f09..8f30bef022 100644 +--- a/shared/templates/audit_rules_dac_modification/oval.template ++++ b/shared/templates/audit_rules_dac_modification/oval.template +@@ -10,14 +10,14 @@ + {{% if CHECK_ROOT_USER %}} + + {{% endif %}} +- ++ + + + + + + {{% if CHECK_ROOT_USER %}} +- ++ + {{% endif %}} + + +diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template +index ec7b7d7605..a245de6673 100644 +--- a/shared/templates/audit_rules_privileged_commands/ansible.template ++++ b/shared/templates/audit_rules_privileged_commands/ansible.template +@@ -1,3 +1,6 @@ ++{{%- if product in ["rhel8", "sle12", "sle15"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle + # reboot = false + # strategy = restrict +@@ -26,12 +29,11 @@ + - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" + when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched > 0 
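Review bot: `preprocess` in the new template.py has no docstring, and nothing states that the `check_root_user` key it writes is what the bash/oval templates read as the `CHECK_ROOT_USER` guard. I would add `"""Coerce the optional check_root_user rule parameter to a bool (default False) so the templates' CHECK_ROOT_USER guard never sees the raw YAML string."""`. The uppercase name presumably comes from how the template engine exposes rule vars, which is worth confirming and naming in that docstring. `lang` is accepted but unused; if that is the fixed hook signature, a one-line comment saying so stops the next reader from removing it.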
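Review bot: In the `@@ -1,3 +1,6 @@` hunk `perm_x` is only assigned inside the product guard, so on every other product the `{{{ perm_x }}}` used by the two lineinfile lines further down renders an undefined name; whether that becomes an empty string or a render error depends on the build's Jinja `undefined` setting, which I cannot see from here. The bash form this replaces, `{{{ "-F perm=x " if product in ["rhel8"]}}}`, relied on the same behaviour, so it evidently works today, but it is implicit. An explicit branch removes the doubt: `{{%- else %}}` / `{{%- set perm_x="" %}}` before the `{{%- endif %}}`. The same pattern is introduced in the bash.template and oval.template `@@ -1,3 +1,6 @@` hunks of this patch.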
+
+-{{% if product in ["rhel8", "sle12", "sle15"] %}}
+
+ - name: Inserts/replaces the {{{ NAME }}} rule in rules.d
+ lineinfile:
+ path: "{{ all_files[0] }}"
+- line: '-a always,exit -F path={{{ PATH }}} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
++ line: '-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
+ create: yes
+
+ # Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules
+@@ -39,23 +41,5 @@
+ - name: Inserts/replaces the {{{ NAME }}} rule in audit.rules
+ lineinfile:
+ path: /etc/audit/audit.rules
+- line: '-a always,exit -F path={{{ PATH }}} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
++ line: '-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
+ create: yes
+-
+-{{% else %}}
+-
+-- name: Inserts/replaces the {{{ NAME }}} rule in rules.d
+- lineinfile:
+- path: "{{ all_files[0] }}"
+- line: '-a always,exit -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
+- create: yes
+-
+-# Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules
+-
+-- name: Inserts/replaces the {{{ NAME }}} rule in audit.rules
+- lineinfile:
+- path: /etc/audit/audit.rules
+- line: '-a always,exit -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
+- create: yes
+-
+-{{% endif %}}
+diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
+index 100a4770bf..2b3795674f 100644
+--- a/shared/templates/audit_rules_privileged_commands/bash.template
++++ b/shared/templates/audit_rules_privileged_commands/bash.template
+@@ -1,3 +1,6 @@
++{{%- if product in ["rhel8", "sle12", "sle15"] %}}
++ {{%- set perm_x="-F perm=x " %}}
++{{%- endif %}}
+ # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+
+ # Include source function library.
+@@ -7,7 +10,7 @@ PATTERN="-a always,exit -F path={{{ PATH }}}\\s\\+.*" + GROUP="privileged" + # Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation + ARCH="" +-FULL_RULE="-a always,exit -F path={{{ PATH }}} {{{ "-F perm=x " if product in ["rhel8"]}}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged" ++FULL_RULE="-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +diff --git a/shared/templates/audit_rules_privileged_commands/oval.template b/shared/templates/audit_rules_privileged_commands/oval.template +index 151a9d5d47..8e3919ca66 100644 +--- a/shared/templates/audit_rules_privileged_commands/oval.template ++++ b/shared/templates/audit_rules_privileged_commands/oval.template +@@ -1,3 +1,6 @@ ++{{%- if product in ["rhel8", "sle12", "sle15"] %}} ++ {{%- set perm_x="(?:[\s]+-F[\s]+perm=x)" %}} ++{{%- endif %}} + + + {{{ oval_metadata("Audit rules about the information on the use of " + NAME + " is enabled.") }}} +@@ -23,11 +26,7 @@ +
+ + ^/etc/audit/rules\.d/.*\.rules$ +-{{% if product in ["rhel8", "sle12", "sle15"] %}} +- ^[\s]*-a[\s]+always,exit[\s]+(-S[\s]+all[\s]+)*-F[\s]+path={{{ PATH }}}(?:[\s]+-F[\s]+perm=x)?[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ +-{{% else %}} +- ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ +-{{% endif %}} ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}{{{ perm_x }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + +@@ -36,11 +35,7 @@ + + + /etc/audit/audit.rules +-{{% if product in ["rhel8", "sle12", "sle15"] %}} +- ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}(?:[\s]+-F[\s]+perm=x)?[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ +-{{% else %}} +- ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ +-{{% endif %}} ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}{{{ perm_x }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + +From 4cf80fd7eff49d6e14852947e76a302ca2993db7 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Fri, 30 Jul 2021 15:04:14 +0200 +Subject: [PATCH 07/21] Fix audit bash remediation to remove the auid!=unset + when using auid=0. 
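Review bot: The unified rules.d regex in the `@@ -23,11 +26,7 @@` hunk no longer tolerates `(-S[\s]+all[\s]+)*` before `-F path=` and drops `-1` from the `auid!=` alternatives, both of which the removed rhel8/sle12/sle15 branch accepted, so a rule previously passing on those products as `-a always,exit -S all -F path=... -F auid!=-1 ...` now fails the check. The commit message only announces making `perm=x` mandatory, so this extra tightening looks unintentional; if it is deliberate, say so in the message, otherwise keep `(-S[\s]+all[\s]+)*` and `(?:4294967295|unset|-1)` in the new expression. The audit.rules hunk below already lacked both forms, so the two objects are at least consistent now.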
+
+---
+ shared/templates/audit_rules_dac_modification/bash.template | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/templates/audit_rules_dac_modification/bash.template b/shared/templates/audit_rules_dac_modification/bash.template
+index a10a9145b2..d64d264635 100644
+--- a/shared/templates/audit_rules_dac_modification/bash.template
++++ b/shared/templates/audit_rules_dac_modification/bash.template
+@@ -24,7 +24,7 @@ for ARCH in "${RULE_ARCHS[@]}"
+ do
+ PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0.*"
+ GROUP="perm_mod"
+- FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0 -F auid!=unset -F key=perm_mod"
++ FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+
+From 0833b43bfa039c4ee661049fb25b86ef3854b614 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Fri, 30 Jul 2021 15:04:55 +0200
+Subject: [PATCH 08/21] Update audit_rules_dac_modification ansible remediation
+ with auid=0 fix.
+
+---
+ .../ansible.template | 36 +++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template
+index 70101ca777..d048978456 100644
+--- a/shared/templates/audit_rules_dac_modification/ansible.template
++++ b/shared/templates/audit_rules_dac_modification/ansible.template
+@@ -40,12 +40,29 @@
+ line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
+ create: yes
+
++{{%- if CHECK_ROOT_USER %}}
++- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in rules.d when on x86
++ lineinfile:
++ path: "{{ all_files[0] }}"
++ line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
++ create: yes
++{{%- endif %}}
++
+ - name: Inserts/replaces the {{{ ATTR }}} rule in rules.d when on x86_64
+ lineinfile:
+ path: "{{ all_files[0] }}"
+ line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
+ create: yes
+ when: audit_arch is defined and audit_arch == 'b64'
++
++{{%- if CHECK_ROOT_USER %}}
++- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in rules.d when on x86_64
++ lineinfile:
++ path: "{{ all_files[0] }}"
++ line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
++ create: yes
++ when: audit_arch is defined and audit_arch == 'b64'
++{{%- endif %}}
+ #
+ # Inserts/replaces the rule in /etc/audit/audit.rules
+ #
+@@ -56,6 +73,15 @@
+ dest: /etc/audit/audit.rules
+ create: yes
+
++{{%- if CHECK_ROOT_USER %}}
++- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in /etc/audit/audit.rules when on x86
++ lineinfile:
++ line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
++ state: present
++ dest: /etc/audit/audit.rules
++ create: yes
++{{%- endif %}}
++
+ - name: Inserts/replaces the {{{ ATTR }}} rule in audit.rules when on x86_64
+ lineinfile:
+ line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
+@@ -63,3 +89,13 @@
+ dest: /etc/audit/audit.rules
+ create: yes
+ when: audit_arch is defined and audit_arch == 'b64'
++
++{{%- if CHECK_ROOT_USER %}}
++- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in audit.rules when on x86_64
++ lineinfile:
++ line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid=0 -F auid!=unset -F key=perm_mod"
++ state: present
++ dest: /etc/audit/audit.rules
++ create: yes
++ when: audit_arch is defined and audit_arch == 'b64'
++{{%- endif %}}
+
+From 314251db8fbff07ac4b796944381f9bb1eef05c2 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Fri, 30 Jul 2021 15:05:42 +0200
+Subject: [PATCH 09/21] Update audit_rules_dac_modification rules description.
+
+Make the check_user_root template parameter only applicable to RHEL8.
+---
+ .../rule.yml | 14 +++++++++++++-
+ .../rule.yml | 14 +++++++++++++-
+ .../rule.yml | 14 +++++++++++++-
+ .../rule.yml | 14 +++++++++++++-
+ .../rule.yml | 14 +++++++++++++-
+ .../audit_rules_dac_modification_setxattr/rule.yml | 14 +++++++++++++-
+ 6 files changed, 78 insertions(+), 6 deletions(-)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+index 294a7ebfd2..e1a2492c4c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+@@ -11,17 +11,29 @@ description: |-
+ startup (the default), add the following line to a file with suffix
+ .rules in the directory /etc/audit/rules.d:
+
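Review bot: The x86_64 audit.rules task in the `@@ -63,3 +89,13 @@` hunk inserts `-F auid=0 -F auid!=unset -F key=perm_mod`, while the three other auid=0 tasks this commit adds and the bash remediation fixed in PATCH 07 use `-F auid=0 -F key=perm_mod`; `auid!=unset` is redundant next to `auid=0` and makes this one task write a rule that differs from what the rule descriptions document. Change it to `line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"`. The OVAL regex added in PATCH 05 accepts either form because of the `.*` before the key clause, so the check will not surface this drift.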
-a always,exit -F arch=b32 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
++{{%- endif %}} +

+ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
++{{%- endif %}} +

+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following line to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
++{{%- endif %}} +

+ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
++{{%- endif %}} + + rationale: |- + The changing of file permissions could indicate that a user is attempting to +@@ -78,4 +90,4 @@ template: + name: audit_rules_dac_modification + vars: + attr: fremovexattr +- check_root_user: "true" ++ check_root_user@rhel8: "true" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +index 9b01a07515..4c27cbf7fb 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +@@ -9,14 +9,26 @@ description: |- + startup (the default), add the following line to a file with suffix + .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
++{{%- endif %}} + If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
++{{%- endif %}} + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following line to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
++{{%- endif %}} + If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
++{{%- endif %}} + + rationale: |- + The changing of file permissions could indicate that a user is attempting to +@@ -73,4 +85,4 @@ template: + name: audit_rules_dac_modification + vars: + attr: fsetxattr +- check_root_user: "true" ++ check_root_user@rhel8: "true" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +index 577af632aa..ad034bc570 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +@@ -11,17 +11,29 @@ description: |- + startup (the default), add the following line to a file with suffix + .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S lremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
++{{%- endif %}} +

+ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
++{{%- endif %}} +

+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following line to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S lremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
++{{%- endif %}} +

+ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
++{{%- endif %}} + + rationale: |- + The changing of file permissions could indicate that a user is attempting to +@@ -78,4 +90,4 @@ template: + name: audit_rules_dac_modification + vars: + attr: lremovexattr +- check_root_user: "true" ++ check_root_user@rhel8: "true" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +index d6be12af63..a3895bd4c7 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +@@ -9,14 +9,26 @@ description: |- + startup (the default), add the following line to a file with suffix + .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
++{{%- endif %}} + If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
++{{%- endif %}} + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following line to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
++{{%- endif %}} + If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
++{{%- endif %}} + + rationale: |- + The changing of file permissions could indicate that a user is attempting to +@@ -71,4 +83,4 @@ template: + name: audit_rules_dac_modification + vars: + attr: lsetxattr +- check_root_user: "true" ++ check_root_user@rhel8: "true" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +index 982d6d377c..eee86b99de 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +@@ -10,17 +10,29 @@ description: |- + program to read audit rules during daemon startup (the default), add the + following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
++{{%- endif %}} +

+ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
++{{%- endif %}} +

+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following line to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
++{{%- endif %}} +

+ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
++{{%- endif %}} + + rationale: |- + The changing of file permissions could indicate that a user is attempting to +@@ -77,4 +89,4 @@ template: + name: audit_rules_dac_modification + vars: + attr: removexattr +- check_root_user: "true" ++ check_root_user@rhel8: "true" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +index 71c31e2d15..4a90ed9f96 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +@@ -9,14 +9,26 @@ description: |- + startup (the default), add the following line to a file with suffix + .rules in the directory /etc/audit/rules.d: +
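Review bot: The second rhel8 block of the removexattr description hunk (the 64-bit rules.d line) documents `-S lsetxattr`, while the other three blocks and the template var `attr: removexattr` name removexattr, so an administrator following the text adds an audit rule for the wrong syscall. Change that line to `-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod`. The commit message also calls the parameter `check_user_root` where the code uses `check_root_user`.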
-a always,exit -F arch=b32 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
++{{%- endif %}} + If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
++{{%- endif %}} + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following line to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
++{{%- endif %}} + If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
++{{%- if product in ["rhel8"] %}} ++
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
++{{%- endif %}} + + rationale: |- + The changing of file permissions could indicate that a user is attempting to +@@ -73,4 +85,4 @@ template: + name: audit_rules_dac_modification + vars: + attr: setxattr +- check_root_user: "true" ++ check_root_user@rhel8: "true" + +From 48ce4b6e4803f92291c44acc990bd6a61baf4128 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Fri, 30 Jul 2021 16:54:48 +0200 +Subject: [PATCH 10/21] Remove rule that is selected twice in RHEL8 STIG + profile. + +It's already part of the following STIG id: + # RHEL-08-010560 + - service_auditd_enabled +--- + products/rhel8/profiles/stig.profile | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index c3eee7fae0..3cbb4796ac 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -681,7 +681,6 @@ selections: + + # RHEL-08-030180 + - package_audit_installed +- - service_auditd_enabled + + # RHEL-08-030190 + - audit_rules_privileged_commands_su + +From 7f23cee71a3fc1791b26c4e59339d73063fe867e Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 2 Aug 2021 15:36:55 +0200 +Subject: [PATCH 11/21] Fix RHEL8 STIG id references in audit rules. 
+
+---
+ .../audit_rules_dac_modification_chmod/rule.yml | 3 ++-
+ .../audit_rules_dac_modification_chown/rule.yml | 3 ++-
+ .../audit_rules_dac_modification_fchmod/rule.yml | 3 ++-
+ .../audit_rules_dac_modification_fchmodat/rule.yml | 3 ++-
+ .../audit_rules_dac_modification_fchown/rule.yml | 3 ++-
+ .../audit_rules_dac_modification_fchownat/rule.yml | 3 ++-
+ .../audit_rules_dac_modification_fremovexattr/rule.yml | 3 ++-
+ .../audit_rules_dac_modification_fsetxattr/rule.yml | 3 ++-
+ .../audit_rules_dac_modification_lchown/rule.yml | 3 ++-
+ .../audit_rules_dac_modification_lremovexattr/rule.yml | 3 ++-
+ .../audit_rules_dac_modification_lsetxattr/rule.yml | 3 ++-
+ .../audit_rules_dac_modification_removexattr/rule.yml | 5 +++--
+ .../audit_rules_dac_modification_setxattr/rule.yml | 3 ++-
+ .../audit_rules_execution_chacl/rule.yml | 4 +++-
+ .../audit_rules_execution_setfacl/rule.yml | 4 +++-
+ .../audit_rules_execution_chcon/rule.yml | 3 ++-
+ .../audit_rules_execution_semanage/rule.yml | 5 +++--
+ .../audit_rules_execution_setfiles/rule.yml | 5 +++--
+ .../audit_rules_execution_setsebool/rule.yml | 5 +++--
+ .../audit_rules_file_deletion_events_rename/rule.yml | 5 +++--
+ .../audit_rules_file_deletion_events_renameat/rule.yml | 5 +++--
+ .../audit_rules_file_deletion_events_rmdir/rule.yml | 5 +++--
+ .../audit_rules_file_deletion_events_unlink/rule.yml | 5 +++--
+ .../audit_rules_file_deletion_events_unlinkat/rule.yml | 5 +++--
+ .../rule.yml | 3 ++-
+ .../rule.yml | 3 ++-
+ .../rule.yml | 3 ++-
+ .../rule.yml | 3 ++-
+ .../rule.yml | 3 ++-
+ .../rule.yml | 5 +++--
+ .../audit_rules_kernel_module_loading_delete/rule.yml | 3 ++-
+ .../audit_rules_kernel_module_loading_finit/rule.yml | 3 ++-
+ .../audit_rules_kernel_module_loading_init/rule.yml | 3 ++-
+ .../audit_rules_login_events_lastlog/rule.yml | 4 ++--
+ .../audit_rules_privileged_commands_chage/rule.yml | 5 +++--
+ .../audit_rules_privileged_commands_chsh/rule.yml | 5 +++--
+ 
.../audit_rules_privileged_commands_crontab/rule.yml | 5 +++--
+ .../audit_rules_privileged_commands_gpasswd/rule.yml | 5 +++--
+ .../audit_rules_privileged_commands_kmod/rule.yml | 4 +++-
+ .../audit_rules_privileged_commands_mount/rule.yml | 1 +
+ .../audit_rules_privileged_commands_newgrp/rule.yml | 5 +++--
+ .../rule.yml | 5 +++--
+ .../audit_rules_privileged_commands_passwd/rule.yml | 5 +++--
+ .../audit_rules_privileged_commands_postdrop/rule.yml | 5 +++--
+ .../audit_rules_privileged_commands_postqueue/rule.yml | 5 +++--
+ .../audit_rules_privileged_commands_ssh_agent/rule.yml | 6 ++++--
+ .../audit_rules_privileged_commands_ssh_keysign/rule.yml | 5 +++--
+ .../audit_rules_privileged_commands_su/rule.yml | 5 +++--
+ .../audit_rules_privileged_commands_sudo/rule.yml | 5 +++--
+ .../audit_rules_privileged_commands_umount/rule.yml | 1 +
+ .../audit_rules_privileged_commands_unix_chkpwd/rule.yml | 3 ++-
+ .../audit_rules_privileged_commands_userhelper/rule.yml | 5 +++--
+ .../audit_rules_privileged_commands_usermod/rule.yml | 4 +++-
+ .../auditd_configure_rules/audit_rules_immutable/rule.yml | 2 ++
+ .../audit_rules_media_export/rule.yml | 5 +++--
+ .../audit_rules_sysadmin_actions/rule.yml | 2 +-
+ .../audit_rules_usergroup_modification_group/rule.yml | 4 ++--
+ .../audit_rules_usergroup_modification_gshadow/rule.yml | 4 ++--
+ .../audit_rules_usergroup_modification_opasswd/rule.yml | 4 ++--
+ .../audit_rules_usergroup_modification_passwd/rule.yml | 4 ++--
+ .../audit_rules_usergroup_modification_shadow/rule.yml | 4 ++--
+ .../guide/system/auditing/grub2_audit_argument/rule.yml | 2 +-
+ .../policy_rules/audit_immutable_login_uids/rule.yml | 3 ++-
+ products/rhel8/profiles/stig.profile | 2 +-
+ shared/references/cce-redhat-avail.txt | 5 -----
+ 65 files changed, 153 insertions(+), 97 deletions(-)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
+index 4cb9bb5cf4..bc3e47523f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
+@@ -52,9 +52,10 @@ references:
+ nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.5.5
+- srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203
+ stigid@ol7: OL07-00-030410
+ stigid@rhel7: RHEL-07-030410
++ stigid@rhel8: RHEL-08-030490
+ stigid@sle12: SLES-12-020460
+ stigid@sle15: SLES-15-030290
+ stigid@ubuntu2004: UBTU-20-010152
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
+index cbac49dd12..6b3236cf95 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
+@@ -52,9 +52,10 @@ references:
+ nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.5.5
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219
++ srg: 
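Review bot: The rewritten `srg:` line in this chmod hunk abandons the ascending order the removed line and the other removed DAC `srg:` lines use, placing `SRG-OS-000064-GPOS-00033`, `SRG-OS-000466-GPOS-00210` and `SRG-OS-000458-GPOS-00203` after `SRG-OS-000471-GPOS-00215`; an unsorted list hides accidental duplicates and makes the next diff of this line hard to review. Sorted, the new value reads `srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000466-GPOS-00210,SRG-OS-000471-GPOS-00215`. The same applies to the `srg:` rewrites in the chown, fchmod, fchmodat, fchown, fchownat, fremovexattr, fsetxattr, lchown, lremovexattr, lsetxattr, removexattr and setxattr hunks, and to the chcon, semanage, setfiles, setsebool and file-deletion-event hunks further down.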
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
+ stigid@ol7: OL07-00-030370
+ stigid@rhel7: RHEL-07-030370
++ stigid@rhel8: RHEL-08-030480
+ stigid@sle12: SLES-12-020420
+ stigid@sle15: SLES-15-030250
+ stigid@ubuntu2004: UBTU-20-010148
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+index 81f2f067ba..ed4d88cb0c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+@@ -52,9 +52,10 @@ references:
+ nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.5.5
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203
+ stigid@ol7: OL07-00-030420
+ stigid@rhel7: RHEL-07-030420
++ stigid@rhel8: RHEL-08-030540
+ stigid@sle12: SLES-12-020470
+ stigid@sle15: SLES-15-030300
+ stigid@ubuntu2004: UBTU-20-010153
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+index 
7fcf1c7ef1..2db3878939 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+@@ -52,9 +52,10 @@ references:
+ nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.5.5
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203
+ stigid@ol7: OL07-00-030430
+ stigid@rhel7: RHEL-07-030430
++ stigid@rhel8: RHEL-08-030530
+ stigid@sle12: SLES-12-020480
+ stigid@sle15: SLES-12-030310
+ stigid@ubuntu2004: UBTU-20-010154
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+index d696862377..37dfb89ef2 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+@@ -55,9 +55,10 @@ references:
+ nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.5.5
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219
++ srg: 
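Review bot: The context line `stigid@sle15: SLES-12-030310` in the fchmodat hunk carries a SLES-12 prefix under the sle15 key, while the sle15 entries of every sibling DAC rule in this series start with `SLES-15-`, so this looks like a pre-existing typo in the id that the new `stigid@rhel8` line now sits directly above. Since the commit is specifically fixing STIG id references, the value should be checked against the SLES 15 STIG and corrected in the same change. The rule's other sections are outside this hunk.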
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
+ stigid@ol7: OL07-00-030380
+ stigid@rhel7: RHEL-07-030380
++ stigid@rhel8: RHEL-08-030520
+ stigid@sle12: SLES-12-020430
+ stigid@sle15: SLES-15-030260
+ stigid@ubuntu2004: UBTU-20-010149
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+index 0213d78fbc..f75ac769d8 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+@@ -52,9 +52,10 @@ references:
+ nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.5.5
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
+ stigid@ol7: OL07-00-030400
+ stigid@rhel7: RHEL-07-030400
++ stigid@rhel8: RHEL-08-030510
+ stigid@sle12: SLES-12-020450
+ stigid@sle15: SLES-15-030280
+ stigid@ubuntu2004: UBTU-20-010150
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+index e1a2492c4c..d46968da8f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+@@ -69,9 +69,10 @@ references:
+ nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.5.5
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000466-GPOS-00210,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
+ stigid@ol7: OL07-00-030480
+ stigid@rhel7: RHEL-07-030480
++ stigid@rhel8: RHEL-08-030240
+ stigid@sle12: SLES-12-020410
+ stigid@sle15: SLES-15-030210
+ stigid@ubuntu2004: UBTU-20-010147
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+index 4c27cbf7fb..564daccaed 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+@@ -64,9 +64,10 @@ references:
+ nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.5.5
+- srg: 
SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033
+ stigid@ol7: OL07-00-030450
+ stigid@rhel7: RHEL-07-030450
++ stigid@rhel8: RHEL-08-030230
+ stigid@sle12: SLES-12-020380
+ stigid@sle15: SLES-15-030230
+ stigid@ubuntu2004: UBTU-20-010144
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+index 6e2432f309..edc053bfb3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+@@ -52,9 +52,10 @@ references:
+ nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.5.5
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
+ stigid@ol7: OL07-00-030390
+ stigid@rhel7: RHEL-07-030390
++ stigid@rhel8: RHEL-08-030500
+ stigid@sle12: SLES-12-020440
+ stigid@sle15: SLES-15-030270
+ stigid@ubuntu2004: UBTU-20-010151
+diff 
--git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+index ad034bc570..2ae0f11c58 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+@@ -69,9 +69,10 @@ references:
+ nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.5.5
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000466-GPOS-00210,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
+ stigid@ol7: OL07-00-030490
+ stigid@rhel7: RHEL-07-030490
++ stigid@rhel8: RHEL-08-030200
+ stigid@sle12: SLES-12-020400
+ stigid@sle15: SLES-15-030200
+ stigid@ubuntu2004: UBTU-20-010146
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+index a3895bd4c7..945ad560d7 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+@@ -63,9 +63,10 @@ references:
+ 
nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.5.5
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033
+ stigid@ol7: OL07-00-030460
+ stigid@rhel7: RHEL-07-030460
++ stigid@rhel8: RHEL-08-030220
+ stigid@sle15: SLES-15-030240
+ stigid@ubuntu2004: UBTU-20-010143
+ vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+index eee86b99de..e6d7374b7f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+@@ -17,7 +17,7 @@ description: |-
+ If the system is 64 bit then also add the following line:
+
-a always,exit -F arch=b64 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+ {{%- if product in ["rhel8"] %}} +-
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
++
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} +

+ If the auditd daemon is configured to use the auditctl
+@@ -68,9 +68,10 @@ references:
+ nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.5.5
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000466-GPOS-00210,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
+ stigid@ol7: OL07-00-030470
+ stigid@rhel7: RHEL-07-030470
++ stigid@rhel8: RHEL-08-030210
+ stigid@sle12: SLES-12-020390
+ stigid@sle15: SLES-15-030190
+ stigid@ubuntu2004: UBTU-20-010145
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+index 4a90ed9f96..ab15167508 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+@@ -64,9 +64,10 @@ references:
+ nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.5.5
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ srg: 
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203
+ stigid@ol7: OL07-00-030440
+ stigid@rhel7: RHEL-07-030440
++ stigid@rhel8: RHEL-08-030270
+ stigid@sle12: SLES-12-020370
+ stigid@sle15: SLES-15-030220
+ stigid@ubuntu2004: UBTU-20-010142
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
+index 28125b692b..0c71e4ac24 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
+@@ -27,13 +27,15 @@ rationale: |-
+ severity: medium
+
+ identifiers:
++ cce@rhel8: CCE-89446-9
+ cce@sle12: CCE-83190-9
+ cce@sle15: CCE-85595-7
+
+ references:
+ disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
+ nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
++ stigid@rhel8: RHEL-08-030570
+ stigid@sle12: SLES-12-020620
+ stigid@sle15: SLES-15-030440
+ stigid@ubuntu2004: UBTU-20-010168
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
+index 43fe86106c..89c134a0fa 100644
+--- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
+@@ -27,13 +27,15 @@ rationale: |-
+ severity: medium
+
+ identifiers:
++ cce@rhel8: CCE-88437-9
+ cce@sle12: CCE-83189-1
+ cce@sle15: CCE-85594-0
+
+ references:
+ disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
+ nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ stigid@rhel8: RHEL-08-030330
+ stigid@sle12: SLES-12-020610
+ stigid@sle15: SLES-15-030430
+ stigid@ubuntu2004: UBTU-20-010167
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
+index b50e27b810..0c6781c7d5 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
+@@ -60,9 +60,10 @@ references:
+ nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
+ nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii)AU-12.1(iv),MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000471-GPOS-00215
++ srg: 
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
+ stigid@ol7: OL07-00-030580
+ stigid@rhel7: RHEL-07-030580
++ stigid@rhel8: RHEL-08-030260
+ stigid@sle12: SLES-12-020630
+ stigid@sle15: SLES-15-030450
+ stigid@ubuntu2004: UBTU-20-010165
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
+index 2ad3b555b5..b609c3dfc2 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
+@@ -40,7 +40,7 @@ references:
+ cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000172,CCI-002884
++ disa: CCI-000169,CCI-000172,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
+@@ -49,9 +49,10 @@ references:
+ nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
+ ospp: FAU_GEN.1.1.c
+- srg: SRG-OS-000392-GPOS-00172,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
++ srg: 
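Review bot: The chcon hunk's context line `nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii)AU-12.1(iv),MA-4(1)(a)` is missing the comma between `AU-12.1(ii)` and `AU-12.1(iv)`, so any consumer that splits this reference list on commas would see one bogus token instead of two controls. It is pre-existing, but the commit is already editing the references block two lines below, so the line should be corrected here to `nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)`. The rest of the chcon references block is outside this hunk.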
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209 + stigid@ol7: OL07-00-030560 + stigid@rhel7: RHEL-07-030560 ++ stigid@rhel8: RHEL-08-030313 + vmmsrg: SRG-OS-000463-VMM-001850 + + ocil: |- +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml +index eb8bd19edb..9de7407f4c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml +@@ -37,11 +37,12 @@ identifiers: + cce@rhel9: CCE-83736-9 + + references: +- disa: CCI-000172,CCI-002884 ++ disa: CCI-000169,CCI-000172,CCI-002884 + nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a) +- srg: SRG-OS-000392-GPOS-00172,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209 ++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209 + stigid@ol7: OL07-00-030590 + stigid@rhel7: RHEL-07-030590 ++ stigid@rhel8: RHEL-08-030314 + vmmsrg: SRG-OS-000463-VMM-001850 + + ocil: |- +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml +index 5544175f39..23504bab4a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml +@@ -40,7 +40,7 @@ references: + cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 + cui: 3.1.7 +- disa: CCI-000172,CCI-002884 ++ disa: CCI-000169,CCI-000172,CCI-002884 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 + isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2' +@@ -48,9 +48,10 @@ references: + nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a) + nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1 + ospp: FAU_GEN.1.1.c +- srg: SRG-OS-000392-GPOS-00172,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209 ++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209 + stigid@ol7: OL07-00-030570 + stigid@rhel7: RHEL-07-030570 ++ stigid@rhel8: RHEL-08-030316 + vmmsrg: SRG-OS-000463-VMM-001850 + + ocil: |- +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml +index fe72f59697..9dd83f6dba 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml +@@ -37,7 +37,7 @@ references: + cis@ubuntu2004: 4.1.13 + cobit5: 
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 + cui: 3.1.7 +- disa: CCI-000172,CCI-000366,CCI-002884 ++ disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' +@@ -46,9 +46,10 @@ references: + nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4 + ospp: FAU_GEN.1.1.c + pcidss: Req-10.2.7 +- srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172 ++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212 + stigid@ol7: OL07-00-030880 + stigid@rhel7: RHEL-07-030880 ++ stigid@rhel8: RHEL-08-030361 + stigid@ubuntu2004: UBTU-20-010269 + vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890 + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml +index 3508352514..cd9aa9f5e6 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+@@ -37,7 +37,7 @@ references:
+ cis@ubuntu2004: 4.1.13
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000172,CCI-000366,CCI-002884
++ disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+@@ -46,9 +46,10 @@ references:
+ nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.2.7
+- srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
+ stigid@ol7: OL07-00-030890
+ stigid@rhel7: RHEL-07-030890
++ stigid@rhel8: RHEL-08-030362
+ stigid@ubuntu2004: UBTU-20-010270
+ vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+index 994cf0e087..6e0bb755b0 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+@@ -36,7 +36,7 @@ references:
+ cis@rhel8: 4.1.14
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000172,CCI-000366,CCI-002884
++ disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+@@ -45,9 +45,10 @@ references:
+ nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.2.7
+- srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
+ stigid@ol7: OL07-00-030900
+ stigid@rhel7: RHEL-07-030900
++ stigid@rhel8: RHEL-08-030363
+ vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
+ 
+ {{{ complete_ocil_entry_audit_syscall(syscall="rmdir") }}}
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+index 330221f9c6..be4e328b7c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+@@ -37,7 +37,7 @@ references:
+ cis@ubuntu2004: 4.1.13
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000172,CCI-000366,CCI-002884
++ disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+@@ -46,9 +46,10 @@ references:
+ nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.2.7
+- srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
+ stigid@ol7: OL07-00-030910
+ stigid@rhel7: RHEL-07-030910
++ stigid@rhel8: RHEL-08-030364
+ stigid@ubuntu2004: UBTU-20-010267
+ vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+index 14ef50bb2b..eaf8f1e08b 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+@@ -37,7 +37,7 @@ references:
+ cis@ubuntu2004: 4.1.13
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000172,CCI-000366,CCI-002884
++ disa: CCI-000169,CCI-000172,CCI-000366,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+@@ -46,9 +46,10 @@ references:
+ nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.2.7
+- srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
+ stigid@ol7: OL07-00-030920
+ stigid@rhel7: RHEL-07-030920
++ stigid@rhel8: RHEL-08-030365
+ stigid@ubuntu2004: UBTU-20-010268
+ vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
+ 
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+index d793c73d87..08cc99133a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+@@ -57,9 +57,10 @@ references:
+ nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.2.4,Req-10.2.1
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
+ stigid@ol7: OL07-00-030500
+ stigid@rhel7: RHEL-07-030500
++ stigid@rhel8: RHEL-08-030470
+ stigid@sle12: SLES-12-020520
+ stigid@sle15: SLES-15-030160
+ stigid@ubuntu2004: UBTU-20-010158
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+index e8990ac8c0..e9b688b9b4 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+@@ -60,9 +60,10 @@ references:
+ nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.2.4,Req-10.2.1
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
+ stigid@ol7: OL07-00-030550
+ stigid@rhel7: RHEL-07-030550
++ stigid@rhel8: RHEL-08-030460
+ stigid@sle12: SLES-12-020510
+ stigid@sle15: SLES-15-030320
+ stigid@ubuntu2004: UBTU-20-010157
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+index 8324307284..6e24227007 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+@@ -60,9 +60,10 @@ references:
+ nist@sle15: AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),AU-3,AU-3.1,MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.2.4,Req-10.2.1
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
+ stigid@ol7: OL07-00-030510
+ stigid@rhel7: RHEL-07-030510
++ stigid@rhel8: RHEL-08-030440
+ stigid@sle12: SLES-12-020490
+ stigid@sle15: SLES-15-030150
+ stigid@ubuntu2004: UBTU-20-010155
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+index f83c285dd2..2b6008fce1 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+@@ -56,9 +56,10 @@ references:
+ nist@sle15: AU-3,AU-3.1,AU-12(c),AU-12.1(iv),AU-12(a),AU-12.1(ii),MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.2.4,Req-10.2.1
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
+ stigid@ol7: OL07-00-030530
+ stigid@rhel7: RHEL-07-030530
++ stigid@rhel8: RHEL-08-030450
+ stigid@sle12: SLES-12-020540
+ stigid@sle15: SLES-15-030180
+ stigid@ubuntu2004: UBTU-20-010160
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+index 15311727d6..308e3da789 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+@@ -60,9 +60,10 @@ references:
+ nist@sle15: AU-12(a),AU-12.1(ii),AU-12(c),AU-12.1(iv),AU-3,AU-3.1,MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.2.4,Req-10.2.1
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
+ stigid@ol7: OL07-00-030520
+ stigid@rhel7: RHEL-07-030520
++ stigid@rhel8: RHEL-08-030430
+ stigid@sle12: SLES-12-020530
+ stigid@sle15: SLES-15-030170
+ stigid@ubuntu2004: UBTU-20-010159
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+index 5d8e55087d..6ab8d28917 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+@@ -50,7 +50,7 @@ references:
+ cis@ubuntu2004: 4.1.10
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000172,CCI-002884
++ disa: CCI-000169,CCI-000172,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+@@ -59,9 +59,10 @@ references:
+ nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.2.4,Req-10.2.1
+- srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
+ stigid@ol7: OL07-00-030540
+ stigid@rhel7: RHEL-07-030540
++ stigid@rhel8: RHEL-08-030420
+ stigid@sle12: SLES-12-020500
+ stigid@sle15: SLES-15-030610
+ stigid@ubuntu2004: UBTU-20-010156
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+index 48d0b501a3..052d21b4f0 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+@@ -48,9 +48,10 @@ references:
+ nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.2.7
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+ stigid@ol7: OL07-00-030830
+ stigid@rhel7: RHEL-07-030830
++ stigid@rhel8: RHEL-08-030390
+ stigid@sle12: SLES-12-020730
+ stigid@sle15: SLES-15-030520
+ stigid@ubuntu2004: UBTU-20-010302
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+index 1457d423bf..aa17002321 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+@@ -47,9 +47,10 @@ references:
+ nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.2.7
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+ stigid@ol7: OL07-00-030821
+ stigid@rhel7: RHEL-07-030821
++ stigid@rhel8: RHEL-08-030380
+ stigid@sle12: SLES-12-020740
+ stigid@sle15: SLES-15-030530
+ stigid@ubuntu2004: UBTU-20-010180
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+index 53b9accfd8..1d8260432e 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+@@ -47,9 +47,10 @@ references:
+ nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.2.7
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+ stigid@ol7: OL07-00-030820
+ stigid@rhel7: RHEL-07-030820
++ stigid@rhel8: RHEL-08-030360
+ stigid@sle12: SLES-12-020750
+ stigid@sle15: SLES-15-030540
+ stigid@ubuntu2004: UBTU-20-010179
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+index f981f0143c..25f578b1f6 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+@@ -39,7 +39,7 @@ references:
+ cis@ubuntu2004: 4.1.7
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000126,CCI-000172,CCI-002884
++ disa: CCI-000126,CCI-000169,CCI-000172,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+@@ -48,7 +48,7 @@ references:
+ nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.2.3
+- srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000473-GPOS-00218,SRG-OS-000470-GPOS-00214
+ stigid@ol7: OL07-00-030620
+ stigid@rhel7: RHEL-07-030620
+ stigid@rhel8: RHEL-08-030600
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
+index 426f1debed..474910c4c8 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
+@@ -43,7 +43,7 @@ references:
+ cis@ubuntu2004: 4.1.11
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000135,CCI-000172,CCI-002884
++ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
+@@ -51,9 +51,10 @@ references:
+ nerc-cip: CIP-004-3 R2.2.2,CIP-004-3 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3
+ nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
+- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215
+ stigid@ol7: OL07-00-030660
+ stigid@rhel7: RHEL-07-030660
++ stigid@rhel8: RHEL-08-030250
+ stigid@sle12: SLES-12-020690
+ stigid@sle15: SLES-15-030120
+ stigid@ubuntu2004: UBTU-20-010175
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
+index a31dd7eddb..3ca968a543 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
+@@ -43,7 +43,7 @@ references:
+ cis@ubuntu2004: 4.1.11
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000130,CCI-000135,CCI-000172,CCI-002884
++ disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
+@@ -51,9 +51,10 @@ references:
+ nerc-cip: CIP-004-3 R2.2.2,CIP-004-3 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3
+ nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ stigid@ol7: OL07-00-030720
+ stigid@rhel7: RHEL-07-030720
++ stigid@rhel8: RHEL-08-030410
+ stigid@sle12: SLES-12-020580
+ stigid@sle15: SLES-15-030100
+ stigid@ubuntu2004: UBTU-20-010163
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
+index 6146418c75..7c5058c7f8 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
+@@ -43,16 +43,17 @@ references:
+ cis@ubuntu2004: 4.1.11
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000135,CCI-000172,CCI-002884
++ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
+ iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
+ nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
+- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ stigid@ol7: OL07-00-030800
+ stigid@rhel7: RHEL-07-030800
++ stigid@rhel8: RHEL-08-030400
+ stigid@sle12: SLES-12-020710
+ stigid@sle15: SLES-15-030130
+ stigid@ubuntu2004: UBTU-20-010177
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
+index a9f782bb64..0c7bf84268 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
+@@ -43,7 +43,7 @@ references:
+ cis@ubuntu2004: 4.1.11
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000135,CCI-000172,CCI-002884
++ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
+@@ -52,9 +52,10 @@ references:
+ nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a)
+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
+ ospp: FAU_GEN.1.1.c
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ stigid@ol7: OL07-00-030650
+ stigid@rhel7: RHEL-07-030650
++ stigid@rhel8: RHEL-08-030370
+ stigid@sle12: SLES-12-020560
+ stigid@sle15: SLES-15-030080
+ stigid@ubuntu2004: UBTU-20-010174
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
+index 168d5c51fc..851dd5aa3d 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
+@@ -28,13 +28,15 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
++ cce@rhel8: CCE-89455-0
+ cce@sle12: CCE-83207-1
+ cce@sle15: CCE-85591-6
+ 
+ references:
+ disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
+ nist: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv)AU-12(c),MA-4(1)(a)
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
++ stigid@rhel8: RHEL-08-030580
+ stigid@sle12: SLES-12-020360
+ stigid@sle15: SLES-15-030410
+ stigid@ubuntu2004: UBTU-20-010297
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
+index 01c7a7ea92..cc423c4146 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
+@@ -46,6 +46,7 @@ references:
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ stigid@ol7: OL07-00-030740
+ stigid@rhel7: RHEL-07-030740
++ stigid@rhel8: RHEL-08-030300
+ stigid@sle12: SLES-12-020290
+ stigid@sle15: SLES-15-030350
+ stigid@ubuntu2004: UBTU-20-010138
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
+index 53ee78dc10..edbb41f3d8 100644
+--- 
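Review bot: The unchanged `nist:` context line in the kmod hunk, `nist: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv)AU-12(c),MA-4(1)(a)`, is missing a comma between `AU-12.1(iv)` and `AU-12(c)`, so the built benchmark carries one malformed reference `AU-12.1(iv)AU-12(c)` instead of two valid ones; since this hunk already rewrites the neighbouring `srg:` line, it is the right moment to correct it to `nist: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),AU-12(c),MA-4(1)(a)`. The same hunk assigns `cce@rhel8: CCE-89455-0`, but the matching removal from `shared/references/cce-redhat-avail.txt` is not visible in this chunk; please confirm the patch drops that CCE from the available pool, otherwise it can be handed out a second time and the CCE uniqueness check will fail on a later rule.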
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml +@@ -43,7 +43,7 @@ references: + cis@ubuntu2004: 4.1.11 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 + cui: 3.1.7 +- disa: CCI-000130,CCI-000135,CCI-000172,CCI-002884 ++ disa: CCI-000130,CCI-000169,CCI-000135,CCI-000172,CCI-002884 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 + isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2' +@@ -52,9 +52,10 @@ references: + nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a) + nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1 + ospp: FAU_GEN.1.1.c +- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 ++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 + stigid@ol7: OL07-00-030710 + stigid@rhel7: RHEL-07-030710 ++ stigid@rhel8: RHEL-08-030350 + stigid@sle12: SLES-12-020570 + stigid@sle15: SLES-15-030090 + stigid@ubuntu2004: UBTU-20-010164 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml +index 5753e20e9e..f5a3a4be02 100644 +--- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml +@@ -50,16 +50,17 @@ references: + cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 + cui: 3.1.7 +- disa: CCI-000135,CCI-000172,CCI-002884 ++ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 + isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2' + iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2 + nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a) + nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1 +- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 ++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 + stigid@ol7: OL07-00-030810 + stigid@rhel7: RHEL-07-030810 ++ stigid@rhel8: RHEL-08-030340 + stigid@sle12: SLES-12-020720 + stigid@sle15: SLES-15-030510 + stigid@ubuntu2004: UBTU-20-010178 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml +index 6792cad002..06b5cfc4ae 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml +@@ -42,7 +42,7 @@ references: + cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 + cui: 3.1.7 +- disa: CCI-000135,CCI-000172,CCI-002884 ++ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 + isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2' +@@ -51,9 +51,10 @@ references: + nist: AC-2(4),AU-2(d),AU-12(c),AC-6(9),CM-6(a) + nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1 + ospp: FAU_GEN.1.1.c +- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 ++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 + stigid@ol7: OL07-00-030630 + stigid@rhel7: RHEL-07-030630 ++ stigid@rhel8: RHEL-08-030280 + stigid@sle12: SLES-12-020550 + stigid@sle15: SLES-15-030070 + stigid@ubuntu2004: UBTU-20-010172 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml +index 4080c66b8d..8f90c9c211 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml +@@ -41,16 +41,17 @@ references: + 
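Review bot: The new `++ stigid@rhel8: RHEL-08-030280` line in audit_rules_privileged_commands_passwd assigns the same RHEL 8 STIG ID that the audit_rules_privileged_commands_ssh_agent hunk further down also adds (`++ stigid@rhel8: RHEL-08-030280`), so two distinct rules now claim one STIG item. Every other privileged-command rule in this patch receives its own ID, which suggests one of the two is a copy-paste slip; check the RHEL 8 STIG for which command RHEL-08-030280 covers and correct the other rule's `stigid@rhel8` value. Both values are syntactically valid, so nothing in the build is likely to flag the collision.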
cis@ubuntu2004: 4.1.11
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000135,CCI-000172,CCI-002884
++ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
+ iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
+ nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
+- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ stigid@ol7: OL07-00-030760
+ stigid@rhel7: RHEL-07-030760
++ stigid@rhel8: RHEL-08-030311
+ vmmsrg: SRG-OS-000471-VMM-001910
+
+ ocil_clause: 'it is not the case'
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
+index 96308029f9..e913e83a0b 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
+@@ -41,16 +41,17 @@ references:
+ cis@ubuntu2004: 4.1.11
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000135,CCI-000172,CCI-002884
++ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
+ iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
+ nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
+- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ stigid@ol7: OL07-00-030770
+ stigid@rhel7: RHEL-07-030770
++ stigid@rhel8: RHEL-08-030312
+ vmmsrg: SRG-OS-000471-VMM-001910
+
+ ocil_clause: 'it is not the case'
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
+index b9f68d0712..f2ebca4550 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
+@@ -28,14 +28,16 @@ rationale: |-
+ severity: medium
+
+ identifiers:
++ cce@rhel8: CCE-85944-7
+ cce@sle12: CCE-83199-0
+ cce@sle15: CCE-85590-8
+
+ references:
+ cis@ubuntu2004: 4.1.11
+- disa: CCI-000130,CCI-000172
++ disa: CCI-000130,CCI-000169,CCI-000172
+ nist@sle12: AU-3,AU-3.1,AU-12(a),AU-12(c),AU-12.1(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ stigid@rhel8: RHEL-08-030280
+ stigid@sle12: SLES-12-020310
+ stigid@sle15: SLES-15-030370
+ stigid@ubuntu2004: UBTU-20-010140
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+index 8a042f7def..1bec9be61b 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+@@ -47,7 +47,7 @@ references:
+ cis@ubuntu2004: 4.1.11
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000135,CCI-000172,CCI-002884
++ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
+@@ -55,9 +55,10 @@ references:
+ nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
+ ospp: FAU_GEN.1.1.c
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ stigid@ol7: OL07-00-030780
+ stigid@rhel7: RHEL-07-030780
++ stigid@rhel8: RHEL-08-030320
+ stigid@sle12: SLES-12-020320
+ stigid@sle15: SLES-15-030060
+ stigid@ubuntu2004: UBTU-20-010141
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
+index fce851d8e4..99e09ab4e3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
+@@ -43,7 +43,7 @@ references:
+ cis@ubuntu2004: 4.1.11
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000130,CCI-000135,CCI-000172,CCI-002884
++ disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
+@@ -51,9 +51,10 @@ references:
+ nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
+ ospp: FAU_GEN.1.1.c
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-0003,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
+ stigid@ol7: OL07-00-030680
+ stigid@rhel7: RHEL-07-030680
++ stigid@rhel8: RHEL-08-030190
+ stigid@sle12: SLES-12-020250
+ stigid@sle15: SLES-15-030550
+ stigid@ubuntu2004: UBTU-20-010136
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+index 50f72b7d89..aac859c4b1 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+@@ -44,7 +44,7 @@ references:
+ cis@ubuntu2004: 4.1.11
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000130,CCI-000135,CCI-000172,CCI-002884
++ disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
+@@ -52,9 +52,10 @@ references:
+ nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
+ ospp: FAU_GEN.1.1.c
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ srg:
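Review bot: The new srg line for audit_rules_privileged_commands_su contains `SRG-OS-000064-GPOS-0003`, whose GPOS suffix has four digits where every other SRG identifier on the page has five, so a digit was dropped and the token will match nothing when STIG/SRG mappings are generated from it. Restore the full identifier after checking the SRG catalog (presumably a `-GPOS-0003x` value), since the intended requirement cannot be recovered from the diff alone. As a point of style, the same list places `SRG-OS-000466-GPOS-00210` after `SRG-OS-000471-GPOS-00215` while the rest of the list is ascending; the sudo and usermod hunks below have the same ordering.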
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
+ stigid@ol7: OL07-00-030690
+ stigid@rhel7: RHEL-07-030690
++ stigid@rhel8: RHEL-08-030550
+ stigid@sle12: SLES-12-020260
+ stigid@sle15: SLES-15-030560
+ stigid@ubuntu2004: UBTU-20-010161
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
+index 28fda0e782..061b5c28a7 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
+@@ -54,6 +54,7 @@ references:
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ stigid@ol7: OL07-00-030750
+ stigid@rhel7: RHEL-07-030750
++ stigid@rhel8: RHEL-08-030301
+ stigid@sle12: SLES-12-020300
+ stigid@sle15: SLES-15-030360
+ stigid@ubuntu2004: UBTU-20-010139
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+index f78b1972be..41a6123f5b 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+@@ -52,9 +52,10 @@ references:
+ nist: AC-2(4),AU-2(d),AU-3,AU-3.1,AU-12(a),AU-12(c),AU-12.1(ii),AU-12.1(iv),AC-6(9),CM-6(a),MA-4(1)(a)
+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
+ ospp: FAU_GEN.1.1.c
+- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215,SRG-OS-000037-GPOS-00015
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ stigid@ol7: OL07-00-030640
+ stigid@rhel7: RHEL-07-030640
++ stigid@rhel8: RHEL-08-030317
+ stigid@sle12: SLES-12-020680
+ stigid@sle15: SLES-15-030110
+ vmmsrg: SRG-OS-000471-VMM-001910
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
+index 13bddb000a..de8bab633a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
+@@ -40,7 +40,7 @@ references:
+ cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000135,CCI-000172,CCI-002884
++ disa: CCI-000135,CCI-000169,CCI-000172,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
+@@ -48,9 +48,10 @@ references:
+ nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
+ ospp: FAU_GEN.1.1.c
+- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ stigid@ol7: OL07-00-030670
+ stigid@rhel7: RHEL-07-030670
++ stigid@rhel8: RHEL-08-030315
+ vmmsrg: SRG-OS-000471-VMM-001910
+
+ ocil_clause: 'it is not the case'
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
+index b4c8a8f2cb..288d3c3bf2 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
+@@ -39,13 +39,15 @@ rationale: |-
+ severity: medium
+
+ identifiers:
++ cce@rhel8: CCE-86027-0
+ cce@sle12: CCE-83191-7
+ cce@sle15: CCE-85600-5
+
+ references:
+ disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
+ nist@sle12: AU-3,AU-12(a),AU-12(c),MA-4(1)(a)
+- srg: SRG-OS-000037-GPOS-00015
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210
++ stigid@rhel8: RHEL-08-030560
+ stigid@sle12: SLES-12-020700
+ stigid@sle15: SLES-15-030500
+ stigid@ubuntu2004: UBTU-20-010176
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
+index 6aab91b6d5..6818e5c7b8 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
+@@ -39,6 +39,7 @@ references:
+ cjis: 5.4.1.1
+ cobit5: APO01.06,APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.3.1,3.4.3
++ disa: CCI-000162
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.310(a)(2)(iv),164.312(d),164.310(d)(2)(iii),164.312(b),164.312(e)
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 6.1'
+@@ -46,4 +47,5 @@ references:
+ nist: AC-6(9),CM-6(a)
+ nist-csf: DE.AE-3,DE.AE-5,ID.SC-4,PR.AC-4,PR.DS-5,PR.PT-1,RS.AN-1,RS.AN-4
+ pcidss: Req-10.5.2
++ srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
+ stigid@rhel8: RHEL-08-030121
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
+index 7dd945ae83..298aec87f3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
+@@ -38,7 +38,7 @@ references:
+ cjis: 5.4.1.1
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000135,CCI-002884
++ disa: CCI-000135,CCI-000169,CCI-002884
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+@@ -46,9 +46,10 @@ references:
+ nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
+ nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
+ pcidss: Req-10.2.7
+- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ stigid@ol7: OL07-00-030740
+ stigid@rhel7: RHEL-07-030740
++ stigid@rhel8: RHEL-08-030302
+ stigid@sle12: SLES-12-020290
+
+ ocil_clause: 'there is no output'
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
+index 52c7bd2aef..12bca676d8 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
+@@ -47,7 +47,7 @@ references:
+ nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.2.2,Req-10.2.5.b
+- srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,CCI-002884,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
+ stigid@ol7: OL07-00-030700
+ stigid@rhel7: RHEL-07-030700
+ stigid@rhel8: RHEL-08-030172
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+index a91d14e967..11c8f823c3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+@@ -43,7 +43,7 @@ references:
+ cjis: 5.4.1.1
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cui: 3.1.7
+- disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
++ disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+@@ -53,7 +53,7 @@ references:
+ nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
+ ospp: FAU_GEN.1.1.c
+ pcidss: Req-10.2.5
+- srg: SRG-OS-000004-GPOS-00004
++ srg:
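Review bot: The new srg line for audit_rules_sysadmin_actions carries `CCI-002884` in the middle of the SRG list and lists `SRG-OS-000304-GPOS-00121` twice. CCI identifiers belong in the `disa:` field, so that token should move there (or be dropped if the rule's disa line, which is outside this hunk, already has it), and the duplicate SRG removed; as written the reference table will emit a CCI where an SRG is expected. The same duplicated `SRG-OS-000304-GPOS-00121` appears in the new srg lines of audit_rules_usergroup_modification_group, _gshadow, _opasswd, _passwd and _shadow below, and the stray `CCI-002884` also in the _group hunk, so those lists need the same clean-up.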
SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,CCI-002884,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221 + stigid@ol7: OL07-00-030871 + stigid@rhel7: RHEL-07-030871 + stigid@rhel8: RHEL-08-030170 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml +index 90b98863c1..8ccf265de6 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml +@@ -43,7 +43,7 @@ references: + cjis: 5.4.1.1 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 + cui: 3.1.7 +- disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132 ++ disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 
2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' +@@ -53,7 +53,7 @@ references: + nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4 + ospp: FAU_GEN.1.1.c + pcidss: Req-10.2.5 +- srg: SRG-OS-000004-GPOS-00004 ++ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221 + stigid@ol7: OL07-00-030872 + stigid@rhel7: RHEL-07-030872 + stigid@rhel8: RHEL-08-030160 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml +index 05e12170e4..b8e99f216a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml +@@ -43,7 +43,7 @@ references: + cjis: 5.4.1.1 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 + cui: 3.1.7 +- disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132 ++ disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132 + hipaa: 
164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' +@@ -54,7 +54,7 @@ references: + nist@sle15: AC-2(4).1(i&ii),AU-12.1(iv) + ospp: FAU_GEN.1.1.c + pcidss: Req-10.2.5 +- srg: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000463-GPOS-00207,SRG-OS-000476-GPOS-00221 ++ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000476-GPOS-00221,SRG-OS-000463-GPOS-00207 + stigid@ol7: OL07-00-030874 + stigid@rhel7: RHEL-07-030874 + stigid@rhel8: RHEL-08-030140 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml +index 88ef5606a7..aae128fee9 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml +@@ -43,7 +43,7 @@ references: + cjis: 5.4.1.1 + cobit5: 
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 + cui: 3.1.7 +- disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132 ++ disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' +@@ -53,7 +53,7 @@ references: + nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4 + ospp: FAU_GEN.1.1.c + pcidss: Req-10.2.5 +- srg: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000276-GPOS-00106,SRG-OS-000277-GPOS-00107,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221 ++ srg: 
SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000276-GPOS-00106,SRG-OS-000277-GPOS-00107 + stigid@ol7: OL07-00-030870 + stigid@rhel7: RHEL-07-030870 + stigid@rhel8: RHEL-08-030150 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml +index 6d084343c9..d6cede0d34 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml +@@ -43,7 +43,7 @@ references: + cjis: 5.4.1.1 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 + cui: 3.1.7 +- disa: CCI-000018,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132 ++ disa: CCI-000018,CCI-000169,CCI-000172,CCI-001403,CCI-001404,CCI-001405,CCI-001683,CCI-001684,CCI-001685,CCI-001686,CCI-002130,CCI-002132 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + 
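Review bot: The new `srg:` line for audit_rules_usergroup_modification_passwd lists SRG-OS-000304-GPOS-00121 twice (once after SRG-OS-000062-GPOS-00031 and again after SRG-OS-000303-GPOS-00120); drop the second occurrence so the reference list stays canonical and de-duplicated. The same doubled entry appears in the rewritten `srg:` lines of the opasswd and shadow rules earlier and later in this patch, so it looks like a copy-paste of one template list rather than an intentional mapping; if it was generated from a STIG spreadsheet, fixing the generator is the better fix.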
isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' +@@ -53,7 +53,7 @@ references: + nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4 + ospp: FAU_GEN.1.1.c + pcidss: Req-10.2.5 +- srg: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221 ++ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221 + stigid@ol7: OL07-00-030873 + stigid@rhel7: RHEL-07-030873 + stigid@rhel8: RHEL-08-030130 +diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +index f1b2bb78fb..733172861a 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml ++++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +@@ -46,7 +46,7 @@ references: + nist: AC-17(1),AU-14(1),AU-10,CM-6(a),IR-5(1) + nist-csf: DE.AE-3,DE.AE-5,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4 + pcidss: Req-10.3 +- srg: SRG-OS-000254-GPOS-00095,SRG-OS-000062-GPOS-00031 ++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000473-GPOS-00218,SRG-OS-000254-GPOS-00095 + stigid@rhel8: RHEL-08-030601 + stigid@ubuntu2004: UBTU-20-010198 + vmmsrg: SRG-OS-000254-VMM-000880 +diff --git 
a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml +index aa22da90c3..261dc1849e 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml +@@ -35,9 +35,10 @@ identifiers: + cce@rhel9: CCE-83673-4 + + references: ++ disa: CCI-000162 + nist: AU-2(a) + ospp: FAU_GEN.1.1.c +- srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220 ++ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029 + stigid@rhel8: RHEL-08-030122 + + ocil_clause: 'the file does not exist or the content differs' +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 3cbb4796ac..469c7dff5e 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -846,7 +846,7 @@ selections: + + # RHEL-08-030590 + # This one needs to be updated to use /var/log/faillock, but first RHEL-08-020017 should be +- # implemented as it is the one that configures a different patch for the events of failing locks ++ # implemented as it is the one that configures a different path for the events of failing locks + # - audit_rules_login_events_faillock + + # RHEL-08-030600 +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 1d54e8ec15..dcb1e675bd 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -74,7 +74,6 @@ CCE-85940-5 + CCE-85941-3 + CCE-85942-1 + CCE-85943-9 +-CCE-85944-7 + CCE-85945-4 + CCE-85946-2 + CCE-85947-0 +@@ -154,7 +153,6 @@ CCE-86023-9 + CCE-86024-7 + CCE-86025-4 + CCE-86026-2 +-CCE-86027-0 + CCE-86028-8 + CCE-86029-6 + CCE-86030-4 +@@ -2522,7 +2520,6 @@ CCE-88433-8 + CCE-88434-6 + CCE-88435-3 + CCE-88436-1 +-CCE-88437-9 + 
CCE-88438-7 + CCE-88439-5 + CCE-88440-3 +@@ -3515,7 +3512,6 @@ CCE-89442-8 + CCE-89443-6 + CCE-89444-4 + CCE-89445-1 +-CCE-89446-9 + CCE-89447-7 + CCE-89448-5 + CCE-89449-3 +@@ -3524,7 +3520,6 @@ CCE-89451-9 + CCE-89452-7 + CCE-89453-5 + CCE-89454-3 +-CCE-89455-0 + CCE-89456-8 + CCE-89457-6 + CCE-89458-4 + +From 1e6b51ceb3e8fb9e6406b5f0ba925120e19e719d Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 3 Aug 2021 11:44:57 +0200 +Subject: [PATCH 12/21] Define template data using product qualifiers instead + of macros. + +--- + .../audit_rules_privileged_commands_ssh_keysign/rule.yml | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml +index 1bec9be61b..5c39013572 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml +@@ -75,4 +75,6 @@ ocil: |- + template: + name: audit_rules_privileged_commands + vars: +- path: {{% if product in ["sle12", "sle15"] %}}/usr/lib/ssh/ssh-keysign{{% else %}}/usr/libexec/openssh/ssh-keysign{{% endif %}} ++ path: /usr/libexec/openssh/ssh-keysign ++ path@sle12: /usr/lib/ssh/ssh-keysign ++ path@sle15: /usr/lib/ssh/ssh-keysign + +From f8478dea74e99affff3f3b7b62d91ac509d71a8c Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 3 Aug 2021 12:01:18 +0200 +Subject: [PATCH 13/21] Add new STIG audit rule + audit_rules_privileged_commands_unix_update. 
+
+---
+ .../rule.yml | 53 +++++++++++++++++++
+ .../tests/ocp4/e2e.yml | 3 ++
+ products/rhel8/profiles/stig.profile | 2 +-
+ shared/references/cce-redhat-avail.txt | 2 -
+ 4 files changed, 57 insertions(+), 3 deletions(-)
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/rule.yml
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/tests/ocp4/e2e.yml
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/rule.yml
+new file mode 100644
+index 0000000000..7ef800da19
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/rule.yml
+@@ -0,0 +1,53 @@
++documentation_complete: true
++
++prodtype: rhel8,rhel9
++
++title: 'Ensure auditd Collects Information on the Use of Privileged Commands - unix_update'
++
++description: |-
++ At a minimum, the audit system should collect the execution of
++ privileged commands for all users and root. If the auditd daemon is
++ configured to use the augenrules program to read audit rules during
++ daemon startup (the default), add a line of the following form to a file with
++ suffix .rules in the directory /etc/audit/rules.d:
++
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++ If the auditd daemon is configured to use the auditctl
++ utility to read audit rules during daemon startup, add a line of the following
++ form to /etc/audit/audit.rules:
++
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
++rationale: |-
++ Misuse of privileged functions, either intentionally or unintentionally by
++ authorized users, or by unauthorized external entities that have compromised system accounts,
++ is a serious and ongoing concern and can have significant adverse impacts on organizations.
++ Auditing the use of privileged functions is one way to detect such misuse and identify
++ the risk from insider and advanced persistent threats.
++

++ Privileged programs are subject to escalation-of-privilege attacks,
++ which attempt to subvert their normal role of providing some necessary but
++ limited capability. As such, motivation exists to monitor these programs for
++ unusual activity.
++
++severity: medium
++
++identifiers:
++ cce@rhel8: CCE-89480-8
++ cce@rhel9: CCE-89481-6
++
++references:
++ disa: CCI-000169
++ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
++ stigid@rhel8: RHEL-08-030310
++
++ocil_clause: 'it is not the case'
++
++ocil: |-
++ To verify that auditing of privileged command use is configured, run the
++ following command:
++
$ sudo grep unix_update /etc/audit/audit.rules /etc/audit/rules.d/*
++ It should return a relevant line in the audit rules.
++
++template:
++ name: audit_rules_privileged_commands
++ vars:
++ path: /usr/sbin/unix_update
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/tests/ocp4/e2e.yml
+new file mode 100644
+index 0000000000..fd9b313e87
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_update/tests/ocp4/e2e.yml
+@@ -0,0 +1,3 @@
++---
++default_result: FAIL
++result_after_remediation: PASS
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index 469c7dff5e..2cece6a130 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -725,7 +725,7 @@ selections:
+ - audit_rules_media_export
+
+ # RHEL-08-030310
+- # missing rule
++ - audit_rules_privileged_commands_unix_update
+
+ # RHEL-08-030311
+ - audit_rules_privileged_commands_postdrop
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index dcb1e675bd..ac98344c73 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -3544,8 +3544,6 @@ CCE-89476-6
+ CCE-89477-4
+ CCE-89478-2
+ CCE-89479-0
+-CCE-89480-8
+-CCE-89481-6
+ CCE-89482-4
+ CCE-89483-2
+ CCE-89484-0
+
+From 1216eda0621bedfd60f189bbfd60e79f3b6f5411 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Tue, 3 Aug 2021 12:30:11 +0200
+Subject: [PATCH 14/21] Add two new rules to cover STIG req based on existing
+ rule.
+
+The rule used as basis is audit_rules_sysadmin_actions. This rules is
+used by many profiles and it didn't make sense to change its behavior,
+so two new rules were created to be used only by RHEL8 STIG.
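Review bot: The OCIL check `$ sudo grep unix_update /etc/audit/audit.rules /etc/audit/rules.d/*` matches any line that merely mentions unix_update, including a commented-out rule such as `#-a always,exit -F path=/usr/sbin/unix_update ...` or a stale rule with the wrong `-F perm=`, so a manual assessor can pass a host whose rule is disabled while the templated OVAL presumably fails it. A check that reflects what the kernel actually enforces would be `$ sudo auditctl -l | grep /usr/sbin/unix_update`; if the file-based form is preferred, anchor it as `grep -E '^\s*-a .*/usr/sbin/unix_update' /etc/audit/audit.rules /etc/audit/rules.d/*` so comments are excluded. `ocil_clause: 'it is not the case'` reads as a placeholder; `'the command does not return a line for /usr/sbin/unix_update'` tells the assessor what a finding looks like.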
+--- + .../audit_rules_sudoers/ansible/shared.yml | 39 +++++++++++++++++++ + .../audit_rules_sudoers/bash/shared.sh | 8 ++++ + .../audit_rules_sudoers/oval/shared.xml | 34 ++++++++++++++++ + .../audit_rules_sudoers/rule.yml | 39 +++++++++++++++++++ + .../audit_rules_sudoers/tests/correct.pass.sh | 3 ++ + .../audit_rules_sudoers/tests/empty.fail.sh | 4 ++ + .../tests/wrong_value.fail.sh | 4 ++ + .../audit_rules_sudoers_d/ansible/shared.yml | 39 +++++++++++++++++++ + .../audit_rules_sudoers_d/bash/shared.sh | 8 ++++ + .../audit_rules_sudoers_d/oval/shared.xml | 34 ++++++++++++++++ + .../audit_rules_sudoers_d/rule.yml | 39 +++++++++++++++++++ + .../tests/correct.pass.sh | 3 ++ + .../audit_rules_sudoers_d/tests/empty.fail.sh | 4 ++ + .../tests/missing_slash.fail.sh | 4 ++ + products/rhel8/profiles/stig.profile | 5 +-- + shared/references/cce-redhat-avail.txt | 4 -- + 16 files changed, 264 insertions(+), 7 deletions(-) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/ansible/shared.yml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/bash/shared.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/oval/shared.xml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/correct.pass.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/empty.fail.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/wrong_value.fail.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/ansible/shared.yml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/bash/shared.sh + create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/correct.pass.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/empty.fail.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/missing_slash.fail.sh
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/ansible/shared.yml
+new file mode 100644
+index 0000000000..12324a9f76
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/ansible/shared.yml
+@@ -0,0 +1,39 @@
++# platform = multi_platform_all
++# reboot = false
++# strategy = restrict
++# complexity = low
++# disruption = low
++
++# Inserts/replaces the rule in /etc/audit/rules.d
++
++- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions
++ find:
++ paths: "/etc/audit/rules.d"
++ recurse: no
++ contains: '^.*/etc/sudoers\s.*$'
++ patterns: "*.rules"
++ register: find_audit_sysadmin_actions
++
++- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule
++ set_fact:
++ all_sysadmin_actions_files:
++ - /etc/audit/rules.d/actions.rules
++ when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0
++
++- name: Use matched file as the recipient for the rule
++ set_fact:
++ all_sysadmin_actions_files:
++ - "{{ find_audit_sysadmin_actions.files | map(attribute='path') | list | first }}"
++ when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0
++
++- name: Inserts/replaces audit rule for /etc/sudoers rule in rules.d
++
lineinfile: ++ path: "{{ all_sysadmin_actions_files[0] }}" ++ line: '-w /etc/sudoers -p wa -k actions' ++ create: yes ++ ++- name: Inserts/replaces audit rule for /etc/sudoers in audit.rules ++ lineinfile: ++ path: /etc/audit/audit.rules ++ line: '-w /etc/sudoers -p wa -k actions' ++ create: yes +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/bash/shared.sh +new file mode 100644 +index 0000000000..a1392449b0 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/bash/shared.sh +@@ -0,0 +1,8 @@ ++# platform = multi_platform_all ++ ++# Include source function library. ++. /usr/share/scap-security-guide/remediation_functions ++ ++# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' ++fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions" ++fix_audit_watch_rule "augenrules" "/etc/sudoers" "wa" "actions" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/oval/shared.xml +new file mode 100644 +index 0000000000..96d1a91c1e +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/oval/shared.xml +@@ -0,0 +1,34 @@ ++ ++ ++ {{{ oval_metadata("Audit actions taken by system administrators on the system - /etc/sudoers.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml 
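Review bot: Both `lineinfile` tasks carry only `line:` and `create: yes` with no `regexp:`, so despite their "Inserts/replaces" names they never replace anything: a pre-existing watch on /etc/sudoers with another key or permission set (which the `find` task's `contains: '^.*/etc/sudoers\s.*$'` does locate) is left untouched and a second `-w /etc/sudoers -p wa -k actions` is appended, leaving two rules for the same path. Adding `regexp: '^\s*-w\s+/etc/sudoers\s+-p\s+\S+'` to each task makes the existing line get rewritten in place, which is what the task names promise and what the OVAL's key-agnostic `[-\w]+` match implies. The bash remediation in the same patch goes through `fix_audit_watch_rule` for both auditctl and augenrules, whereas this playbook edits /etc/audit/audit.rules unconditionally, a file the rule description itself says augenrules regenerates from rules.d; a one-line comment noting the second task is only meaningful on auditctl-mode hosts would save the next reader from wondering whether it is a bug.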
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
+new file mode 100644
+index 0000000000..f39bfa7e72
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml
+@@ -0,0 +1,39 @@
++documentation_complete: true
++
++prodtype: rhel8,rhel9
++
++title: 'Ensure auditd Collects System Administrator Actions - /etc/sudoers'
++
++description: |-
++ At a minimum, the audit system should collect administrator actions
++ for all users and root. If the auditd daemon is configured to use the
++ augenrules program to read audit rules during daemon startup (the default),
++ add the following line to a file with suffix .rules in the directory
++ /etc/audit/rules.d:
++
-w /etc/sudoers -p wa -k actions
++ If the auditd daemon is configured to use the auditctl
++ utility to read audit rules during daemon startup, add the following line to
++ /etc/audit/audit.rules file:
++
-w /etc/sudoers -p wa -k actions
++
++rationale: |-
++ The actions taken by system administrators should be audited to keep a record
++ of what was executed on the system, as well as, for accountability purposes.
++
++severity: medium
++
++identifiers:
++ cce@rhel8: CCE-90175-1
++ cce@rhel9: CCE-90176-9
++
++references:
++ disa: CCI-000169
++ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,CCI-002884,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
++ stigid@rhel8: RHEL-08-030171
++
++ocil_clause: 'there is not output'
++
++ocil: |-
++ To verify that auditing is configured for system administrator actions, run the following command:
++
$ sudo auditctl -l | grep "watch=/etc/sudoers\|-w /etc/sudoers\"
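Review bot: The OCIL command `$ sudo auditctl -l | grep "watch=/etc/sudoers\|-w /etc/sudoers\"` has a backslash immediately before the closing double quote, so the shell treats `\"` as a literal quote character and the string is never terminated; as printed the command cannot be run. It should be `$ sudo auditctl -l | grep "watch=/etc/sudoers \|-w /etc/sudoers "` (trailing space inside each alternative), mirroring the sudoers.d rule later in this patch and also preventing the pattern from matching `-w /etc/sudoers.d` lines, which the unanchored `-w /etc/sudoers` currently does, so a host watching only the directory would pass this manual check. In `references:`, `CCI-002884` sits inside the `srg:` list although it is a CCI, and SRG-OS-000304-GPOS-00121 appears twice; move it to `disa: CCI-000169,CCI-002884` and drop the duplicate. `ocil_clause: 'there is not output'` should read `'there is no output'`.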
++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/correct.pass.sh +new file mode 100644 +index 0000000000..27ff10cb23 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/correct.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++mkdir -p /etc/audit/rules.d/ ++echo "-w /etc/sudoers -p wa -k actions" >> /etc/audit/rules.d/actions.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/empty.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/empty.fail.sh +new file mode 100644 +index 0000000000..2776dabaa1 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/empty.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++rm -rf /etc/audit/rules.d/ ++mkdir -p /etc/audit/rules.d/ ++touch /etc/audit/audit.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/wrong_value.fail.sh +new file mode 100644 +index 0000000000..3d30475363 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/tests/wrong_value.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++mkdir -p /etc/audit/rules.d/ ++echo "-w /etc/sudo -p wa -k actions" >> /etc/audit/rules.d/actions.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/ansible/shared.yml +new file mode 100644 +index 0000000000..89e028ac2d +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/ansible/shared.yml +@@ -0,0 +1,39 @@ ++# platform = multi_platform_all ++# reboot = false ++# 
strategy = restrict
++# complexity = low
++# disruption = low
++
++# Inserts/replaces the rule in /etc/audit/rules.d
++
++- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions
++ find:
++ paths: "/etc/audit/rules.d"
++ recurse: no
++ contains: '^.*/etc/sudoers\.d/\s.*$'
++ patterns: "*.rules"
++ register: find_audit_sysadmin_actions
++
++- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule
++ set_fact:
++ all_sysadmin_actions_files:
++ - /etc/audit/rules.d/actions.rules
++ when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0
++
++- name: Use matched file as the recipient for the rule
++ set_fact:
++ all_sysadmin_actions_files:
++ - "{{ find_audit_sysadmin_actions.files | map(attribute='path') | list | first }}"
++ when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0
++
++- name: Inserts/replaces audit rule for /etc/sudoers.d/ rule in rules.d
++ lineinfile:
++ path: "{{ all_sysadmin_actions_files[0] }}"
++ line: '-w /etc/sudoers.d/ -p wa -k actions'
++ create: yes
++
++- name: Inserts/replaces audit rule for /etc/sudoers.d/ in audit.rules
++ lineinfile:
++ path: /etc/audit/audit.rules
++ line: '-w /etc/sudoers.d/ -p wa -k actions'
++ create: yes
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/bash/shared.sh
+new file mode 100644
+index 0000000000..9a6292d21d
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/bash/shared.sh
+@@ -0,0 +1,8 @@
++# platform = multi_platform_all
++
++# Include source function library.
++.
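Review bot: As in the sibling /etc/sudoers playbook, the two `lineinfile` tasks have no `regexp:`, so an existing `/etc/sudoers.d/` watch that uses another key is kept and a duplicate `-w /etc/sudoers.d/ -p wa -k actions` is appended rather than replaced; `regexp: '^\s*-w\s+/etc/sudoers\.d/?\s+-p\s+\S+'` on both tasks fixes that. The `find` filter `contains: '^.*/etc/sudoers\.d/\s.*$'` only recognises files whose existing rule already carries the trailing slash, so a slash-less `-w /etc/sudoers.d -p wa` rule is neither found nor rewritten and the new line lands in actions.rules next to it; if the slash is required by the OVAL, say so in the header comment, otherwise make it optional here as well.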
/usr/share/scap-security-guide/remediation_functions ++ ++# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' ++fix_audit_watch_rule "auditctl" "/etc/sudoers.d/" "wa" "actions" ++fix_audit_watch_rule "augenrules" "/etc/sudoers.d/" "wa" "actions" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml +new file mode 100644 +index 0000000000..c171851647 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml +@@ -0,0 +1,34 @@ ++ ++ ++ {{{ oval_metadata("Audit actions taken by system administrators on the system - /etc/sudoers.d/.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml +new file mode 100644 +index 0000000000..d4a35a7996 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml +@@ -0,0 +1,39 @@ ++documentation_complete: true ++ ++prodtype: rhel8,rhel9 ++ ++title: 'Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/' ++ ++description: |- ++ At a minimum, the audit system should collect administrator actions ++ for all users and root. 
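Review bot: Both patterns require the watched path to be spelled exactly `/etc/sudoers.d/` with the trailing slash (`^\-w[\s]+/etc/sudoers\.d/[\s]+`), and tests/missing_slash.fail.sh in this patch codifies that `-w /etc/sudoers.d -p wa -k actions` must fail. If auditctl treats the two spellings as the same directory watch, which it appears to and which the rule's own OCIL assumes by grepping for `/etc/sudoers.d` without the slash, then a functionally equivalent rule is reported as a finding over a purely cosmetic difference. Either relax the regex to `/etc/sudoers\.d/?[\s]+` and turn missing_slash.fail.sh into a pass test so the OVAL agrees with the OCIL, or, if the slash really is mandated by the STIG check text, add an XML comment next to the pattern saying so, so the next maintainer does not "fix" it. The XML element tags were stripped from this hunk on the page, so only the pattern text could be reviewed here.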
If the auditd daemon is configured to use the
++ augenrules program to read audit rules during daemon startup (the default),
++ add the following line to a file with suffix .rules in the directory
++ /etc/audit/rules.d:
++
-w /etc/sudoers.d/ -p wa -k actions
++ If the auditd daemon is configured to use the auditctl
++ utility to read audit rules during daemon startup, add the following line to
++ /etc/audit/audit.rules file:
++
-w /etc/sudoers.d/ -p wa -k actions
++
++rationale: |-
++ The actions taken by system administrators should be audited to keep a record
++ of what was executed on the system, as well as, for accountability purposes.
++
++severity: medium
++
++identifiers:
++ cce@rhel8: CCE-89497-2
++ cce@rhel9: CCE-89498-0
++
++references:
++ disa: CCI-000169
++ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,CCI-002884,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221
++ stigid@rhel8: RHEL-08-030172
++
++ocil_clause: 'there is not output'
++
++ocil: |-
++ To verify that auditing is configured for system administrator actions, run the following command:
++
$ sudo auditctl -l | grep "watch=/etc/sudoers.d\|-w /etc/sudoers.d"
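Review bot: `CCI-002884` is placed inside the `srg:` list although it is a CCI identifier, and SRG-OS-000304-GPOS-00121 is listed twice in the same line; move the CCI to `disa: CCI-000169,CCI-002884` and drop the duplicate so the mapping matches the other rules in this family. `ocil_clause: 'there is not output'` should read `'there is no output'`. The OCIL grep `"watch=/etc/sudoers.d\|-w /etc/sudoers.d"` leaves the dot unescaped; harmless in practice, but `sudoers\.d` is what is meant and keeps it consistent with the OVAL regex in the same patch.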
++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/correct.pass.sh +new file mode 100644 +index 0000000000..a1259a6e66 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/correct.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++mkdir -p /etc/audit/rules.d/ ++echo "-w /etc/sudoers.d/ -p wa -k actions" >> /etc/audit/rules.d/actions.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/empty.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/empty.fail.sh +new file mode 100644 +index 0000000000..2776dabaa1 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/empty.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++rm -rf /etc/audit/rules.d/ ++mkdir -p /etc/audit/rules.d/ ++touch /etc/audit/audit.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/missing_slash.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/missing_slash.fail.sh +new file mode 100644 +index 0000000000..dd96b1ec10 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/tests/missing_slash.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++mkdir -p /etc/audit/rules.d/ ++echo "-w /etc/sudoers.d -p wa -k actions" >> /etc/audit/rules.d/actions.rules +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 2cece6a130..965068a691 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -673,11 +673,10 @@ selections: + - audit_rules_usergroup_modification_group + + # RHEL-08-030171 +- # should be split +- # - audit_rules_sysadmin_actions ++ - audit_rules_sudoers + + # RHEL-08-030172 +- 
- audit_rules_sysadmin_actions ++ - audit_rules_sudoers_d + + # RHEL-08-030180 + - package_audit_installed +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index ac98344c73..001262c6ee 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -3559,8 +3559,6 @@ CCE-89493-1 + CCE-89494-9 + CCE-89495-6 + CCE-89496-4 +-CCE-89497-2 +-CCE-89498-0 + CCE-89499-8 + CCE-89500-3 + CCE-89501-1 +@@ -4228,8 +4226,6 @@ CCE-90170-2 + CCE-90172-8 + CCE-90173-6 + CCE-90174-4 +-CCE-90175-1 +-CCE-90176-9 + CCE-90177-7 + CCE-90178-5 + CCE-90179-3 + +From 2db69d93f8616c9d39897a44994ccdfc30fafb65 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 3 Aug 2021 16:15:14 +0200 +Subject: [PATCH 15/21] Update RHEL8 STIG profiles stability test data. + +--- + .../data/profile_stability/rhel8/stig.profile | 64 +++++++++++++++++++ + .../profile_stability/rhel8/stig_gui.profile | 64 +++++++++++++++++++ + 2 files changed, 128 insertions(+) + +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index fcae79f6d8..d7e2f71376 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -66,7 +66,71 @@ selections: + - aide_scan_notification + - aide_verify_acls + - aide_verify_ext_attributes ++- audit_immutable_login_uids ++- audit_rules_dac_modification_chmod ++- audit_rules_dac_modification_chown ++- audit_rules_dac_modification_fchmod ++- audit_rules_dac_modification_fchmodat ++- audit_rules_dac_modification_fchown ++- audit_rules_dac_modification_fchownat ++- audit_rules_dac_modification_fremovexattr ++- audit_rules_dac_modification_fsetxattr ++- audit_rules_dac_modification_lchown ++- audit_rules_dac_modification_lremovexattr ++- audit_rules_dac_modification_lsetxattr ++- audit_rules_dac_modification_removexattr ++- audit_rules_dac_modification_setxattr ++- 
audit_rules_execution_chacl ++- audit_rules_execution_chcon ++- audit_rules_execution_semanage ++- audit_rules_execution_setfacl ++- audit_rules_execution_setfiles ++- audit_rules_execution_setsebool ++- audit_rules_file_deletion_events_rename ++- audit_rules_file_deletion_events_renameat ++- audit_rules_file_deletion_events_rmdir ++- audit_rules_file_deletion_events_unlink ++- audit_rules_file_deletion_events_unlinkat ++- audit_rules_immutable ++- audit_rules_kernel_module_loading_delete ++- audit_rules_kernel_module_loading_finit ++- audit_rules_kernel_module_loading_init ++- audit_rules_login_events_lastlog ++- audit_rules_media_export ++- audit_rules_privileged_commands_chage ++- audit_rules_privileged_commands_chsh ++- audit_rules_privileged_commands_crontab ++- audit_rules_privileged_commands_gpasswd ++- audit_rules_privileged_commands_kmod ++- audit_rules_privileged_commands_mount ++- audit_rules_privileged_commands_newgrp ++- audit_rules_privileged_commands_pam_timestamp_check ++- audit_rules_privileged_commands_passwd ++- audit_rules_privileged_commands_postdrop ++- audit_rules_privileged_commands_postqueue ++- audit_rules_privileged_commands_ssh_agent ++- audit_rules_privileged_commands_ssh_keysign ++- audit_rules_privileged_commands_su ++- audit_rules_privileged_commands_sudo ++- audit_rules_privileged_commands_umount ++- audit_rules_privileged_commands_unix_chkpwd ++- audit_rules_privileged_commands_unix_update ++- audit_rules_privileged_commands_userhelper ++- audit_rules_privileged_commands_usermod ++- audit_rules_sudoers ++- audit_rules_sudoers_d + - audit_rules_suid_privilege_function ++- audit_rules_unsuccessful_file_modification_creat ++- audit_rules_unsuccessful_file_modification_ftruncate ++- audit_rules_unsuccessful_file_modification_open ++- audit_rules_unsuccessful_file_modification_open_by_handle_at ++- audit_rules_unsuccessful_file_modification_openat ++- audit_rules_unsuccessful_file_modification_truncate ++- 
audit_rules_usergroup_modification_group ++- audit_rules_usergroup_modification_gshadow ++- audit_rules_usergroup_modification_opasswd ++- audit_rules_usergroup_modification_passwd ++- audit_rules_usergroup_modification_shadow + - auditd_audispd_configure_sufficiently_large_partition + - auditd_data_disk_error_action + - auditd_data_disk_full_action +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index 2bbd1881f5..7c95e31545 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -77,7 +77,71 @@ selections: + - aide_scan_notification + - aide_verify_acls + - aide_verify_ext_attributes ++- audit_immutable_login_uids ++- audit_rules_dac_modification_chmod ++- audit_rules_dac_modification_chown ++- audit_rules_dac_modification_fchmod ++- audit_rules_dac_modification_fchmodat ++- audit_rules_dac_modification_fchown ++- audit_rules_dac_modification_fchownat ++- audit_rules_dac_modification_fremovexattr ++- audit_rules_dac_modification_fsetxattr ++- audit_rules_dac_modification_lchown ++- audit_rules_dac_modification_lremovexattr ++- audit_rules_dac_modification_lsetxattr ++- audit_rules_dac_modification_removexattr ++- audit_rules_dac_modification_setxattr ++- audit_rules_execution_chacl ++- audit_rules_execution_chcon ++- audit_rules_execution_semanage ++- audit_rules_execution_setfacl ++- audit_rules_execution_setfiles ++- audit_rules_execution_setsebool ++- audit_rules_file_deletion_events_rename ++- audit_rules_file_deletion_events_renameat ++- audit_rules_file_deletion_events_rmdir ++- audit_rules_file_deletion_events_unlink ++- audit_rules_file_deletion_events_unlinkat ++- audit_rules_immutable ++- audit_rules_kernel_module_loading_delete ++- audit_rules_kernel_module_loading_finit ++- audit_rules_kernel_module_loading_init ++- audit_rules_login_events_lastlog ++- audit_rules_media_export ++- 
audit_rules_privileged_commands_chage
++- audit_rules_privileged_commands_chsh
++- audit_rules_privileged_commands_crontab
++- audit_rules_privileged_commands_gpasswd
++- audit_rules_privileged_commands_kmod
++- audit_rules_privileged_commands_mount
++- audit_rules_privileged_commands_newgrp
++- audit_rules_privileged_commands_pam_timestamp_check
++- audit_rules_privileged_commands_passwd
++- audit_rules_privileged_commands_postdrop
++- audit_rules_privileged_commands_postqueue
++- audit_rules_privileged_commands_ssh_agent
++- audit_rules_privileged_commands_ssh_keysign
++- audit_rules_privileged_commands_su
++- audit_rules_privileged_commands_sudo
++- audit_rules_privileged_commands_umount
++- audit_rules_privileged_commands_unix_chkpwd
++- audit_rules_privileged_commands_unix_update
++- audit_rules_privileged_commands_userhelper
++- audit_rules_privileged_commands_usermod
++- audit_rules_sudoers
++- audit_rules_sudoers_d
+ - audit_rules_suid_privilege_function
++- audit_rules_unsuccessful_file_modification_creat
++- audit_rules_unsuccessful_file_modification_ftruncate
++- audit_rules_unsuccessful_file_modification_open
++- audit_rules_unsuccessful_file_modification_open_by_handle_at
++- audit_rules_unsuccessful_file_modification_openat
++- audit_rules_unsuccessful_file_modification_truncate
++- audit_rules_usergroup_modification_group
++- audit_rules_usergroup_modification_gshadow
++- audit_rules_usergroup_modification_opasswd
++- audit_rules_usergroup_modification_passwd
++- audit_rules_usergroup_modification_shadow
+ - auditd_audispd_configure_sufficiently_large_partition
+ - auditd_data_disk_error_action
+ - auditd_data_disk_full_action
+
+From 67d07b479750430ce78aa6f5b9326901ec4bc532 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Wed, 4 Aug 2021 14:32:46 +0200
+Subject: [PATCH 16/21] Fix RHEL8 STIG id of
+ audit_rules_privileged_commands_passwd.
+
+---
+ .../audit_rules_privileged_commands_passwd/rule.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
+index 06b5cfc4ae..60660a1314 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
+@@ -54,7 +54,7 @@ references:
+ srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
+ stigid@ol7: OL07-00-030630
+ stigid@rhel7: RHEL-07-030630
+- stigid@rhel8: RHEL-08-030280
++ stigid@rhel8: RHEL-08-030290
+ stigid@sle12: SLES-12-020550
+ stigid@sle15: SLES-15-030070
+ stigid@ubuntu2004: UBTU-20-010172
+
+From 9e11cb68aa68ec7d8dde7a9f5d9298bd3c74f9cb Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Wed, 4 Aug 2021 15:49:08 +0200
+Subject: [PATCH 17/21] Update audit rules description with regards to -F
+ perm=x parameter.
+
+---
+ .../audit_rules_execution_chacl/rule.yml | 6 ++---
+ .../audit_rules_execution_setfacl/rule.yml | 6 ++---
+ .../audit_rules_execution_chcon/rule.yml | 22 ++++++-------------
+ .../audit_rules_execution_semanage/rule.yml | 10 ++++++---
+ .../audit_rules_execution_setfiles/rule.yml | 10 ++++++---
+ .../audit_rules_execution_setsebool/rule.yml | 10 ++++++---
+ .../rule.yml | 8 +++++--
+ .../rule.yml | 8 +++++--
+ .../rule.yml | 8 +++++--
+ .../rule.yml | 8 +++++--
+ .../rule.yml | 15 ++++++++++---
+ .../rule.yml | 8 +++++--
+ .../rule.yml | 8 +++++--
+ .../rule.yml | 17 +++++++++-----
+ .../rule.yml | 8 +++++--
+ .../rule.yml | 8 +++++--
+ .../rule.yml | 8 +++++--
+ .../rule.yml | 18 ++++++++++-----
+ .../rule.yml | 8 +++++--
+ .../rule.yml | 8 +++++--
+ .../rule.yml | 8 +++++--
+ .../rule.yml | 8 +++++--
+ .../rule.yml | 8 +++++--
+ .../rule.yml | 13 +----------
+ .../ansible.template | 2 +-
+ .../bash.template | 2 +-
+ .../oval.template | 2 +-
+ 27 files changed, 157 insertions(+), 88 deletions(-)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
+index 0c71e4ac24..735817e4f0 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
+@@ -42,10 +42,10 @@ references:
+
+ ocil: |-
+ To verify that execution of the command is being audited, run the following command:
+- Configure the SUSE operating system to generate an audit record for all uses of the "chacl" command.
++ Configure the operating system to generate an audit record for all uses of the "chacl" command.
+ Add or update the following rules in the "/etc/audit/audit.rules" file:
+- -a always,exit -F arch=b32 path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
+- -a always,exit -F arch=b64 path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
++ -a always,exit -F arch=b32 path=/usr/bin/chacl -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++ -a always,exit -F arch=b64 path=/usr/bin/chacl -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ The audit daemon must be restarted for the changes to take effect.
+ # sudo systemctl restart auditd.service
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
+index 89c134a0fa..341790d7dd 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
+@@ -42,10 +42,10 @@ references:
+
+ ocil: |-
+ To verify that execution of the command is being audited, run the following command:
+- Configure the SUSE operating system to generate an audit record for all uses of the "setfacl" command.
++ Configure the operating system to generate an audit record for all uses of the "setfacl" command.
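Review bot: The rewritten ocil lines for chacl keep `path=/usr/bin/chacl` without a preceding `-F`, so an administrator pasting them into a rules file would most likely get an auditctl error rather than a working rule, while the sibling rules in this commit (chcon, semanage, setfiles, and the rest) write `-F path=`. The two `-F arch=b32`/`-F arch=b64` variants also differ from the single-line form those siblings document, so real grep output would not resemble the text shown here. I would collapse them to one line, `-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged`, and the same applies to the setfacl hunk that follows. The block also announces "run the following command" and then gives configuration steps instead of a command; that ordering is pre-existing, but this hunk is the place to straighten it out.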
+ Add or update the following rules in the "/etc/audit/audit.rules" file:
+- -a always,exit -F arch=b32 path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
+- -a always,exit -F arch=b64 path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
++ -a always,exit -F arch=b32 path=/usr/bin/setfacl -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++ -a always,exit -F arch=b64 path=/usr/bin/setfacl -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ The audit daemon must be restarted for the changes to take effect.
+ # sudo systemctl restart auditd.service
+
$ sudo grep "path=/usr/bin/setfacl" /etc/audit/audit.rules /etc/audit/rules.d/*
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
+index 0c6781c7d5..4a5f43376a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
+@@ -1,3 +1,7 @@
++{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
++ {{%- set perm_x="-F perm=x " %}}
++{{%- endif %}}
++
+ documentation_complete: true
+
+ prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+@@ -10,19 +14,11 @@ description: |-
+ daemon is configured to use the augenrules program to read audit rules
+ during daemon startup (the default), add the following lines to a file with suffix
+ .rules in the directory /etc/audit/rules.d:
+- {{% if product in ["sle12", "sle15"] %}}
+-
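Review bot: `perm_x` is assigned only inside the `if`, so for every product outside that list the later `{{{ perm_x }}}` expansions depend on an undefined variable rendering as an empty string; whether that is silent or a build failure depends on the Jinja environment's undefined handling, which this diff does not show. A single unconditional assignment, `{{%- set perm_x = "-F perm=x " if product in ["rhel8", "rhel9", "sle12", "sle15"] else "" %}}`, states the intent and behaves the same either way. The identical pattern is repeated in the semanage, setfiles, setsebool, chage, chsh, crontab, gpasswd, mount, newgrp, pam_timestamp_check and passwd hunks below. The trailing space inside the value is load-bearing, since the expansion is glued to the following `-F`; a comment such as `{{# keep the trailing space: perm_x is concatenated with "-F auid" #}}` would stop the next editor from stripping it.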
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+- {{% else %}} +-
-a always,exit -F path=/usr/bin/chcon -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+- {{% endif %}} ++
-a always,exit -F path=/usr/bin/chcon {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +- {{% if product in ["sle12", "sle15"] %}} +-
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+- {{% else %}} +-
-a always,exit -F path=/usr/bin/chcon -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+- {{% endif %}} ++
-a always,exit -F path=/usr/bin/chcon {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +@@ -73,11 +69,7 @@ ocil: |- + To verify that execution of the command is being audited, run the following command: +
$ sudo grep "path=/usr/bin/chcon" /etc/audit/audit.rules /etc/audit/rules.d/*
+ The output should return something similar to: +- {{% if product in ["sle12", "sle15"] %}} +-
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+- {{% else %}} +-
-a always,exit -F path=/usr/bin/chcon -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+- {{% endif %}} ++
-a always,exit -F path=/usr/bin/chcon {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + template: + name: audit_rules_privileged_commands +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml +index b609c3dfc2..a945ce16f8 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml +@@ -1,3 +1,7 @@ ++{{%- if product in ["rhel8", "rhel9"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,wrlinux1019 +@@ -10,11 +14,11 @@ description: |- + daemon is configured to use the augenrules program to read audit rules + during daemon startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F path=/usr/sbin/semanage -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/sbin/semanage {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +-
-a always,exit -F path=/usr/sbin/semanage -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/sbin/semanage {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +@@ -59,7 +63,7 @@ ocil: |- + To verify that execution of the command is being audited, run the following command: +
$ sudo grep "path=/usr/sbin/semanage" /etc/audit/audit.rules /etc/audit/rules.d/*
+ The output should return something similar to: +-
-a always,exit -F path=/usr/sbin/semanage -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/sbin/semanage {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + template: + name: audit_rules_privileged_commands +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml +index 9de7407f4c..6db7d1daca 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml +@@ -1,3 +1,7 @@ ++{{%- if product in ["rhel8", "rhel9"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4 +@@ -10,11 +14,11 @@ description: |- + daemon is configured to use the augenrules program to read audit rules + during daemon startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F path=/usr/sbin/setfiles -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/sbin/setfiles {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +-
-a always,exit -F path=/usr/sbin/setfiles -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/sbin/setfiles {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +@@ -49,7 +53,7 @@ ocil: |- + To verify that execution of the command is being audited, run the following command: +
$ sudo grep "path=/usr/sbin/setfiles" /etc/audit/audit.rules /etc/audit/rules.d/*
+ The output should return something similar to: +-
-a always,exit -F path=/usr/sbin/setfiles -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/sbin/setfiles {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + template: + name: audit_rules_privileged_commands +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml +index 23504bab4a..c357c48fe6 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml +@@ -1,3 +1,7 @@ ++{{%- if product in ["rhel8", "rhel9"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,wrlinux1019 +@@ -10,11 +14,11 @@ description: |- + daemon is configured to use the augenrules program to read audit rules + during daemon startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F path=/usr/sbin/setsebool -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/sbin/setsebool {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +-
-a always,exit -F path=/usr/sbin/setsebool -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/sbin/setsebool {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +@@ -58,7 +62,7 @@ ocil: |- + To verify that execution of the command is being audited, run the following command: +
$ sudo grep "path=/usr/sbin/setsebool" /etc/audit/audit.rules /etc/audit/rules.d/*
+ The output should return something similar to: +-
-a always,exit -F path=/usr/sbin/setsebool -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/sbin/setsebool {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + template: + name: audit_rules_privileged_commands +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml +index 474910c4c8..b5a9e29d2e 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml +@@ -1,3 +1,7 @@ ++{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +@@ -10,11 +14,11 @@ description: |- + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F path=/usr/bin/chage -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/chage {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +-
-a always,exit -F path=/usr/bin/chage -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/chage {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml +index 3ca968a543..8cc2b236a9 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml +@@ -1,3 +1,7 @@ ++{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +@@ -10,11 +14,11 @@ description: |- + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F path=/usr/bin/chsh -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/chsh {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +-
-a always,exit -F path=/usr/bin/chsh -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/chsh {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml +index 7c5058c7f8..86633fb606 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml +@@ -1,3 +1,7 @@ ++{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +@@ -10,11 +14,11 @@ description: |- + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F path=/usr/bin/crontab -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/crontab {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +-
-a always,exit -F path=/usr/bin/crontab -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/crontab {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml +index 0c7bf84268..ac5bfb2cc5 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml +@@ -1,3 +1,7 @@ ++{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +@@ -10,11 +14,11 @@ description: |- + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F path=/usr/bin/gpasswd -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/gpasswd {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +-
-a always,exit -F path=/usr/bin/gpasswd -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/gpasswd {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml +index 851dd5aa3d..b469e42bbb 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml +@@ -1,3 +1,11 @@ ++{{%- if product in ["rhel8"] %}} ++ {{%- set kmod_audit="-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" %}} ++{{%- elif product in ["ubuntu2004"] %}} ++ {{%- set kmod_audit="-w /bin/kmod -p x -k modules" %}} ++{{%- else %}} ++ {{%- set kmod_audit="-w /usr/bin/kmod -p x -k modules" %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: rhel8,sle12,sle15,ubuntu2004 +@@ -10,11 +18,11 @@ description: |- + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +-
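Review bot: The rhel8 branch of `kmod_audit` hard-codes `-F auid>=1000`, whereas every other rule touched by this commit parameterises the threshold as `{{{ auid }}}`; if the product's auid value is ever changed, the documented rule and the presumably template-generated remediation would quietly disagree. I would write `-F auid>={{{ auid }}}` in that string to match the rest. The ocil in a later hunk of this file also greps only `/etc/audit/audit.rules`, while the sibling rules check `/etc/audit/audit.rules /etc/audit/rules.d/*`; a rule added under rules.d but not yet merged by augenrules would be reported as missing by the documented check, so the same two-path grep would be more consistent.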
-w /usr/bin/kmod -p x -k modules
++
{{{ kmod_audit }}}
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +-
-w /usr/bin/kmod -p x -k modules
++
{{{ kmod_audit }}}
+ + rationale: |- + Without generating audit records that are specific to the security and +@@ -48,7 +56,7 @@ ocil: |- + following command: + +
# sudo grep kmod /etc/audit/audit.rules
+-    -w /usr/bin/kmod -p x -k modules
++ {{{ kmod_audit }}} + + If the system is configured to audit the execution of the module management + program "kmod", the command will return a line. If the command does not +@@ -60,3 +68,4 @@ template: + name: audit_rules_privileged_commands + vars: + path: /usr/bin/kmod ++ path@ubuntu2004: /bin/kmod +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml +index cc423c4146..56bd72b670 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml +@@ -1,3 +1,7 @@ ++{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004 +@@ -10,11 +14,11 @@ description: |- + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F path=/usr/bin/mount -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/mount {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +-
-a always,exit -F path=/usr/bin/mount -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/mount {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml +index edbb41f3d8..4c14ea509c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml +@@ -1,3 +1,7 @@ ++{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 +@@ -10,11 +14,11 @@ description: |- + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F path=/usr/bin/newgrp -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/newgrp {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +-
-a always,exit -F path=/usr/bin/newgrp -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/newgrp {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml +index f5a3a4be02..c34eeb54c4 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml +@@ -1,8 +1,7 @@ +-documentation_complete: true + +-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +- +-title: 'Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check' ++{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} + + {{% if product in ["sle12", "sle15"] %}} + {{% set pam_bin_path = "/sbin/pam_timestamp_check" %}} +@@ -10,6 +9,12 @@ title: 'Ensure auditd Collects Information on the Use of Privileged Commands - p + {{% set pam_bin_path = "/usr/sbin/pam_timestamp_check" %}} + {{% endif %}} + ++documentation_complete: true ++ ++prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 ++ ++title: 'Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check' ++ + description: |- + At a minimum, the audit system should collect the execution of + privileged commands for all users and root. If the auditd daemon is +@@ -17,12 +22,12 @@ description: |- + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path={{{ pam_bin_path }}}
+-    -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++ {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +
-a always,exit -F path={{{ pam_bin_path }}}
+-    -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++ {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged + + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml +index 60660a1314..2af86f5042 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml +@@ -1,3 +1,7 @@ ++{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +@@ -10,11 +14,11 @@ description: |- + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +-
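Review bot: For any product outside `["rhel8", "rhel9", "sle12", "sle15"]` the name `perm_x` is never assigned, so the `{{{ perm_x }}}` now inserted into both description rule lines relies on the template engine rendering an undefined name as an empty string; the three `audit_rules_privileged_commands` templates later in this patch use the same idiom, so it is presumably accepted, but an explicit `{{%- else %}}{{%- set perm_x="" %}}` in the top-of-file block would make that contract visible and survive a future strict-undefined setting. The same product list is repeated verbatim in the passwd, ssh_keysign, su, sudo, umount and unix_chkpwd files and in the ansible, bash and oval templates, while postdrop, postqueue and userhelper carry the shorter `["rhel8", "rhel9"]` — consistent with their prodtype lacking sle, but one shared macro would keep the lists from drifting when the next product is added. Moving `documentation_complete`, `prodtype` and `title` below the Jinja blocks in the first two hunks is fine as long as the build's key extraction is not positional; worth a quick check since this file is the only one in the series that reorders them.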
-a always,exit -F path=/usr/bin/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/passwd {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +-
-a always,exit -F path=/usr/bin/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/passwd {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml +index 8f90c9c211..9509216e8f 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml +@@ -1,3 +1,7 @@ ++{{%- if product in ["rhel8", "rhel9"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,ubuntu2004,wrlinux1019 +@@ -10,11 +14,11 @@ description: |- + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F path=/usr/sbin/postdrop -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/sbin/postdrop {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +-
-a always,exit -F path=/usr/sbin/postdrop -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/sbin/postdrop {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml +index e913e83a0b..c5d1a82cc7 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml +@@ -1,3 +1,7 @@ ++{{%- if product in ["rhel8", "rhel9"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,ubuntu2004,wrlinux1019 +@@ -10,11 +14,11 @@ description: |- + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F path=/usr/sbin/postqueue -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/sbin/postqueue {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +-
-a always,exit -F path=/usr/sbin/postqueue -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/sbin/postqueue {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml +index 5c39013572..604cbcda85 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml +@@ -1,3 +1,13 @@ ++{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ ++{{%- if product in ["sle12", "sle15"] %}} ++ {{%- set ssh_keysign_path="/usr/lib/ssh/ssh-keysign" %}} ++{{%- else %}} ++ {{%- set ssh_keysign_path="/usr/libexec/openssh/ssh-keysign" %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +@@ -10,15 +20,11 @@ description: |- + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F path={{% if product in ["sle12", "sle15"] %}}/usr/lib/ssh/ssh-keysign
+-    {{% else %}}/usr/libexec/openssh/ssh-keysign{{% endif %}} -F auid>={{{ auid }}} 
+-    -F auid!=unset -F key=privileged
++
-a always,exit -F path={{{ ssh_keysign_path }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +-
-a always,exit -F path={{% if product in ["sle12", "sle15"] %}}/usr/lib/ssh/ssh-keysign
+-    {{% else %}}/usr/libexec/openssh/ssh-keysign{{% endif %}}
+-    -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path={{{ ssh_keysign_path }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml +index 99e09ab4e3..87a81ee0c4 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml +@@ -1,3 +1,7 @@ ++{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +@@ -10,11 +14,11 @@ description: |- + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F path=/usr/bin/su -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/su {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +-
-a always,exit -F path=/usr/bin/su -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/su {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml +index aac859c4b1..e989091836 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml +@@ -1,3 +1,7 @@ ++{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +@@ -10,11 +14,11 @@ description: |- + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F path=/usr/bin/sudo -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/sudo {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +-
-a always,exit -F path=/usr/bin/sudo -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/sudo {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml +index 061b5c28a7..5d47508bb9 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml +@@ -1,3 +1,7 @@ ++{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +@@ -10,11 +14,11 @@ description: |- + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F path=/usr/bin/umount -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/umount {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +-
-a always,exit -F path=/usr/bin/umount -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/bin/umount {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml +index 41a6123f5b..5be7f486c6 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml +@@ -1,3 +1,7 @@ ++{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019 +@@ -10,11 +14,11 @@ description: |- + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/sbin/unix_chkpwd {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +-
-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/sbin/unix_chkpwd {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml +index de8bab633a..6dccc80692 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml +@@ -1,3 +1,7 @@ ++{{%- if product in ["rhel8", "rhel9"] %}} ++ {{%- set perm_x="-F perm=x " %}} ++{{%- endif %}} ++ + documentation_complete: true + + prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4 +@@ -10,11 +14,11 @@ description: |- + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +-
-a always,exit -F path=/usr/sbin/userhelper -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/sbin/userhelper {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +-
-a always,exit -F path=/usr/sbin/userhelper -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
++
-a always,exit -F path=/usr/sbin/userhelper {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+ + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml +index 288d3c3bf2..7089016151 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml +@@ -10,19 +10,11 @@ description: |- + configured to use the augenrules program to read audit rules during + daemon startup (the default), add a line of the following form to a file with + suffix .rules in the directory /etc/audit/rules.d: +- {{% if 'ubuntu' in product %}} +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+- {{% else %}} +-
-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+- {{% endif %}} + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add a line of the following + form to /etc/audit/audit.rules: +- {{% if 'ubuntu' in product %}} +
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+- {{% else %}} +-
-a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged
+- {{% endif %}} + + rationale: |- + Misuse of privileged functions, either intentionally or unintentionally by +@@ -63,7 +55,4 @@ ocil: |- + template: + name: audit_rules_privileged_commands + vars: +- path: /usr/bin/usermod +- path@ubuntu1604: /usr/sbin/usermod +- path@ubuntu1804: /usr/sbin/usermod +- path@ubuntu2004: /usr/sbin/usermod ++ path: /usr/sbin/usermod +diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template +index a245de6673..06154e10ce 100644 +--- a/shared/templates/audit_rules_privileged_commands/ansible.template ++++ b/shared/templates/audit_rules_privileged_commands/ansible.template +@@ -1,4 +1,4 @@ +-{{%- if product in ["rhel8", "sle12", "sle15"] %}} ++{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} + {{%- endif %}} + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template +index 2b3795674f..d03a92061c 100644 +--- a/shared/templates/audit_rules_privileged_commands/bash.template ++++ b/shared/templates/audit_rules_privileged_commands/bash.template +@@ -1,4 +1,4 @@ +-{{%- if product in ["rhel8", "sle12", "sle15"] %}} ++{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} + {{%- set perm_x="-F perm=x " %}} + {{%- endif %}} + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +diff --git a/shared/templates/audit_rules_privileged_commands/oval.template b/shared/templates/audit_rules_privileged_commands/oval.template +index 8e3919ca66..c3d396e2ff 100644 +--- a/shared/templates/audit_rules_privileged_commands/oval.template ++++ b/shared/templates/audit_rules_privileged_commands/oval.template +@@ -1,4 +1,4 @@ +-{{%- if product in ["rhel8", "sle12", "sle15"] %}} ++{{%- if product 
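Review bot: The usermod description now shows `-F perm=x` unconditionally in both rule lines (the kept ex-Ubuntu line at the top of the hunk), whereas every sibling rule in this series renders it through the product-gated `{{{ perm_x }}}`; for products outside the list that the bash/ansible templates set `perm_x` for (rhel8, rhel9, sle12, sle15 per the template hunks below), the remediation will emit a rule without `-F perm=x` while the documented text says it is there, and an auditor comparing the two will report a mismatch. Suggest the same top-of-file block the other rules gained and `{{{ perm_x }}}` in both lines, with the product list trimmed to this file's prodtype (not visible in this hunk). Collapsing the template var to a single `path: /usr/sbin/usermod` in the second hunk looks right for shadow-utils on RHEL/Fedora, but since the dropped `path@ubuntu*` overrides were the only per-product values, it is worth confirming no remaining prodtype ships usermod under `/usr/bin`.
```yaml
{{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
  {{%- set perm_x="-F perm=x " %}}
{{%- endif %}}
# … unchanged: documentation_complete, prodtype, title, description intro …
    -a always,exit -F path=/usr/sbin/usermod {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
# … unchanged: auditctl paragraph …
    -a always,exit -F path=/usr/sbin/usermod {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged
```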
in ["rhel8", "rhel9", "sle12", "sle15"] %}} + {{%- set perm_x="(?:[\s]+-F[\s]+perm=x)" %}} + {{%- endif %}} + + +From fd801e1fd36a0e6724c043de2dbc75567738edfa Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 4 Aug 2021 15:57:08 +0200 +Subject: [PATCH 18/21] Update SRG mapping of chronyd_or_ntpd_set_maxpoll. + +--- + .../guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +index 4827cf1359..854e8e8048 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +@@ -90,7 +90,7 @@ references: + nist: CM-6(a),AU-8(1)(b) + nist-csf: PR.PT-1 + nist@sle12: AU-8(1)(a),AU-8(1)(b) +- srg: 'SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144' ++ srg: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144,SRG-OS-000359-GPOS-00146 + stigid@ol7: OL07-00-040500 + stigid@rhel7: RHEL-07-040500 + stigid@rhel8: RHEL-08-030740 + +From 4a79ec12860e768e650bb7fd0962334d1c70223a Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 4 Aug 2021 15:58:47 +0200 +Subject: [PATCH 19/21] Remove SUSE keyword verbiage from rules. 
+ +--- + .../accounts/accounts-restrictions/account_unique_id/rule.yml | 4 ++-- + .../audit_rules_login_events_faillog/rule.yml | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml +index e55901dbdc..5cfdf48dba 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml +@@ -32,8 +32,8 @@ ocil_clause: 'a line is returned' + + ocil: |- + Run the following command to check for duplicate account names: +- Check that the SUSE operating system contains no duplicate UIDs for interactive users by running the following command: ++ Check that the operating system contains no duplicate UIDs for interactive users by running the following command: +
# awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
+ If output is produced, this is a finding. +- Configure the SUSE operating system to contain no duplicate UIDs for interactive users. ++ Configure the operating system to contain no duplicate UIDs for interactive users. + Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID. +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml +index 7a6d748ffe..97d6874e98 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml +@@ -39,7 +39,7 @@ ocil_clause: 'there is no output' + + ocil: |- + To verify that auditing is configured for system administrator actions, run the following command: +- Configure the SUSE operating system to generate an audit record for any all modifications to the "faillog" file occur. ++ Configure the operating system to generate an audit record for any all modifications to the "faillog" file occur. + Add or update the following rules in the "/etc/audit/audit.rules" file: + -w /var/log/faillog -p wa -k logins + The audit daemon must be restarted for the changes to take effect. + +From 9122c246c124e26e1e059455ff66b9efa6601eeb Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 5 Aug 2021 14:39:13 +0200 +Subject: [PATCH 20/21] Enable check_root_user for RHEL9 in audit rules dac. 
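Review bot: The ocil block still opens with `Run the following command to check for duplicate account names:` immediately followed by the rewritten `Check that the operating system contains no duplicate UIDs for interactive users by running the following command:`, so the reader gets two introductions and the first names the wrong attribute — the awk command keys on field 3 (the UID) and only prints the account name alongside it. Since this commit is already rewording that block, drop the first line or change it to `Run the following command to check for duplicate UIDs:`; the rest of the ocil text is outside this hunk.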
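Review bot: The reworded faillog line keeps the ungrammatical tail `for any all modifications to the "faillog" file occur`; suggest `Configure the operating system to generate an audit record for all modifications to the "faillog" file.` The block's opening context line, `To verify that auditing is configured for system administrator actions, run the following command:`, promises a verification command but is followed by a configuration instruction and the `-w /var/log/faillog -p wa -k logins` rule, so the check-versus-fix wording could be tidied in the same pass — that line is pre-existing context, not introduced here.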
+ +--- + .../audit_rules_dac_modification_fremovexattr/rule.yml | 9 +++++---- + .../audit_rules_dac_modification_fsetxattr/rule.yml | 9 +++++---- + .../audit_rules_dac_modification_lremovexattr/rule.yml | 1 + + .../audit_rules_dac_modification_lsetxattr/rule.yml | 9 +++++---- + .../audit_rules_dac_modification_removexattr/rule.yml | 9 +++++---- + .../audit_rules_dac_modification_setxattr/rule.yml | 9 +++++---- + 6 files changed, 26 insertions(+), 20 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +index d46968da8f..5bd1b25eaf 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +@@ -11,13 +11,13 @@ description: |- + startup (the default), add the following line to a file with suffix + .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} +

+ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} +

+@@ -25,13 +25,13 @@ description: |- + utility to read audit rules during daemon startup, add the following line to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} +

+ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} + +@@ -92,3 +92,4 @@ template: + vars: + attr: fremovexattr + check_root_user@rhel8: "true" ++ check_root_user@rhel9: "true" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +index 564daccaed..410dd8a5ef 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +@@ -9,24 +9,24 @@ description: |- + startup (the default), add the following line to a file with suffix + .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} + If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following line to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} + If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S fsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} + +@@ -87,3 +87,4 @@ template: + vars: + attr: fsetxattr + check_root_user@rhel8: "true" ++ check_root_user@rhel9: "true" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +index 2ae0f11c58..947c768efd 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +@@ -92,3 +92,4 @@ template: + vars: + attr: lremovexattr + check_root_user@rhel8: "true" ++ check_root_user@rhel9: "true" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +index 945ad560d7..ed1fd3715d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +@@ -9,24 +9,24 @@ description: |- + startup (the default), add the following line to a file with suffix + .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} + If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following line to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} + If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} + +@@ -85,3 +85,4 @@ template: + vars: + attr: lsetxattr + check_root_user@rhel8: "true" ++ check_root_user@rhel9: "true" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +index e6d7374b7f..61e69432d1 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +@@ -10,13 +10,13 @@ description: |- + program to read audit rules during daemon startup (the default), add the + following line to a file with suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} +

+ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} +

+@@ -24,13 +24,13 @@ description: |- + utility to read audit rules during daemon startup, add the following line to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} +

+ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S removexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} + +@@ -91,3 +91,4 @@ template: + vars: + attr: removexattr + check_root_user@rhel8: "true" ++ check_root_user@rhel9: "true" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +index ab15167508..12489a74a0 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +@@ -9,24 +9,24 @@ description: |- + startup (the default), add the following line to a file with suffix + .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} + If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following line to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} + If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S setxattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
+-{{%- if product in ["rhel8"] %}} ++{{%- if product in ["rhel8", "rhel9"] %}} +
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
+ {{%- endif %}} + +@@ -87,3 +87,4 @@ template: + vars: + attr: setxattr + check_root_user@rhel8: "true" ++ check_root_user@rhel9: "true" + +From 88e9061888f7fb5824e7e2c52e83edad6b432615 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 5 Aug 2021 15:53:17 +0200 +Subject: [PATCH 21/21] Fix check and remediations of auditd_overflow_action. + +The check was generating a new input to the auditd.conf file and without +spaces between the separator (equal sign). This caused auditd failing to +start since it's mandatory to have a space between the separator. It +also introduces case insensitivity for the check since the paramaters +and values are case insensitive. +--- + .../auditd_overflow_action/ansible/shared.yml | 6 +++--- + .../auditd_overflow_action/bash/shared.sh | 5 +++-- + .../auditd_overflow_action/oval/shared.xml | 6 +++--- + 3 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml +index 4f88ed361d..166054a95a 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml +@@ -3,6 +3,6 @@ + {{{ ansible_set_config_file(file="/etc/audit/auditd.conf", + parameter="overflow_action", + value="syslog", +- separator="=", +- separator_regex="=", +- prefix_regex="^\s*") }}} ++ separator=" = ", ++ separator_regex="\s*=\s*", ++ prefix_regex="(?i)^\s*") }}} +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh +index 539b9b6582..b397c811d1 100644 +--- 
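Review bot: The ansible remediation gets case-insensitivity by prepending an inline `(?i)` flag to `prefix_regex`, while the bash remediation in the next hunk passes `insensitive=true` to `set_config_file` and leaves `prefix_regex="^\s*"` untouched; the two fixes should use one mechanism so a later change to either macro cannot silently desynchronise them. If `ansible_set_config_file` accepts an `insensitive` parameter like its bash counterpart, prefer it; if it does not, the inline flag only keeps working as long as the macro places `prefix_regex` at the very start of the combined pattern, because Python's `re` (which `lineinfile` uses) rejects global inline flags that are not at the start in 3.11 and warns about them earlier. That assumption is worth a comment in the file, e.g. `# (?i) must stay at the start of the assembled regexp`.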
a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh +@@ -7,6 +7,7 @@ + {{{set_config_file(path="/etc/audit/auditd.conf", + parameter="overflow_action", + value="syslog", +- separator="=", +- separator_regex="=", ++ insensitive=true, ++ separator=" = ", ++ separator_regex="\s*=\s*", + prefix_regex="^\s*")}}} +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml +index fd45280e4e..880d01bf72 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml +@@ -1,6 +1,6 @@ + {{{ oval_check_config_file( + path="/etc/audit/auditd.conf", +- prefix_regex="^(?:.*\\n)*\s*", ++ prefix_regex="^[ \\t]*(?i)", + parameter="overflow_action", +- value="syslog|single|halt", +- separator_regex="\s*=\s*") }}} ++ value="(?i)(syslog|single|halt)(?-i)", ++ separator_regex="(?-i)[ \\t]*=[ \\t]*") }}} diff --git a/SOURCES/scap-security-guide-0.1.58-bios_enable_execution_restrictions_srg-PR_7284.patch b/SOURCES/scap-security-guide-0.1.58-bios_enable_execution_restrictions_srg-PR_7284.patch new file mode 100644 index 0000000..07bee80 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-bios_enable_execution_restrictions_srg-PR_7284.patch 
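Review bot: The OVAL regex toggles case-insensitivity three times — `(?i)` at the end of `prefix_regex`, `(?-i)` at the start of `separator_regex`, and `(?i)…(?-i)` around `value` — although neither whitespace nor `=` has a case, so a single flag at the very start, `prefix_regex="(?i)^[ \\t]*"`, would express the same check with fewer places to get wrong. Whether inline flag toggles in the middle of a pattern are honoured depends on the regex engine the OVAL interpreter uses, which this hunk does not show, so the simpler form is also the more portable one. Replacing the old `^(?:.*\\n)*` prefix with a bare `^` presumably relies on the macro enabling multiline matching; if it does, a short comment saying so would save the next reader the check.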
@@ -0,0 +1,21 @@
+From df11870dd23bc5ada56acd89610c6498cbc5bc35 Mon Sep 17 00:00:00 2001
+From: Milan Lysonek
+Date: Mon, 26 Jul 2021 11:49:30 +0200
+Subject: [PATCH] Add bios_enable_execution_restrictions SRG reference
+
+---
+ .../enable_nx/bios_enable_execution_restrictions/rule.yml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
+index b037e374f5..99f2c739c9 100644
+--- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
+@@ -31,6 +31,7 @@ references:
+ iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
+ nist: SC-39,CM-6(a)
+ nist-csf: PR.IP-1
++ srg: SRG-OS-000433-GPOS-00192
+ stig@rhel8: RHEL-08-010420
+
+ platform: machine
diff --git a/SOURCES/scap-security-guide-0.1.58-cis_rhel7_updates-PR_7384.patch b/SOURCES/scap-security-guide-0.1.58-cis_rhel7_updates-PR_7384.patch
new file mode 100644
index 0000000..c12c561
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-cis_rhel7_updates-PR_7384.patch
@@ -0,0 +1,139 @@ +From 44976b5fda0f34e78a0a0764add645212bd4e26d Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 12 Aug 2021 11:08:56 +0200 +Subject: [PATCH 1/4] remove automated: yes for 1.1.6, rule is missing + +--- + controls/cis_rhel7.yml | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml +index 6a333693fb..7298158ad3 100644 +--- a/controls/cis_rhel7.yml ++++ b/controls/cis_rhel7.yml +@@ -95,8 +95,7 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes +-# rules: ++ automated: no # rule missing + + - id: 1.1.7 + title: Ensure noexec option set on /dev/shm partition (Automated) + +From 4dcbe4b2d4a9c14527edd06e90809630877d97aa Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 12 Aug 2021 11:21:20 +0200 +Subject: [PATCH 2/4] add rule for 3.5.1.5 - firewalld default zone + +--- + controls/cis_rhel7.yml | 4 +++- + .../ruleset_modifications/set_firewalld_default_zone/rule.yml | 1 + + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml +index 7298158ad3..0f3cec2a83 100644 +--- a/controls/cis_rhel7.yml ++++ b/controls/cis_rhel7.yml +@@ -1022,7 +1022,9 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: no # no exact rule is present ++ automated: yes ++ rules: ++ - set_firewalld_default_zone + + - id: 3.5.1.6 + title: Ensure network interfaces are assigned to appropriate zone (Manual) +diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml +index 48de06c5bc..f4d78fb7a1 100644 +--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml ++++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml +@@ -27,6 +27,7 
@@ identifiers: + + references: + cis-csc: 11,14,3,9 ++ cis@rhel7: 3.5.1.5 + cis@rhel8: 3.4.2.4 + cis@sle15: 3.5.1.5 + cjis: 5.10.1 + +From a13a796ee8c33ae98e93072bfc7ee15182bdfb5c Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 12 Aug 2021 11:45:52 +0200 +Subject: [PATCH 3/4] partially cover 5.5.1.4 + +--- + controls/cis_rhel7.yml | 5 ++++- + .../account_disable_post_pw_expiration/rule.yml | 2 +- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml +index 0f3cec2a83..78ac34817f 100644 +--- a/controls/cis_rhel7.yml ++++ b/controls/cis_rhel7.yml +@@ -1966,7 +1966,10 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: no # rule missing ++ automated: partially # we do not check /et/shadow ++ rules: ++ - account_disable_post_pw_expiration ++ - var_account_disable_post_pw_expiration=30 + + - id: 5.5.1.5 + title: Ensure all users last password change date is in the past (Automated) +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml +index 310e234d43..a3d81cf73f 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml +@@ -34,7 +34,7 @@ identifiers: + + references: + cis-csc: 1,12,13,14,15,16,18,3,5,7,8 +- cis@rhel7: 5.4.1.4 ++ cis@rhel7: 5.5.1.4 + cis@rhel8: 5.5.1.4 + cis@ubuntu2004: 5.4.1.4 + cjis: 5.6.2.1.1 + +From 31ecc1b5806e7bc14199904b0a4e4d7b027ef7c4 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 12 Aug 2021 11:52:09 +0200 +Subject: [PATCH 4/4] automate 6.2.5 + +--- + controls/cis_rhel7.yml | 4 +++- + .../account_expiration/account_unique_name/rule.yml | 1 + + 2 files 
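Review bot: The comment on the new `automated: partially` line misspells the path: `/et/shadow` should be `/etc/shadow`, i.e. `automated: partially # we do not check /etc/shadow`. Since this comment is the only record of why the control is marked partial, it would help to also name what is not checked — presumably the per-user inactivity field in /etc/shadow as opposed to the useradd default the selected rule covers — so the gap can be closed later.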
changed, 4 insertions(+), 1 deletion(-) + +diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml +index 78ac34817f..672b96cbeb 100644 +--- a/controls/cis_rhel7.yml ++++ b/controls/cis_rhel7.yml +@@ -2205,7 +2205,9 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: no # rule missing ++ automated: yes ++ rules: ++ - account_unique_name + + - id: 6.2.6 + title: Ensure no duplicate group names exist (Automated) +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml +index 484b3c4f90..5f6377f194 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml +@@ -20,6 +20,7 @@ identifiers: + cce@rhel9: CCE-83628-8 + + references: ++ cis@rhel7: 6.2.5 + cis@rhel8: 6.2.17 + cjis: 5.5.2 + disa: CCI-000770,CCI-000804 diff --git a/SOURCES/scap-security-guide-0.1.58-disable_ctrlaltdel_reboot_fix_test_scenario-PR_7444.patch b/SOURCES/scap-security-guide-0.1.58-disable_ctrlaltdel_reboot_fix_test_scenario-PR_7444.patch new file mode 100644 index 0000000..dacaa20 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-disable_ctrlaltdel_reboot_fix_test_scenario-PR_7444.patch 
@@ -0,0 +1,20 @@
+From 9bb002a6870f255a8e4934fab0d1b44893f818bc Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Mon, 23 Aug 2021 12:29:13 +0200
+Subject: [PATCH] disable_ctrlaltdel_reboot: disable service before masking
+ during test scenario setup.
+
+---
+ .../disable_ctrlaltdel_reboot/tests/masked.pass.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/masked.pass.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/masked.pass.sh
+index cc333ea2e9e..b56b59b2fd2 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/masked.pass.sh
++++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/masked.pass.sh
+@@ -1,4 +1,5 @@
+ #!/bin/bash
+ # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora
+
++systemctl disable --now ctrl-alt-del.target
+ systemctl mask --now ctrl-alt-del.target
diff --git a/SOURCES/scap-security-guide-0.1.58-ensure_test_helper_scripts_executable-PR_7302.patch b/SOURCES/scap-security-guide-0.1.58-ensure_test_helper_scripts_executable-PR_7302.patch
new file mode 100644
index 0000000..369db79
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-ensure_test_helper_scripts_executable-PR_7302.patch
@@ -0,0 +1,28 @@
+From 030557e3c4b48f568f6fef7de36de4dca6c66838 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Thu, 29 Jul 2021 19:02:11 +0200
+Subject: [PATCH] Ensure test scenarios and scripts are excutable
+
+After Jinja processing the test scenarios and test helper scripts they
+lose their original permissions. This ensures they are readable and
+executable.
+
+The helper scripts are called by test scenarios and they need to be
+executable.
+---
+ tests/ssg_test_suite/common.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tests/ssg_test_suite/common.py b/tests/ssg_test_suite/common.py
+index 3dbeaf304a..130e5c960c 100644
+--- a/tests/ssg_test_suite/common.py
++++ b/tests/ssg_test_suite/common.py
+@@ -245,6 +245,8 @@ def _make_file_root_owned(tarinfo):
+ if tarinfo:
+ tarinfo.uid = 0
+ tarinfo.gid = 0
++ # set permission to 775
++ tarinfo.mode = 509
+ return tarinfo
+
+
diff --git a/SOURCES/scap-security-guide-0.1.58-fix_STIG_references-PR_7371.patch b/SOURCES/scap-security-guide-0.1.58-fix_STIG_references-PR_7371.patch
new file mode 100644
index 0000000..6fba0f7
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-fix_STIG_references-PR_7371.patch
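Review bot: `tarinfo.mode = 509` is a magic number whose meaning is only recoverable from the comment above it; write it as the octal literal the comment names, `tarinfo.mode = 0o775`, which is valid on Python 2.6+ as well as 3 (the Python 2 compatibility work elsewhere in this package suggests 2 is still a target). 0775 also makes every entry group-writable, not merely executable, and the filter applies it to every entry it sees rather than only to scripts; if group write is not required, `0o755` gives the executable bit without widening write access to the test scenarios that later run. `_make_file_root_owned` starts before the hunk.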
@@ -0,0 +1,114 @@ +From 859684c560e948a439029b0d180fe23659d85141 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 10 Aug 2021 12:04:16 +0200 +Subject: [PATCH] Remove inexistent and/or duplicated STIG references. + +--- + .../package_xorg-x11-server-common_removed/rule.yml | 1 - + .../accounts_password_pam_unix_remember/rule.yml | 1 - + .../audit_rules_sysadmin_actions/rule.yml | 1 - + .../file_ownership_var_log_audit/rule.yml | 1 - + .../auditd_data_retention_space_left_action/rule.yml | 2 +- + .../harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml | 1 - + .../rule.yml | 2 +- + .../crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml | 1 - + 8 files changed, 2 insertions(+), 8 deletions(-) + +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +index de8f0f6fd8..6e739d21a2 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +@@ -42,7 +42,6 @@ references: + nist-csf: PR.AC-3,PR.PT-4 + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: RHEL-07-040730 +- stigid@rhel8: RHEL-08-040320 + + ocil_clause: 'the X Windows package group or xorg-x11-server-common has not be removed' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +index 9138681688..a2b66fc4d6 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +@@ -50,7 +50,6 @@ 
references: + srg: SRG-OS-000077-GPOS-00045 + stigid@ol7: OL07-00-010270 + stigid@rhel7: RHEL-07-010270 +- stigid@rhel8: RHEL-08-020220 + stigid@sle15: SLES-15-020250 + stigid@ubuntu2004: UBTU-20-010070 + vmmsrg: SRG-OS-000077-VMM-000440 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml +index 12bca676d8..b4291e168c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml +@@ -50,7 +50,6 @@ references: + srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,CCI-002884,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221 + stigid@ol7: OL07-00-030700 + stigid@rhel7: RHEL-07-030700 +- stigid@rhel8: RHEL-08-030172 + stigid@sle15: SLES-15-030140 + vmmsrg: SRG-OS-000462-VMM-001840,SRG-OS-000471-VMM-001910 + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml +index 956beef52b..96bc0fa0b8 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml +@@ -35,7 +35,6 @@ references: + srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084 + stigid@ol7: OL07-00-910055 + stigid@rhel7: RHEL-07-910055 +- stigid@rhel8: RHEL-08-030080 + + ocil: |- + {{{ 
describe_file_owner(file="/var/log/audit", owner="root") }}} +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml +index 6e30f1c4ac..7569a6776b 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml +@@ -53,7 +53,7 @@ references: + srg: SRG-OS-000343-GPOS-00134 + stigid@ol7: OL07-00-030340 + stigid@rhel7: RHEL-07-030340 +- stigid@rhel8: RHEL-08-030730 ++ stigid@rhel8: RHEL-08-030731 + stigid@ubuntu2004: UBTU-20-010217 + vmmsrg: SRG-OS-000343-VMM-001240 + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml +index 0aa310d924..682ca436b8 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml +@@ -30,7 +30,6 @@ references: + disa: CCI-001453 + nist: AC-17(2) + srg: SRG-OS-000250-GPOS-00093 +- stigid@rhel8: RHEL-08-010291 + + ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly' + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml +index b56f2421f2..e904bc848c 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml ++++ 
b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml +@@ -30,7 +30,7 @@ references: + disa: CCI-001453 + nist: AC-17(2) + srg: SRG-OS-000250-GPOS-00093 +- stigid@rhel8: RHEL-08-010290 ++ stigid@rhel8: RHEL-08-010291 + + ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly' + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml +index 1aeb987db2..d21f68ac17 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml +@@ -28,7 +28,6 @@ references: + disa: CCI-001453 + nist: AC-17(2) + srg: SRG-OS-000250-GPOS-00093 +- stigid@rhel8: RHEL-08-010290 + + ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly' + diff --git a/SOURCES/scap-security-guide-0.1.58-fix_ansible_banner_remediation-PR_7228.patch b/SOURCES/scap-security-guide-0.1.58-fix_ansible_banner_remediation-PR_7228.patch new file mode 100644 index 0000000..b2a5501 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-fix_ansible_banner_remediation-PR_7228.patch 
@@ -0,0 +1,53 @@ +From a9660f01ecd85240df9460f141387dd2874eba82 Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Fri, 9 Jul 2021 16:15:28 +0200 +Subject: [PATCH] Bug 1857179 - Improved ansible fix for banner files. Replace + files only when necessary. + +--- + .../banner_etc_issue/ansible/shared.yml | 12 +++--------- + .../banner_etc_motd/ansible/shared.yml | 12 +++--------- + 2 files changed, 6 insertions(+), 18 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +index ff6b6eab42b..4f6d64fd7ac 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +@@ -5,13 +5,7 @@ + # disruption = medium + {{{ ansible_instantiate_variables("login_banner_text") }}} + +-- name: "{{{ rule_title }}} - remove incorrect banner" +- file: +- state: absent +- path: /etc/issue +- +-- name: "{{{ rule_title }}} - add correct banner" +- lineinfile: ++- name: "{{{ rule_title }}} - ensure correct banner" ++ copy: + dest: /etc/issue +- line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}' +- create: yes ++ content: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}' +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml +index 15eb3cc1cbd..2c645889336 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml +@@ -5,13 +5,7 @@ + # disruption = medium + {{{ ansible_instantiate_variables("login_banner_text") }}} + +-- name: "{{{ rule_title }}} - remove incorrect banner" +- file: +- state: absent +- path: /etc/motd +- +-- name: 
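Review bot: Switching from `lineinfile` to `copy` with `content:` changes what ends up on disk: `lineinfile` always terminates the banner with a newline, whereas `copy` writes `content` verbatim, so `/etc/issue` will end without a trailing newline unless `ansible_deregexify_banner_etc_issue` already emits one. The `/etc/motd` hunk on the next line has the same change. If the macro does not add one, append it in the template (the scalar would need double quotes for `\n`, so check how the macro escapes quotes) or confirm the OVAL check tolerates the missing newline, and record the expectation with a comment such as `# copy writes content verbatim: no implicit trailing newline`.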
"{{{ rule_title }}} - add correct banner" +- lineinfile: ++- name: "{{{ rule_title }}} - ensure correct banner" ++ copy: + dest: /etc/motd +- line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}' +- create: yes ++ content: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}' diff --git a/SOURCES/scap-security-guide-0.1.58-fix_audit_file_permissions-PR_7440.patch b/SOURCES/scap-security-guide-0.1.58-fix_audit_file_permissions-PR_7440.patch new file mode 100644 index 0000000..d05e7c4 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-fix_audit_file_permissions-PR_7440.patch 
@@ -0,0 +1,58 @@ +From 1dcdad51a48c17dd5dbb7eb9bbb8cef23cf00e29 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 23 Aug 2021 10:26:39 +0200 +Subject: [PATCH] Fix remaining audit rule files permissions. + +--- + .../audit_rules_immutable/ansible/shared.yml | 1 + + .../audit_rules_immutable/bash/shared.sh | 1 + + shared/templates/audit_file_contents/ansible.template | 5 +++++ + shared/templates/audit_file_contents/bash.template | 2 ++ + 4 files changed, 9 insertions(+) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml +index 1cafb744cc3..736d4c333e4 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml +@@ -22,6 +22,7 @@ + path: "{{ item }}" + create: True + line: "-e 2" ++ mode: o-rwx + loop: + - "/etc/audit/audit.rules" + - "/etc/audit/rules.d/immutable.rules" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh +index 29cd4a5de6f..36e0691493f 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh +@@ -20,4 +20,5 @@ do + echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_FILE + echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE + echo '-e 2' >> $AUDIT_FILE ++ chmod o-rwx $AUDIT_FILE + done +diff --git a/shared/templates/audit_file_contents/ansible.template b/shared/templates/audit_file_contents/ansible.template +index c2852745451..a262386cfbf 100644 +--- 
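Review bot: All four hunks use a relative symbolic mode (`mode: o-rwx` in the lineinfile and file tasks, `chmod o-rwx` in the two shell fixes), which only strips the other bits and leaves whatever owner and group bits the file already has; if the requirement is an absolute mode, a literal such as `0640` pins the result regardless of the file's prior state and avoids depending on how Ansible resolves a relative mode for a file the same `lineinfile` task creates via `create: True`. In the bash hunk `chmod o-rwx $AUDIT_FILE` should quote the variable, `chmod o-rwx "$AUDIT_FILE"`, even though the surrounding redirections leave it unquoted. The bash.template and ansible.template hunks on the next line carry the same symbolic mode.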
a/shared/templates/audit_file_contents/ansible.template ++++ b/shared/templates/audit_file_contents/ansible.template +@@ -9,3 +9,8 @@ + contents=CONTENTS, + ) + }}} ++ ++- name: Remove any permissions from other group ++ file: ++ path: {{{ FILEPATH }}} ++ mode: o-rwx +diff --git a/shared/templates/audit_file_contents/bash.template b/shared/templates/audit_file_contents/bash.template +index f264be6f14d..d6277167892 100644 +--- a/shared/templates/audit_file_contents/bash.template ++++ b/shared/templates/audit_file_contents/bash.template +@@ -11,4 +11,6 @@ + ) + }}} + ++chmod o-rwx {{{ FILEPATH }}} ++ + augenrules --load diff --git a/SOURCES/scap-security-guide-0.1.58-fix_handling_of_variables_in_levels-PR_7226.patch b/SOURCES/scap-security-guide-0.1.58-fix_handling_of_variables_in_levels-PR_7226.patch new file mode 100644 index 0000000..c609d07 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-fix_handling_of_variables_in_levels-PR_7226.patch 
@@ -0,0 +1,702 @@ +From 7901659fa169db8ac5ffd7c610a798c785a3556b Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 9 Jul 2021 14:41:03 +0200 +Subject: [PATCH 01/12] ensure that higher policy levels can override variables + of lower levels + +--- + ssg/controls.py | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 297d80e46c5..165cdf0511a 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -202,9 +202,16 @@ def get_all_controls_of_level(self, policy_id, level_id): + + all_policy_controls = self.get_all_controls(policy_id) + eligible_controls = [] +- for c in all_policy_controls: +- if len(level_ids.intersection(c.levels)) > 0: +- eligible_controls.append(c) ++ defined_variables = [] ++ # we will go level by level, from top to bottom ++ # this is done to enable overriding of variables by higher levels ++ for lv in level_ids: ++ for c in all_policy_controls: ++ if lv in c.levels: ++ # if the control has a variable, check if it is not already defined ++ if c.variables.keys().isdisjoint(defined_variables): ++ eligible_controls.append(c) ++ defined_variables += [*c.variables.keys()] + return eligible_controls + + def get_all_controls(self, policy_id): + +From 66e612a9668009cc553fcf1abbf2c9477155c0c2 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 5 Aug 2021 14:02:25 +0200 +Subject: [PATCH 02/12] use ordered sets emulated by ordereddict + +because of compatibility with python2 +--- + ssg/controls.py | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 165cdf0511a..611a647e125 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -2,6 +2,7 @@ + import logging + import os + from glob import glob ++from collections import OrderedDict + + import ssg.build_yaml + import ssg.yaml +@@ -152,16 +153,18 @@ def get_level(self, level_id): + raise ValueError(msg) + + def 
get_level_with_ancestors(self, level_id): +- levels = set() ++ # use OrderedDict for Python2 compatibility instead of ordered set ++ levels = OrderedDict() + level = self.get_level(level_id) +- levels.add(level) ++ levels[level] = "" + if level.inherits_from: + for lv in level.inherits_from: +- levels.update(self.get_level_with_ancestors(lv)) ++ eligible_levels = [l for l in self.get_level_with_ancestors(lv).keys() if l not in levels.keys()] ++ for l in eligible_levels: ++ levels[l] = "" + return levels + + +- + class ControlsManager(): + def __init__(self, controls_dir, env_yaml=None): + self.controls_dir = os.path.abspath(controls_dir) +@@ -198,20 +201,24 @@ def _get_policy(self, policy_id): + def get_all_controls_of_level(self, policy_id, level_id): + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) +- level_ids = set([lv.id for lv in levels]) ++ # we use OrderedDict here with empty values instead of ordered set ++ # cause we want to be compatible with python 2 ++ level_ids = OrderedDict() ++ for lv in levels.keys(): ++ level_ids[lv.id] = "" + + all_policy_controls = self.get_all_controls(policy_id) + eligible_controls = [] + defined_variables = [] + # we will go level by level, from top to bottom + # this is done to enable overriding of variables by higher levels +- for lv in level_ids: ++ for lv in level_ids.keys(): + for c in all_policy_controls: + if lv in c.levels: + # if the control has a variable, check if it is not already defined + if c.variables.keys().isdisjoint(defined_variables): + eligible_controls.append(c) +- defined_variables += [*c.variables.keys()] ++ defined_variables += list(c.variables.keys()) + return eligible_controls + + def get_all_controls(self, policy_id): + +From 95a23a31293a0a63361ddf1831866cd5ae1ab61e Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 5 Aug 2021 16:30:10 +0200 +Subject: [PATCH 03/12] rework handling of variables when returning all + controls of a level + +currently 
only the top most level variables are kept in the controls +if there is a control with lower level which has the same variable defined, it is deep copied and the variable definition is removed only from the resulting control +the original control stays in tact +--- + ssg/controls.py | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 611a647e125..4ebb8bda3d7 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -1,8 +1,8 @@ + import collections + import logging + import os ++import copy + from glob import glob +-from collections import OrderedDict + + import ssg.build_yaml + import ssg.yaml +@@ -154,7 +154,7 @@ def get_level(self, level_id): + + def get_level_with_ancestors(self, level_id): + # use OrderedDict for Python2 compatibility instead of ordered set +- levels = OrderedDict() ++ levels = collections.OrderedDict() + level = self.get_level(level_id) + levels[level] = "" + if level.inherits_from: +@@ -201,24 +201,39 @@ def _get_policy(self, policy_id): + def get_all_controls_of_level(self, policy_id, level_id): + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) ++ print ("getting levels of " + level_id) ++ print ([ l.id for l in levels.keys()]) + # we use OrderedDict here with empty values instead of ordered set + # cause we want to be compatible with python 2 +- level_ids = OrderedDict() ++ level_ids = collections.OrderedDict() + for lv in levels.keys(): + level_ids[lv.id] = "" +- ++ print (level_ids.keys()) + all_policy_controls = self.get_all_controls(policy_id) + eligible_controls = [] + defined_variables = [] + # we will go level by level, from top to bottom + # this is done to enable overriding of variables by higher levels + for lv in level_ids.keys(): ++ print ("going through level " +lv) + for c in all_policy_controls: ++ print (c.levels) + if lv in c.levels: + # if the control has a variable, check if it is not already 
defined +- if c.variables.keys().isdisjoint(defined_variables): ++ variables = list(c.variables.keys()) ++ if len(variables) == 0: + eligible_controls.append(c) +- defined_variables += list(c.variables.keys()) ++ for var in variables: ++ if var in defined_variables: ++ # if it is, create new instance of the control and remove the variable ++ # we are going from the top level to the bottom ++ # so we don't want to overwrite variables ++ new_c = copy.deepcopy(c) ++ del new_c.variables[var] ++ eligible_controls.append(new_c) ++ else: ++ defined_variables.append(var) ++ eligible_controls.append(c) + return eligible_controls + + def get_all_controls(self, policy_id): + +From a2dd7e9386c757a523b57646bdc5a9ffa99f68c5 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 5 Aug 2021 16:31:25 +0200 +Subject: [PATCH 04/12] add tests for defining of variables + +--- + tests/unit/ssg-module/data/controls_dir/abcd-levels.yml | 6 ++++++ + tests/unit/ssg-module/test_controls.py | 5 +++++ + 2 files changed, 11 insertions(+) + +diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +index aded77c12a6..b98a7cd4e19 100644 +--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml ++++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +@@ -19,10 +19,14 @@ controls: + - id: S2 + levels: + - low ++ rules: ++ - var_password_pam_minlen=1 + + - id: S3 + levels: + - medium ++ rules: ++ - var_password_pam_minlen=2 + + - id: S4 + title: Configure authentication +@@ -36,3 +40,5 @@ controls: + title: Enforce password quality standards + levels: + - high ++ rules: ++ - var_password_pam_minlen=3 +diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py +index ff9b04f26c9..06fcb0c375d 100644 +--- a/tests/unit/ssg-module/test_controls.py ++++ b/tests/unit/ssg-module/test_controls.py +@@ -87,6 +87,11 @@ def test_controls_levels(): + assert len(low_controls) == 4 + assert 
len(medium_controls) == 5 + ++ # test overriding of variables in levels ++ assert c_2.variables["var_password_pam_minlen"] == "1" ++ assert c_3.variables["var_password_pam_minlen"] == "2" ++ assert c_4b.variables["var_password_pam_minlen"] == "3" ++ + + def test_controls_load_product(): + ssg_root = \ + +From 82b90a9720dadab7d6060f0ccbcd902b1c097904 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 6 Aug 2021 09:30:47 +0200 +Subject: [PATCH 05/12] make overriding of variables optional + +--- + ssg/controls.py | 38 +++++++++++++++++++------------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 4ebb8bda3d7..90639fbe4c7 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -198,42 +198,42 @@ def _get_policy(self, policy_id): + raise ValueError(msg) + return policy + +- def get_all_controls_of_level(self, policy_id, level_id): ++ def get_all_controls_of_level(self, policy_id, level_id, override_vars=True): ++ # if override_vars is enabled, then variables from higher levels will ++ # override variables efined in controls of lower levels + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) +- print ("getting levels of " + level_id) +- print ([ l.id for l in levels.keys()]) + # we use OrderedDict here with empty values instead of ordered set + # cause we want to be compatible with python 2 + level_ids = collections.OrderedDict() + for lv in levels.keys(): + level_ids[lv.id] = "" +- print (level_ids.keys()) + all_policy_controls = self.get_all_controls(policy_id) + eligible_controls = [] + defined_variables = [] + # we will go level by level, from top to bottom + # this is done to enable overriding of variables by higher levels + for lv in level_ids.keys(): +- print ("going through level " +lv) + for c in all_policy_controls: +- print (c.levels) + if lv in c.levels: +- # if the control has a variable, check if it is not already defined +- variables = 
list(c.variables.keys()) +- if len(variables) == 0: ++ if override_vars == False: + eligible_controls.append(c) +- for var in variables: +- if var in defined_variables: +- # if it is, create new instance of the control and remove the variable +- # we are going from the top level to the bottom +- # so we don't want to overwrite variables +- new_c = copy.deepcopy(c) +- del new_c.variables[var] +- eligible_controls.append(new_c) +- else: +- defined_variables.append(var) ++ else: ++ # if the control has a variable, check if it is not already defined ++ variables = list(c.variables.keys()) ++ if len(variables) == 0: + eligible_controls.append(c) ++ for var in variables: ++ if var in defined_variables: ++ # if it is, create new instance of the control and remove the variable ++ # we are going from the top level to the bottom ++ # so we don't want to overwrite variables ++ new_c = copy.deepcopy(c) ++ del new_c.variables[var] ++ eligible_controls.append(new_c) ++ else: ++ defined_variables.append(var) ++ eligible_controls.append(c) + return eligible_controls + + def get_all_controls(self, policy_id): + +From 47df80d086e96deb4eab88d5f813bffb380006a8 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 11 Aug 2021 12:38:42 +0200 +Subject: [PATCH 06/12] fix a typo + +--- + ssg/controls.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 90639fbe4c7..10a304bf8c2 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -200,7 +200,7 @@ def _get_policy(self, policy_id): + + def get_all_controls_of_level(self, policy_id, level_id, override_vars=True): + # if override_vars is enabled, then variables from higher levels will +- # override variables efined in controls of lower levels ++ # override variables defined in controls of lower levels + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) + # we use OrderedDict here with empty values instead of ordered set + +From 
8e59037ed07aad33a55e8297ee5bce0f51c0dee6 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 11 Aug 2021 17:02:11 +0200 +Subject: [PATCH 07/12] update tests to check that overriding of variables + works + +--- + .../ssg-module/data/controls_dir/abcd-levels.yml | 4 +--- + tests/unit/ssg-module/test_controls.py | 16 ++++++++++++++-- + 2 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +index b98a7cd4e19..99efafd832e 100644 +--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml ++++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +@@ -25,8 +25,6 @@ controls: + - id: S3 + levels: + - medium +- rules: +- - var_password_pam_minlen=2 + + - id: S4 + title: Configure authentication +@@ -41,4 +39,4 @@ controls: + levels: + - high + rules: +- - var_password_pam_minlen=3 ++ - var_password_pam_minlen=2 +diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py +index 06fcb0c375d..124b344d141 100644 +--- a/tests/unit/ssg-module/test_controls.py ++++ b/tests/unit/ssg-module/test_controls.py +@@ -89,8 +89,20 @@ def test_controls_levels(): + + # test overriding of variables in levels + assert c_2.variables["var_password_pam_minlen"] == "1" +- assert c_3.variables["var_password_pam_minlen"] == "2" +- assert c_4b.variables["var_password_pam_minlen"] == "3" ++ assert "var_password_pam_minlen" not in c_3.variables.keys() ++ assert c_4b.variables["var_password_pam_minlen"] == "2" ++ ++ for c in low_controls: ++ if "var_password_pam_minlen" in c.variables.keys(): ++ assert c.variables["var_password_pam_minlen"] == "1" ++ ++ for c in medium_controls: ++ if "var_password_pam_minlen" in c.variables.keys(): ++ assert c.variables["var_password_pam_minlen"] == "1" ++ ++ for c in high_controls: ++ if "var_password_pam_minlen" in c.variables.keys(): ++ assert c.variables["var_password_pam_minlen"] == "2" + + 
+ def test_controls_load_product(): + +From dae4fc52a627eac6595bb73e3ffb1a0c50e78fdd Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 11 Aug 2021 17:02:32 +0200 +Subject: [PATCH 08/12] make overriding of variables hardcoded when requesting + controls of a certain level + +--- + ssg/controls.py | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 10a304bf8c2..7923f0cb379 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -198,9 +198,7 @@ def _get_policy(self, policy_id): + raise ValueError(msg) + return policy + +- def get_all_controls_of_level(self, policy_id, level_id, override_vars=True): +- # if override_vars is enabled, then variables from higher levels will +- # override variables defined in controls of lower levels ++ def get_all_controls_of_level(self, policy_id, level_id): + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) + # we use OrderedDict here with empty values instead of ordered set +@@ -216,24 +214,22 @@ def get_all_controls_of_level(self, policy_id, level_id, override_vars=True): + for lv in level_ids.keys(): + for c in all_policy_controls: + if lv in c.levels: +- if override_vars == False: ++ # if the control has a variable, check if it is not already defined ++ variables = list(c.variables.keys()) ++ if len(variables) == 0: + eligible_controls.append(c) +- else: +- # if the control has a variable, check if it is not already defined +- variables = list(c.variables.keys()) +- if len(variables) == 0: ++ continue ++ for var in variables: ++ if var in defined_variables: ++ # if it is, create new instance of the control and remove the variable ++ # we are going from the top level to the bottom ++ # so we don't want to overwrite variables ++ new_c = copy.deepcopy(c) ++ del new_c.variables[var] ++ eligible_controls.append(new_c) ++ else: ++ defined_variables.append(var) + eligible_controls.append(c) +- 
for var in variables: +- if var in defined_variables: +- # if it is, create new instance of the control and remove the variable +- # we are going from the top level to the bottom +- # so we don't want to overwrite variables +- new_c = copy.deepcopy(c) +- del new_c.variables[var] +- eligible_controls.append(new_c) +- else: +- defined_variables.append(var) +- eligible_controls.append(c) + return eligible_controls + + def get_all_controls(self, policy_id): + +From c051e11c70b7e23ce3d4a8e0670da4fae72833c6 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 12 Aug 2021 15:30:39 +0200 +Subject: [PATCH 09/12] get rid of one ordereddict + +--- + ssg/controls.py | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 7923f0cb379..891b13c891c 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -201,19 +201,14 @@ def _get_policy(self, policy_id): + def get_all_controls_of_level(self, policy_id, level_id): + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) +- # we use OrderedDict here with empty values instead of ordered set +- # cause we want to be compatible with python 2 +- level_ids = collections.OrderedDict() +- for lv in levels.keys(): +- level_ids[lv.id] = "" + all_policy_controls = self.get_all_controls(policy_id) + eligible_controls = [] + defined_variables = [] + # we will go level by level, from top to bottom + # this is done to enable overriding of variables by higher levels +- for lv in level_ids.keys(): ++ for lv in levels.keys(): + for c in all_policy_controls: +- if lv in c.levels: ++ if lv.id in c.levels: + # if the control has a variable, check if it is not already defined + variables = list(c.variables.keys()) + if len(variables) == 0: + +From 4dd5cb1326932cf020785a8c2472998eb2e7775e Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 12 Aug 2021 16:44:57 +0200 +Subject: [PATCH 10/12] fix overriding of variables + +when there were 
multiple variables overridden, it caused problems by creating multiple copies of controls +--- + ssg/controls.py | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 891b13c891c..8b69676313c 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -214,17 +214,19 @@ def get_all_controls_of_level(self, policy_id, level_id): + if len(variables) == 0: + eligible_controls.append(c) + continue ++ variables_to_remove = [] # contains list of variables which are already defined and should be removed from the control + for var in variables: + if var in defined_variables: +- # if it is, create new instance of the control and remove the variable +- # we are going from the top level to the bottom +- # so we don't want to overwrite variables +- new_c = copy.deepcopy(c) +- del new_c.variables[var] +- eligible_controls.append(new_c) ++ variables_to_remove.append(var) + else: + defined_variables.append(var) +- eligible_controls.append(c) ++ if len(variables_to_remove) == 0: ++ eligible_controls.append(c) ++ else: ++ new_c = copy.deepcopy(c) ++ for var in variables_to_remove: ++ del new_c.variables[var] ++ eligible_controls.append(new_c) + return eligible_controls + + def get_all_controls(self, policy_id): + +From fbebba524cab090bc4c2f92b75257a7cc881ef5e Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 12 Aug 2021 16:45:38 +0200 +Subject: [PATCH 11/12] extended tests to test for multiple overridden + variables + +--- + .../data/controls_dir/abcd-levels.yml | 2 ++ + tests/unit/ssg-module/test_controls.py | 19 +++++++++++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +index 99efafd832e..2e60ec43532 100644 +--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml ++++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +@@ -21,6 +21,7 @@ controls: + - low + 
rules: + - var_password_pam_minlen=1 ++ - var_some_variable=1 + + - id: S3 + levels: +@@ -40,3 +41,4 @@ controls: + - high + rules: + - var_password_pam_minlen=2 ++ - var_some_variable=3 +diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py +index 124b344d141..1465661b04a 100644 +--- a/tests/unit/ssg-module/test_controls.py ++++ b/tests/unit/ssg-module/test_controls.py +@@ -104,6 +104,25 @@ def test_controls_levels(): + if "var_password_pam_minlen" in c.variables.keys(): + assert c.variables["var_password_pam_minlen"] == "2" + ++ # now test if controls of lower level has the variable definition correctly removed ++ # because it is overriden by higher level controls ++ s2_high = [c for c in high_controls if c.id == "S2"] ++ assert len(s2_high) == 1 ++ assert "var_some_variable" not in s2_high[0].variables.keys() ++ assert "var_password_pam_minlen" not in s2_high[0].variables.keys() ++ s4b_high = [c for c in high_controls if c.id == "S4.b"] ++ assert len(s4b_high) == 1 ++ assert s4b_high[0].variables["var_some_variable"] == "3" ++ assert s4b_high[0].variables["var_password_pam_minlen"] == "2" ++ ++ # check that in low level the variable is correctly placed there in S2 ++ s2_low = [c for c in low_controls if c.id == "S2"] ++ assert len(s2_low) == 1 ++ assert s2_low[0].variables["var_some_variable"] == "1" ++ assert s2_low[0].variables["var_password_pam_minlen"] == "1" ++ ++ ++ + + def test_controls_load_product(): + ssg_root = \ + +From 369de6b8374084d9d607979b712285912dbb65aa Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Mon, 16 Aug 2021 10:39:22 +0200 +Subject: [PATCH 12/12] Style improvements + +- Renamed get_level_with_ancestors to get_level_with_ancestors_sequence, + and made it return a list - a dictionary result is quite confusing. +- Removed some optimization in the variable deletion loops. +- Extracted functionality to a _get_control_without_variables static + method. 
+- Defined variable removal steps using set operations. +--- + ssg/controls.py | 54 +++++++++++++++++++++++++------------------------ + 1 file changed, 28 insertions(+), 26 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 8b69676313c..ca3187d5b16 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -152,17 +152,17 @@ def get_level(self, level_id): + ) + raise ValueError(msg) + +- def get_level_with_ancestors(self, level_id): ++ def get_level_with_ancestors_sequence(self, level_id): + # use OrderedDict for Python2 compatibility instead of ordered set + levels = collections.OrderedDict() + level = self.get_level(level_id) + levels[level] = "" + if level.inherits_from: + for lv in level.inherits_from: +- eligible_levels = [l for l in self.get_level_with_ancestors(lv).keys() if l not in levels.keys()] ++ eligible_levels = [l for l in self.get_level_with_ancestors_sequence(lv) if l not in levels.keys()] + for l in eligible_levels: + levels[l] = "" +- return levels ++ return list(levels.keys()) + + + class ControlsManager(): +@@ -200,35 +200,37 @@ def _get_policy(self, policy_id): + + def get_all_controls_of_level(self, policy_id, level_id): + policy = self._get_policy(policy_id) +- levels = policy.get_level_with_ancestors(level_id) ++ levels = policy.get_level_with_ancestors_sequence(level_id) + all_policy_controls = self.get_all_controls(policy_id) + eligible_controls = [] +- defined_variables = [] ++ already_defined_variables = set() + # we will go level by level, from top to bottom + # this is done to enable overriding of variables by higher levels +- for lv in levels.keys(): +- for c in all_policy_controls: +- if lv.id in c.levels: +- # if the control has a variable, check if it is not already defined +- variables = list(c.variables.keys()) +- if len(variables) == 0: +- eligible_controls.append(c) +- continue +- variables_to_remove = [] # contains list of variables which are already defined and should be removed from the control +- for var 
in variables: +- if var in defined_variables: +- variables_to_remove.append(var) +- else: +- defined_variables.append(var) +- if len(variables_to_remove) == 0: +- eligible_controls.append(c) +- else: +- new_c = copy.deepcopy(c) +- for var in variables_to_remove: +- del new_c.variables[var] +- eligible_controls.append(new_c) ++ for lv in levels: ++ for control in all_policy_controls: ++ if lv.id not in control.levels: ++ continue ++ ++ variables = set(control.variables.keys()) ++ ++ variables_to_remove = variables.intersection(already_defined_variables) ++ already_defined_variables.update(variables) ++ ++ new_c = self._get_control_without_variables(variables_to_remove, control) ++ eligible_controls.append(new_c) ++ + return eligible_controls + ++ @staticmethod ++ def _get_control_without_variables(variables_to_remove, control): ++ if not variables_to_remove: ++ return control ++ ++ new_c = copy.deepcopy(control) ++ for var in variables_to_remove: ++ del new_c.variables[var] ++ return new_c ++ + def get_all_controls(self, policy_id): + policy = self._get_policy(policy_id) + return policy.controls_by_id.values() diff --git a/SOURCES/scap-security-guide-0.1.58-fix_missing_srgs-PR_7362.patch b/SOURCES/scap-security-guide-0.1.58-fix_missing_srgs-PR_7362.patch new file mode 100644 index 0000000..8482645 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-fix_missing_srgs-PR_7362.patch 
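Review bot: `get_level_with_ancestors_sequence` in ssg/controls.py recurses on every entry of `level.inherits_from` with no guard against a level that (directly or through another level) inherits from itself, so a cycle in a levels file now ends the build with a RecursionError instead of a readable error; a path-scoped guard, passed down the recursion as a tuple so diamond inheritance is still accepted, turns that into a `ValueError` naming the offending level. It would also help to state in a docstring that the returned list puts the requested level first and then ancestors in `inherits_from` order, because `get_all_controls_of_level` relies on exactly that order to decide which definition of a variable wins. Within a single level the winner among two controls defining the same variable is whichever `get_all_controls` yields first; if `controls_by_id` is a plain dict on the Python 2 this commit explicitly supports, that order is not deterministic — worth confirming or documenting.

```python
    def get_level_with_ancestors_sequence(self, level_id, _path=()):
        """Return the level and all its ancestors as a list, requested level first.

        The order is the requested level, then each entry of its
        inherits_from (depth first) in declaration order; the first level in
        this list that defines a variable wins in get_all_controls_of_level.
        Raises ValueError if inherits_from contains a cycle.
        """
        if level_id in _path:
            msg = "Level '%s' inherits from itself via %s" % (
                level_id, " -> ".join(_path + (level_id,)))
            raise ValueError(msg)
        path = _path + (level_id,)
        # use OrderedDict for Python2 compatibility instead of ordered set
        levels = collections.OrderedDict()
        level = self.get_level(level_id)
        levels[level] = ""
        if level.inherits_from:
            for lv in level.inherits_from:
                for ancestor in self.get_level_with_ancestors_sequence(lv, path):
                    if ancestor not in levels:
                        levels[ancestor] = ""
        return list(levels.keys())
```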
@@ -0,0 +1,43 @@ +From 90cbb9fc2662cd2b7652d1f012ece74e8cf41c5d Mon Sep 17 00:00:00 2001 +From: Milan Lysonek +Date: Mon, 9 Aug 2021 15:22:59 +0200 +Subject: [PATCH 1/2] Add SRG for sssd_enable_certmap + +--- + linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml b/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml +index 0614a2f4a0..67c02f4fb7 100644 +--- a/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml ++++ b/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml +@@ -28,6 +28,7 @@ identifiers: + references: + disa: CCI-000187 + nist: IA-5 (2) (c) ++ srg: SRG-OS-000068-GPOS-00036 + stigid@rhel8: RHEL-08-020090 + + warnings: + +From b15299568849111d142c27f99dff7052afd96c07 Mon Sep 17 00:00:00 2001 +From: Milan Lysonek +Date: Mon, 9 Aug 2021 15:23:16 +0200 +Subject: [PATCH 2/2] Add SRG for accounts_password_pam_dictcheck + +--- + .../accounts_password_pam_dictcheck/rule.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml +index 2990150c0a..5956718a70 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml +@@ -27,6 +27,7 @@ identifiers: + references: + disa: CCI-000366 + nist: IA-5(c),IA-5(1)(a),CM-6(a),IA-5(4) ++ srg: SRG-OS-000480-GPOS-00225 + stigid@rhel8: RHEL-08-020300 + + ocil_clause: 'dictcheck is not found or not equal to the required value' 
diff --git a/SOURCES/scap-security-guide-0.1.58-fix_rhel7_doc_link-PR_7443.patch b/SOURCES/scap-security-guide-0.1.58-fix_rhel7_doc_link-PR_7443.patch new file mode 100644 index 0000000..6fe76c2 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-fix_rhel7_doc_link-PR_7443.patch @@ -0,0 +1,22 @@ +From 3866ba4f0ce678b68de0ff5f1dc7edbea6a904bb Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 23 Aug 2021 12:10:01 +0200 +Subject: [PATCH] Fix RHEL7 documentation link. + +--- + .../screen_locking/smart_card_login/smartcard_auth/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml +index 62a343cf39..8153b31177 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml +@@ -8,7 +8,7 @@ description: |- + To enable smart card authentication, consult the documentation at: +
    + {{% if product == "rhel7" %}} +-
  • {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/smartcards.html#authconfig-smartcards") }}}
  • ++
  • {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/smartcards#authconfig-smartcards") }}}
  • + {{% elif product == "ol7" %}} +
  • {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/userauth/ol7-auth.html#ol7-s4-auth") }}}
  • + {{% endif %}} diff --git a/SOURCES/scap-security-guide-0.1.58-fix_rhel7_links-PR_7409.patch b/SOURCES/scap-security-guide-0.1.58-fix_rhel7_links-PR_7409.patch new file mode 100644 index 0000000..7734df6 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-fix_rhel7_links-PR_7409.patch 
@@ -0,0 +1,160 @@
+From ac416fb6b73135b6fdeae850740ca4e10ad9fa1e Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Wed, 18 Aug 2021 15:16:59 +0200
+Subject: [PATCH] Fix RHEL7 documentation links.
+
+---
+ linux_os/guide/services/ldap/openldap_client/group.yml | 2 +-
+ linux_os/guide/services/ldap/openldap_server/group.yml | 2 +-
+ .../ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml | 2 +-
+ .../ntp/chronyd_or_ntpd_specify_remote_server/rule.yml | 2 +-
+ linux_os/guide/services/ntp/group.yml | 2 +-
+ .../services/ntp/service_chronyd_or_ntpd_enabled/rule.yml | 2 +-
+ linux_os/guide/services/sssd/group.yml | 2 +-
+ .../screen_locking/smart_card_login/smartcard_auth/rule.yml | 4 +---
+ linux_os/guide/system/auditing/group.yml | 2 +-
+ .../software/disk_partitioning/encrypt_partitions/rule.yml | 2 +-
+ .../guide/system/software/gnome/gnome_login_screen/group.yml | 2 +-
+ 11 files changed, 11 insertions(+), 13 deletions(-)
+
+diff --git a/linux_os/guide/services/ldap/openldap_client/group.yml b/linux_os/guide/services/ldap/openldap_client/group.yml
+index bf17a053cd5..a64f105395f 100644
+--- a/linux_os/guide/services/ldap/openldap_client/group.yml
++++ b/linux_os/guide/services/ldap/openldap_client/group.yml
+@@ -13,7 +13,7 @@ description: |-
+ files, which is useful when trying to use SSL cleanly across several protocols.
+ Installation and configuration of OpenLDAP on {{{ full_name }}} is available at
+ {{% if product == "rhel7" %}}
+- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/openldap.html") }}}.
++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/openldap") }}}.
+ {{% elif product == "ol7" %}}
+ {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/userauth/ol7-auth.html#ol7-s9-auth") }}}.
+ {{% endif %}} +diff --git a/linux_os/guide/services/ldap/openldap_server/group.yml b/linux_os/guide/services/ldap/openldap_server/group.yml +index c180820e9fc..d571867a7f8 100644 +--- a/linux_os/guide/services/ldap/openldap_server/group.yml ++++ b/linux_os/guide/services/ldap/openldap_server/group.yml +@@ -7,5 +7,5 @@ description: |- + for an OpenLDAP server. + {{% if product == "rhel7" %}} + Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 7 is available at: +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/openldap.html") }}}. ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/openldap") }}}. + {{% endif %}} +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml +index 8f939356ab1..7dc188589ee 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml +@@ -14,7 +14,7 @@ description: |- + {{% elif product == "ol8" %}} + {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}} + {{% else %}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}} ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}} + {{% endif %}} + for more detailed comparison of the features of both of the choices, and for + further guidance how to choose between the two NTP daemons. 
+diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml +index 503aecc0de2..27df8595efa 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml +@@ -14,7 +14,7 @@ description: |- + {{% elif product == "ol8" %}} + {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}} + {{% else %}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}} ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}} + {{% endif %}} + for more detailed comparison of the features of both of the choices, and for + further guidance how to choose between the two NTP daemons. 
+diff --git a/linux_os/guide/services/ntp/group.yml b/linux_os/guide/services/ntp/group.yml +index 181b10dfd65..b944ee03116 100644 +--- a/linux_os/guide/services/ntp/group.yml ++++ b/linux_os/guide/services/ntp/group.yml +@@ -54,7 +54,7 @@ description: |- + {{% elif product == "ol8" %}} + {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}} + {{% elif product == "rhel7" %}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}} ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}} + {{% elif "ubuntu" in product %}} + {{{ weblink(link="https://help.ubuntu.com/lts/serverguide/NTP.html") }}} + {{% elif "debian" in product %}} +diff --git a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml +index 065cf301b95..00739816f5e 100644 +--- a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml ++++ b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml +@@ -17,7 +17,7 @@ description: |- + {{% elif product == "ol8" %}} + {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}} + {{% else %}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}} ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}} + {{% endif %}} + for guidance which NTP daemon to choose depending on the environment used. 
+ +diff --git a/linux_os/guide/services/sssd/group.yml b/linux_os/guide/services/sssd/group.yml +index 5b0caf7d64b..3f4eced7ca7 100644 +--- a/linux_os/guide/services/sssd/group.yml ++++ b/linux_os/guide/services/sssd/group.yml +@@ -11,7 +11,7 @@ description: |- +

    + For more information, see + {{%- if product == "rhel7" -%}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/SSSD.html") }}} ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/sssd") }}} + {{%- elif product == "rhel8" -%}} + {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-an-ipa-client-basic-scenario_installing-identity-management#sssd-deployment-operations_install-client-basic") }}} + {{%- elif product == "ol7" -%}} +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml +index fc7f149bf40..62a343cf396 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml +@@ -8,9 +8,7 @@ description: |- + To enable smart card authentication, consult the documentation at: +
      + {{% if product == "rhel7" %}} +-
    • {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards") }}}
    • +- {{% elif product == "rhel8" %}} +-
    • {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards") }}}
    • ++
    • {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/smartcards.html#authconfig-smartcards") }}}
    • + {{% elif product == "ol7" %}} +
    • {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/userauth/ol7-auth.html#ol7-s4-auth") }}}
    • + {{% endif %}} +diff --git a/linux_os/guide/system/auditing/group.yml b/linux_os/guide/system/auditing/group.yml +index 82f87e81c47..5fce88db032 100644 +--- a/linux_os/guide/system/auditing/group.yml ++++ b/linux_os/guide/system/auditing/group.yml +@@ -38,7 +38,7 @@ description: |- + Examining some example audit records demonstrates how the Linux audit system + satisfies common requirements. + The following example from Fedora Documentation available at +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages") }}} ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages") }}} + shows the substantial amount of information captured in a + two typical "raw" audit messages, followed by a breakdown of the most important + fields. In this example the message is SELinux-related and reports an AVC +diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +index add0a41fa94..cd07fb4c0ca 100644 +--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +@@ -38,7 +38,7 @@ description: |- + {{% elif product in ["sle12", "sle15"] %}} + {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}} + {{% elif product == "rhel7" %}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}. 
++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-encryption") }}}. + {{% else %}} + {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening") }}}. + {{% endif %}} +diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml +index 8e8b32f1d79..299b96c0592 100644 +--- a/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml ++++ b/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml +@@ -14,5 +14,5 @@ description: |- + the man page dconf(1). + {{% else %}} + For more information about enforcing preferences in the GNOME3 environment using the DConf +- configuration system, see {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/index.html") }}}/> and the man page dconf(1). ++ configuration system, see {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide") }}}/> and the man page dconf(1). + {{% endif %}} diff --git a/SOURCES/scap-security-guide-0.1.58-fix_stig_overlay_python2-PR_7317.patch b/SOURCES/scap-security-guide-0.1.58-fix_stig_overlay_python2-PR_7317.patch new file mode 100644 index 0000000..9624ae7 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-fix_stig_overlay_python2-PR_7317.patch 
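Review bot: In the smartcard_auth rule.yml hunk (`@@ -8,9 +8,7 @@`), deleting the `{{% elif product == "rhel8" %}}` branch together with its link leaves no branch for rhel8, so that product's rendered description ends at "consult the documentation at:" with nothing after it, unless rhel8 is handled somewhere outside the hunk. The old rhel8 branch pointed at the RHEL7 guide, which was wrong, but dropping it silently trades one defect for another; either add a rhel8 entry with the matching RHEL 8 document (`{{% elif product == "rhel8" %}}` followed by its own `weblink` line) or provide an `{{% else %}}` fallback. The same hunk also keeps `smartcards.html#authconfig-smartcards` while every other rewritten URL in this patch drops the `.html` suffix, so the rhel7 link is inconsistent with the rest of the change. Separately, the gnome_login_screen group.yml hunk carries a stray `/>` after the `weblink` macro on both the old and the new line (`}}}/> and the man page dconf(1)`), which renders literally; worth removing while the line is being rewritten.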
@@ -0,0 +1,27 @@
+From a032960b4fb8e50386fa02739b6b107b233b64ca Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Mon, 2 Aug 2021 18:39:58 +0200
+Subject: [PATCH] Fix a python2 issue with STIG overlay generation.
+
+---
+ utils/create-stig-overlay.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/utils/create-stig-overlay.py b/utils/create-stig-overlay.py
+index 02deb0b5b2..5d4bb835ca 100755
+--- a/utils/create-stig-overlay.py
++++ b/utils/create-stig-overlay.py
+@@ -107,7 +107,12 @@ def new_stig_overlay(xccdftree, ssgtree, outfile, quiet):
+ lines = new_stig_overlay.findall("overlay")
+ new_stig_overlay[:] = sorted(lines, key=getkey)
+
+- dom = xml.dom.minidom.parseString(ET.tostring(new_stig_overlay, encoding="UTF-8", xml_declaration=True))
++ try:
++ et_str = ET.tostring(new_stig_overlay, encoding="UTF-8", xml_declaration=True)
++ except TypeError:
++ et_str = ET.tostring(new_stig_overlay, encoding="UTF-8")
++
++ dom = xml.dom.minidom.parseString(et_str)
+ pretty_xml_as_string = dom.toprettyxml(indent=' ', encoding="UTF-8")
+
+ overlay_directory = os.path.dirname(outfile)
diff --git a/SOURCES/scap-security-guide-0.1.58-group_audit_syscalls-PR_7329.patch b/SOURCES/scap-security-guide-0.1.58-group_audit_syscalls-PR_7329.patch
new file mode 100644
index 0000000..1c358ee
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-group_audit_syscalls-PR_7329.patch
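Review bot: The new `except TypeError:` around `ET.tostring(..., xml_declaration=True)` is broad: it treats any TypeError raised while serializing the tree as "this interpreter lacks the keyword" and re-runs the whole serialization, so a genuine serialization error is reported from the fallback line instead, with no hint of why the first attempt was abandoned. The intent deserves a comment on the `try:` line, e.g. `# ElementTree.tostring() accepts xml_declaration only on newer Pythons (3.8+, I believe); older interpreters raise TypeError for the unknown keyword`, since the commit subject names Python 2 but the fallback also triggers on older Python 3 releases. If explicit detection is preferred over exception-driven probing, a `sys.version_info` check would make the condition visible, assuming `sys` is already imported by the script (not visible in the hunk). The enclosing function `new_stig_overlay` starts outside the hunk.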
@@ -0,0 +1,4263 @@
+From 54a0e7e0c0d00eacf21f68492517db8968d4e0b2 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 4 Aug 2021 15:01:45 +0200
+Subject: [PATCH 01/31] Change fix_audit_syscall_rule to group syscalls
+
+The function actually separated the syscalls into individual lines.
+* Improve and extend rule skeleton matching with more explicit rule
+ options for action, arch, auid and other filters.
+* Make explicit the syscalls that can be grouped through the
+ 'syscall_groupings' parameter.
+* Make they key to use more explicit, instead of implicit through
+ 'group'.
+---
+ .../fix_audit_syscall_rule.sh | 218 ++++++++----------
+ .../bash.template | 26 ++-
+ .../audit_rules_dac_modification/template.py | 4 +
+ .../bash.template | 13 +-
+ .../template.py | 14 ++
+ .../audit_rules_path_syscall/bash.template | 13 +-
+ .../audit_rules_path_syscall/template.py | 4 +
+ .../bash.template | 17 +-
+ .../template.py | 4 +
+ .../bash.template | 25 +-
+ .../template.py | 14 ++
+ 11 files changed, 195 insertions(+), 157 deletions(-)
+ create mode 100644 shared/templates/audit_rules_file_deletion_events/template.py
+ create mode 100644 shared/templates/audit_rules_unsuccessful_file_modification/template.py
+
+diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+index 4e16af2fb71..6bf5ac15436 100644
+--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
++++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+@@ -10,40 +10,48 @@
+ #
+ # for further details.
+ # +-# Expects five arguments (each of them is required) in the form of: ++# Expects seven arguments (each of them is required) in the form of: + # * audit tool tool used to load audit rules, + # either 'auditctl', or 'augenrules +-# * audit rules' pattern audit rule skeleton for same syscall +-# * syscall group greatest common string this rule shares +-# with other rules from the same group +-# * architecture architecture this rule is intended for +-# * full form of new rule to add expected full form of audit rule as to be +-# added into audit.rules file ++# * action_arch_filters The action and arch filters of the rule ++# For example, "-a always,exit -F arch=b64" ++# * other_filters Other filters that may characterize the rule: ++# For example, "-F a2&03 -F path=/etc/passwd" ++# * auid_filters The auid filters of the rule ++# For example, "-F auid>=1000 -F auid!=unset" ++# * syscall The syscall to ensure presense among audit rules ++# For example, "chown" ++# * syscall_groupings Other syscalls that can be grouped with 'syscall' ++# as a space separated list. ++# For example, "fchown lchown fchownat" ++# * key The key to use when appending a new rule + # +-# Note: The 2-th up to 4-th arguments are used to determine how many existing ++# Notes: ++# - The 2-nd up to 4-th arguments are used to determine how many existing + # audit rules will be inspected for resemblance with the new audit rule +-# (5-th argument) the function is going to add. The rule's similarity check +-# is performed to optimize audit.rules definition (merge syscalls of the same +-# group into one rule) to avoid the "single-syscall-per-audit-rule" performance +-# penalty. +-# +-# Example call: +-# +-# See e.g. 'audit_rules_file_deletion_events.sh' remediation script +-# ++# the function is going to add. 
++# - The function's similarity check uses the 5-th argument to optimize audit ++# rules definitions (merge syscalls of the same group into one rule) to avoid ++# the "single-syscall-per-audit-rule" performance penalty. ++# - The key argument (7-th argument) is not used when the syscall is grouped to an ++# existing audit rule. The audit rule will retain the key it already had. ++ + function fix_audit_syscall_rule { + + # Load function arguments into local variables + local tool="$1" +-local pattern="$2" +-local group="$3" +-local arch="$4" +-local full_rule="$5" ++local action_arch_filters="$2" ++local other_filters="$3" ++local auid_filters="$4" ++local syscall="$5" ++local syscall_grouping ++read -a syscall_grouping <<< "$6" ++local key="$7" + + # Check sanity of the input +-if [ $# -ne "5" ] ++if [ $# -ne "7" ] + then +- echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'" ++ echo "Usage: fix_audit_syscall_rule 'tool' 'action_arch_filters' 'other_filters' 'auid_filters' 'syscall' 'syscall_grouping' 'key'" + echo "Aborting." 
+ exit 1 + fi +@@ -74,16 +82,17 @@ then + # file to the list of files to be inspected + elif [ "$tool" == 'auditctl' ] + then ++ default_file="/etc/audit/audit.rules" + files_to_inspect+=('/etc/audit/audit.rules' ) + # If audit tool is 'augenrules', then check if the audit rule is defined + # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection + # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection + elif [ "$tool" == 'augenrules' ] + then +- # Extract audit $key from audit rule so we can use it later + matches=() +- key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)') +- readarray -t matches < <(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules) ++ default_file="/etc/audit/rules.d/${key}.rules" ++ # As other_filters may include paths, lets use a different delimiter for it ++ readarray -t matches < <(sed -s -n -e "/${action_arch_filters}/!d" -e "\#${other_filters}#!d" -e "/${auid_filters}/!d" /etc/audit/rules.d/*.rules) + if [ $? 
-ne 0 ] + then + retval=1 +@@ -106,115 +115,88 @@ then + fi + + # +-# Indicator that we want to append $full_rule into $audit_file by default ++# Indicator that we want to append $full_rule into $audit_file or edit a rule in it + local append_expected_rule=0 + + for audit_file in "${files_to_inspect[@]}" + do +- # Filter existing $audit_file rules' definitions to select those that: +- # * follow the rule pattern, and +- # * meet the hardware architecture requirement, and +- # * are current syscall group specific +- readarray -t existing_rules < <(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file") ++ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, ++ # i.e, collect rules that match: ++ # * the action, list and arch, (2-nd argument) ++ # * the other filters, (3-rd argument) ++ # * the auid filters, (4-rd argument) ++ readarray -t similar_rules < <(sed -e "/${action_arch_filters}/!d" -e "\#${other_filters}#!d" -e "/${auid_filters}/!d" "$audit_file") + if [ $? -ne 0 ] + then + retval=1 + fi + +- # Process rules found case-by-case +- for rule in "${existing_rules[@]}" ++ local candidate_rules=() ++ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope ++ for s_rule in "${similar_rules[@]}" ++ do ++ # Strip all the options and fields we know of, ++ # than check if there was any field left over ++ extra_fields=$(sed -E -e "s/${action_arch_filters}//" -e "s#${other_filters}##" -e "s/${auid_filters}//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") ++ grep -q -- "-F" <<< "$extra_fields" ++ if [ $? -ne 0 ] ++ then ++ candidate_rules+=("$s_rule") ++ fi ++ done ++ ++ # Check if the syscall we want is present in any of the similar existing rules ++ for rule in "${candidate_rules[@]}" + do +- # Found rule is for same arch & key, but differs (e.g. 
in count of -S arguments) +- if [ "${rule}" != "${full_rule}" ] ++ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) ++ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" ++ if [ $? -eq 0 ] + then +- # If so, isolate just '(-S \w)+' substring of that rule +- rule_syscalls=$(echo "$rule" | grep -o -P '(-S \w+ )+') +- # Check if list of '-S syscall' arguments of that rule is subset +- # of '-S syscall' list of expected $full_rule +- if grep -q -- "$rule_syscalls" <<< "$full_rule" ++ # We found a rule with the syscall we want ++ return $retval ++ fi ++ ++ # Check if this rule can be grouped with our target syscall and keep track of it ++ for syscall_g in "${syscall_grouping[@]}" ++ do ++ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" + then +- # Rule is covered (i.e. the list of -S syscalls for this rule is +- # subset of -S syscalls of $full_rule => existing rule can be deleted +- # Thus delete the rule from audit.rules & our array +- sed -i -e "\;${rule};d" "$audit_file" +- if [ $? -ne 0 ] +- then +- retval=1 +- fi +- existing_rules=("${existing_rules[@]//$rule/}") +- else +- # Rule isn't covered by $full_rule - it besides -S syscall arguments +- # for this group contains also -S syscall arguments for other syscall +- # group. Example: '-S lchown -S fchmod -S fchownat' => group='chown' +- # since 'lchown' & 'fchownat' share 'chown' substring +- # Therefore: +- # * 1) delete the original rule from audit.rules +- # (original '-S lchown -S fchmod -S fchownat' rule would be deleted) +- # * 2) delete the -S syscall arguments for this syscall group, but +- # keep those not belonging to this syscall group +- # (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod' +- # * 3) append the modified (filtered) rule again into audit.rules +- # if the same rule not already present +- # +- # 1) Delete the original rule +- sed -i -e "\;${rule};d" "$audit_file" +- if [ $? 
-ne 0 ] +- then +- retval=1 +- fi +- +- # 2) Delete syscalls for this group, but keep those from other groups +- # Convert current rule syscall's string into array splitting by '-S' delimiter +- IFS_BKP="$IFS" +- IFS=$'-S' +- read -a rule_syscalls_as_array <<< "$rule_syscalls" +- # Reset IFS back to default +- IFS="$IFS_BKP" +- # Splitting by "-S" can't be replaced by the readarray functionality easily +- +- # Declare new empty string to hold '-S syscall' arguments from other groups +- new_syscalls_for_rule='' +- # Walk through existing '-S syscall' arguments +- for syscall_arg in "${rule_syscalls_as_array[@]}" +- do +- # Skip empty $syscall_arg values +- if [ "$syscall_arg" == '' ] +- then +- continue +- fi +- # If the '-S syscall' doesn't belong to current group add it to the new list +- # (together with adding '-S' delimiter back for each of such item found) +- if grep -q -v -- "$group" <<< "$syscall_arg" +- then +- new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg" +- fi +- done +- # Replace original '-S syscall' list with the new one for this rule +- updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule} +- # Squeeze repeated whitespace characters in rule definition (if any) into one +- updated_rule=$(echo "$updated_rule" | tr -s '[:space:]') +- # 3) Append the modified / filtered rule again into audit.rules +- # (but only in case it's not present yet to prevent duplicate definitions) +- if ! 
grep -q -- "$updated_rule" "$audit_file" +- then +- echo "$updated_rule" >> "$audit_file" +- fi ++ local file_to_edit=${audit_file} ++ local rule_to_edit=${rule} ++ local rule_syscalls_to_edit=${rule_syscalls} + fi +- else +- # $audit_file already contains the expected rule form for this +- # architecture & key => don't insert it second time +- append_expected_rule=1 +- fi ++ done + done ++done ++ ++ ++# We checked all rules that matched the expected resemblance patter (action, arch & auid) ++# At this point we know if we need to either append the $full_rule or group ++# the syscall together with an exsiting rule + +- # We deleted all rules that were subset of the expected one for this arch & key. +- # Also isolated rules containing system calls not from this system calls group. +- # Now append the expected rule if it's not present in $audit_file yet +- if [[ ${append_expected_rule} -eq "0" ]] ++# Append the full_rule if it cannot be grouped to any other rule ++if [ -z ${rule_to_edit+x} ] ++then ++ # Build full_rule while avoid adding double spaces when other_filters is empty ++ local full_rule="$action_arch_filters -S $syscall $([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key" ++ echo "$full_rule" >> "$default_file" ++else ++ # Check if the syscalls are declared as a comma separated list or ++ # as multiple -S parameters ++ if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then +- echo "$full_rule" >> "$audit_file" ++ new_grouped_syscalls="${rule_syscalls_to_edit},${syscall}" ++ else ++ new_grouped_syscalls="${rule_syscalls_to_edit} -S ${syscall}" + fi +-done ++ ++ # Group the syscall in the rule ++ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" ++ if [ $? 
-ne 0 ] ++ then ++ retval=1 ++ fi ++fi + + return $retval + +diff --git a/shared/templates/audit_rules_dac_modification/bash.template b/shared/templates/audit_rules_dac_modification/bash.template +index d64d264635c..b2de8d355e1 100644 +--- a/shared/templates/audit_rules_dac_modification/bash.template ++++ b/shared/templates/audit_rules_dac_modification/bash.template +@@ -9,25 +9,31 @@ + + for ARCH in "${RULE_ARCHS[@]}" + do +- PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>=.*" +- GROUP="perm_mod" +- FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod" ++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" ++ OTHER_FILTERS="" ++ AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" ++ SYSCALL="{{{ ATTR }}}" ++ KEY="perm_mod" ++ SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" ++ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + done + + + {{% if CHECK_ROOT_USER %}} + for ARCH in "${RULE_ARCHS[@]}" + do +- PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0.*" +- GROUP="perm_mod" +- FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid=0 -F key=perm_mod" ++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" ++ OTHER_FILTERS="" ++ AUID_FILTERS="-F auid=0" ++ SYSCALL="{{{ ATTR }}}" ++ KEY="perm_mod" ++ SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +- fix_audit_syscall_rule 
"auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" ++ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + done + {{% endif %}} +diff --git a/shared/templates/audit_rules_dac_modification/template.py b/shared/templates/audit_rules_dac_modification/template.py +index e12e9c27e56..7dc53e81f7d 100644 +--- a/shared/templates/audit_rules_dac_modification/template.py ++++ b/shared/templates/audit_rules_dac_modification/template.py +@@ -3,5 +3,9 @@ + + def preprocess(data, lang): + data["check_root_user"] = parse_template_boolean_value(data, parameter="check_root_user", default_value=False) ++ if lang == "bash": ++ if "syscall_grouping" in data: ++ # Make it easier to tranform the syscall_grouping into a Bash array ++ data["syscall_grouping"] = " ".join(data["syscall_grouping"]) + + return data +diff --git a/shared/templates/audit_rules_file_deletion_events/bash.template b/shared/templates/audit_rules_file_deletion_events/bash.template +index 851b0fd43e3..b5b4c46a7cd 100644 +--- a/shared/templates/audit_rules_file_deletion_events/bash.template ++++ b/shared/templates/audit_rules_file_deletion_events/bash.template +@@ -9,10 +9,13 @@ + + for ARCH in "${RULE_ARCHS[@]}" + do +- PATTERN="-a always,exit -F arch=$ARCH -S {{{ NAME }}}.*" +- GROUP="delete" +- FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F auid>={{{ auid }}} -F auid!=unset -F key=delete" ++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" ++ OTHER_FILTERS="" ++ AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" ++ SYSCALL="{{{ NAME }}}" ++ KEY="delete" ++ SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +- fix_audit_syscall_rule "augenrules" 
"$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" ++ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + done +diff --git a/shared/templates/audit_rules_file_deletion_events/template.py b/shared/templates/audit_rules_file_deletion_events/template.py +new file mode 100644 +index 00000000000..7be137c1eb9 +--- /dev/null ++++ b/shared/templates/audit_rules_file_deletion_events/template.py +@@ -0,0 +1,14 @@ ++import ssg.utils ++ ++ ++def _audit_rules_file_deletion_events(data, lang): ++ if lang == "bash": ++ if "syscall_grouping" in data: ++ # Make it easier to tranform the syscall_grouping into a Bash array ++ data["syscall_grouping"] = " ".join(data["syscall_grouping"]) ++ return data ++ ++ ++def preprocess(data, lang): ++ return _audit_rules_file_deletion_events(data, lang) ++ +diff --git a/shared/templates/audit_rules_path_syscall/bash.template b/shared/templates/audit_rules_path_syscall/bash.template +index 656d168ddd2..676f6c37deb 100644 +--- a/shared/templates/audit_rules_path_syscall/bash.template ++++ b/shared/templates/audit_rules_path_syscall/bash.template +@@ -9,10 +9,13 @@ + + for ARCH in "${RULE_ARCHS[@]}" + do +- PATTERN="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}}.*" +- GROUP="modify" +- FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify" ++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" ++ OTHER_FILTERS="-F {{{ POS }}}&03 -F path={{{ PATH }}}" ++ AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" ++ SYSCALL="{{{ SYSCALL }}}" ++ KEY="user-modify" ++ SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +- fix_audit_syscall_rule "auditctl" 
"$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
++ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
++ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ done
+diff --git a/shared/templates/audit_rules_path_syscall/template.py b/shared/templates/audit_rules_path_syscall/template.py
+index beb25a6e69d..7e0877a02b9 100644
+--- a/shared/templates/audit_rules_path_syscall/template.py
++++ b/shared/templates/audit_rules_path_syscall/template.py
+@@ -7,4 +7,8 @@ def preprocess(data, lang):
+ # remove root slash made into '_'
+ pathid = pathid[1:]
+ data["pathid"] = pathid
++ elif lang == "bash":
++ if "syscall_grouping" in data:
++ # Make it easier to tranform the syscall_grouping into a Bash array
++ data["syscall_grouping"] = " ".join(data["syscall_grouping"])
+ return data
+diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
+index d03a92061cb..bd9d4d12484 100644
+--- a/shared/templates/audit_rules_privileged_commands/bash.template
++++ b/shared/templates/audit_rules_privileged_commands/bash.template
+@@ -1,16 +1,17 @@
+ {{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+- {{%- set perm_x="-F perm=x " %}}
++ {{%- set perm_x=" -F perm=x " %}}
+ {{%- endif %}}
+ # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+
+ # Include source function library.
+ .
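Review bot: `KEY="user-modify"` in the rewritten `audit_rules_path_syscall/bash.template` changes the audit key from the `modify` that the removed `FULL_RULE` wrote (`-F key=modify`), and nothing in the hunk says why. If the OVAL check for this template, or rules already present in `/etc/audit/rules.d/`, still carry `key=modify`, the new remediation will not recognise the existing rule and will add a second one under the new key; either keep `KEY="modify"` or record the reason for the rename in the commit message and make sure the check side changed with it. The `for ARCH` loop body is entirely within the hunk.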
/usr/share/scap-security-guide/remediation_functions
+
+-PATTERN="-a always,exit -F path={{{ PATH }}}\\s\\+.*"
+-GROUP="privileged"
+-# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
+-ARCH=""
+-FULL_RULE="-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged"
++ACTION_ARCH_FILTERS="-a always,exit"
++OTHER_FILTERS="-F path={{{ PATH }}}{{{ perm_x }}}"
++AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
++SYSCALL="{{{ ATTR }}}"
++KEY="privileged"
++SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+-fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+-fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
++fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
++fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+diff --git a/shared/templates/audit_rules_privileged_commands/template.py b/shared/templates/audit_rules_privileged_commands/template.py
+index 444b2aab083..43302a6690a 100644
+--- a/shared/templates/audit_rules_privileged_commands/template.py
++++ b/shared/templates/audit_rules_privileged_commands/template.py
+@@ -15,4 +15,8 @@ def preprocess(data, lang):
+ if npath[0] == '_':
+ npath = npath[1:]
+ data["normalized_path"] = npath
++ elif lang == "bash":
++ if "syscall_grouping" in data:
++ # Make it easier to tranform the syscall_grouping into a Bash array
++ data["syscall_grouping"] = " ".join(data["syscall_grouping"])
+ return data
+diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
+index daf146f7eb5..4adaa86fd58 100644
+---
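Review bot: `perm_x` now carries both a leading and a trailing blank (`{{%- set perm_x=" -F perm=x " %}}`), so on the products where it is set `OTHER_FILTERS="-F path={{{ PATH }}}{{{ perm_x }}}"` ends with a space; `fix_audit_syscall_rule` later appends `"$other_filters "` when it builds `full_rule` (see the hunk of that function further down), which puts a double space into the rule it writes, and the sed pattern built from `${other_filters}` then has to find that trailing blank in existing rules as well. Dropping the trailing space, `{{%- set perm_x=" -F perm=x" %}}`, keeps the filter string trimmed on both paths. The hunk starts at line 1 of the template, so the whole file header is visible.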
a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
++++ b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
+@@ -7,22 +7,25 @@
+ # Retrieve hardware architecture of the underlying system
+ [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
++AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
++SYSCALL="{{{ NAME }}}"
++KEY="access"
++SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}"
++
+ for ARCH in "${RULE_ARCHS[@]}"
+ do
+- PATTERN="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F exit=-EACCES.*"
+- GROUP="access"
+- FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=access"
++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
++ OTHER_FILTERS="-F exit=-EACCES"
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
++ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
++ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ done
+
+ for ARCH in "${RULE_ARCHS[@]}"
+ do
+- PATTERN="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F exit=-EPERM.*"
+- GROUP="access"
+- FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ NAME }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=access"
+- # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
++ OTHER_FILTERS="-F exit=-EPERM"
++ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
++
fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
++ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+ done
+diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/template.py b/shared/templates/audit_rules_unsuccessful_file_modification/template.py
+new file mode 100644
+index 00000000000..a4e58609f66
+--- /dev/null
++++ b/shared/templates/audit_rules_unsuccessful_file_modification/template.py
+@@ -0,0 +1,14 @@
++import ssg.utils
++
++
++def _audit_rules_unsuccessful_file_modification(data, lang):
++ if lang == "bash":
++ if "syscall_grouping" in data:
++ # Make it easier to tranform the syscall_grouping into a Bash array
++ data["syscall_grouping"] = " ".join(data["syscall_grouping"])
++ return data
++
++
++def preprocess(data, lang):
++ return _audit_rules_unsuccessful_file_modification(data, lang)
++
+
+From 4c682eadba5ec03ed1204ba9d1b190634bd855d8 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 4 Aug 2021 15:32:18 +0200
+Subject: [PATCH 02/31] Set syscall grouping for chmod rules
+
+---
+ .../audit_rules_dac_modification_chmod/rule.yml | 4 ++++
+ .../audit_rules_dac_modification_fchmod/rule.yml | 4 ++++
+ .../audit_rules_dac_modification_fchmodat/rule.yml | 4 ++++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
+index bc3e47523f5..07d37b18aa3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
+@@ -76,3 +76,7 @@ template:
+ name:
audit_rules_dac_modification
+ vars:
+ attr: chmod
++ syscall_grouping:
++ - chmod
++ - fchmod
++ - fchmodat
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+index ed4d88cb0c6..6c3cc5592ac 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+@@ -74,3 +74,7 @@ template:
+ name: audit_rules_dac_modification
+ vars:
+ attr: fchmod
++ syscall_grouping:
++ - chmod
++ - fchmod
++ - fchmodat
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+index 2db3878939a..3e51d482a9c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+@@ -74,3 +74,7 @@ template:
+ name: audit_rules_dac_modification
+ vars:
+ attr: fchmodat
++ syscall_grouping:
++ - chmod
++ - fchmod
++ - fchmodat
+
+From eaaaa86b8a07082cdc92d967af09e0908ef22905 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 4 Aug 2021 15:32:52 +0200
+Subject: [PATCH 03/31] Set syscall grouping for chown rules
+
+---
+ .../audit_rules_dac_modification_chown/rule.yml | 5 +++++
+ .../audit_rules_dac_modification_fchown/rule.yml | 5 +++++
+ .../audit_rules_dac_modification_fchownat/rule.yml | 5 +++++
+ .../audit_rules_dac_modification_lchown/rule.yml | 5 +++++
+ 4 files changed, 20 insertions(+)
+
+diff --git
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
+index 6b3236cf953..e2d9944a3bb 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
+@@ -74,3 +74,8 @@ template:
+ name: audit_rules_dac_modification
+ vars:
+ attr: chown
++ syscall_grouping:
++ - chown
++ - fchown
++ - fchownat
++ - lchown
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+index 37dfb89ef29..d89875fcaab 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+@@ -77,3 +77,8 @@ template:
+ name: audit_rules_dac_modification
+ vars:
+ attr: fchown
++ syscall_grouping:
++ - chown
++ - fchown
++ - fchownat
++ - lchown
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+index f75ac769d8d..e6caaeb5c9f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+@@ -74,3 +74,8 @@ template:
+ name: audit_rules_dac_modification
+ vars:
+
attr: fchownat
++ syscall_grouping:
++ - chown
++ - fchown
++ - fchownat
++ - lchown
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+index edc053bfb30..190509c0c8d 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+@@ -74,3 +74,8 @@ template:
+ name: audit_rules_dac_modification
+ vars:
+ attr: lchown
++ syscall_grouping:
++ - chown
++ - fchown
++ - fchownat
++ - lchown
+
+From b1d747cb65e6e869be2b3c99d295cb6f75c98b61 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 4 Aug 2021 15:33:21 +0200
+Subject: [PATCH 04/31] Set syscall groupings for set/remove xattr rules
+
+---
+ .../audit_rules_dac_modification_fremovexattr/rule.yml | 7 +++++++
+ .../audit_rules_dac_modification_fsetxattr/rule.yml | 7 +++++++
+ .../audit_rules_dac_modification_lremovexattr/rule.yml | 7 +++++++
+ .../audit_rules_dac_modification_lsetxattr/rule.yml | 7 +++++++
+ .../audit_rules_dac_modification_removexattr/rule.yml | 7 +++++++
+ .../audit_rules_dac_modification_setxattr/rule.yml | 7 +++++++
+ 6 files changed, 42 insertions(+)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+index 5bd1b25eafb..b9ad3c7942e 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+@@
-93,3 +93,10 @@ template:
+ attr: fremovexattr
+ check_root_user@rhel8: "true"
+ check_root_user@rhel9: "true"
++ syscall_grouping:
++ - fremovexattr
++ - lremovexattr
++ - removexattr
++ - fsetxattr
++ - lsetxattr
++ - setxattr
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+index 410dd8a5efa..cedf05f9765 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+@@ -88,3 +88,10 @@ template:
+ attr: fsetxattr
+ check_root_user@rhel8: "true"
+ check_root_user@rhel9: "true"
++ syscall_grouping:
++ - fremovexattr
++ - lremovexattr
++ - removexattr
++ - fsetxattr
++ - lsetxattr
++ - setxattr
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+index 947c768efd8..ffdacdf09e7 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+@@ -93,3 +93,10 @@ template:
+ attr: lremovexattr
+ check_root_user@rhel8: "true"
+ check_root_user@rhel9: "true"
++ syscall_grouping:
++ - fremovexattr
++ - lremovexattr
++ - removexattr
++ - fsetxattr
++ - lsetxattr
++ - setxattr
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+index ed1fd3715d2..3662262f674 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+@@ -86,3 +86,10 @@ template:
+ attr: lsetxattr
+ check_root_user@rhel8: "true"
+ check_root_user@rhel9: "true"
++ syscall_grouping:
++ - fremovexattr
++ - lremovexattr
++ - removexattr
++ - fsetxattr
++ - lsetxattr
++ - setxattr
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+index 61e69432d1a..ac9d3492aad 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+@@ -92,3 +92,10 @@ template:
+ attr: removexattr
+ check_root_user@rhel8: "true"
+ check_root_user@rhel9: "true"
++ syscall_grouping:
++ - fremovexattr
++ - lremovexattr
++ - removexattr
++ - fsetxattr
++ - lsetxattr
++ - setxattr
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+index 12489a74a01..b661a1f99ae 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+@@ -88,3 +88,10 @@
template:
+ attr: setxattr
+ check_root_user@rhel8: "true"
+ check_root_user@rhel9: "true"
++ syscall_grouping:
++ - fremovexattr
++ - lremovexattr
++ - removexattr
++ - fsetxattr
++ - lsetxattr
++ - setxattr
+
+From 46a087995ffe3d49644d8e8adcbc9b1747947339 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 4 Aug 2021 15:34:08 +0200
+Subject: [PATCH 05/31] Set syscall groupings for remove and delete rules
+
+---
+ .../audit_rules_file_deletion_events_rename/rule.yml | 6 ++++++
+ .../audit_rules_file_deletion_events_renameat/rule.yml | 6 ++++++
+ .../audit_rules_file_deletion_events_rmdir/rule.yml | 6 ++++++
+ .../audit_rules_file_deletion_events_unlink/rule.yml | 6 ++++++
+ .../audit_rules_file_deletion_events_unlinkat/rule.yml | 6 ++++++
+ 5 files changed, 30 insertions(+)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
+index 9dd83f6dbae..d6dcb8694ad 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
+@@ -59,3 +59,9 @@ template:
+ name: audit_rules_file_deletion_events
+ vars:
+ name: rename
++ syscall_grouping:
++ - unlink
++ - unlinkat
++ - rename
++ - renameat
++ - rmdir
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+index cd9aa9f5e61..5f583992c48 100644
+---
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+@@ -59,3 +59,9 @@ template:
+ name: audit_rules_file_deletion_events
+ vars:
+ name: renameat
++ syscall_grouping:
++ - unlink
++ - unlinkat
++ - rename
++ - renameat
++ - rmdir
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+index 6e0bb755b0d..5368c9dad58 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+@@ -57,3 +57,9 @@ template:
+ name: audit_rules_file_deletion_events
+ vars:
+ name: rmdir
++ syscall_grouping:
++ - unlink
++ - unlinkat
++ - rename
++ - renameat
++ - rmdir
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+index be4e328b7c8..ecdca27b14d 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+@@ -59,3 +59,9 @@ template:
+ name: audit_rules_file_deletion_events
+ vars:
+ name: unlink
++ syscall_grouping:
++ - unlink
++ - unlinkat
++ - rename
++ - renameat
++ - rmdir
+diff --git
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+index eaf8f1e08bd..158d24dc708 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+@@ -59,3 +59,9 @@ template:
+ name: audit_rules_file_deletion_events
+ vars:
+ name: unlinkat
++ syscall_grouping:
++ - unlink
++ - unlinkat
++ - rename
++ - renameat
++ - rmdir
+
+From 121afe11a8c050b7c07c8a2595da898dc8f7a1b6 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 4 Aug 2021 15:34:44 +0200
+Subject: [PATCH 06/31] Set syscall grouping for create, open and truncate
+ rules
+
+---
+ .../rule.yml | 7 +++++++
+ .../rule.yml | 7 +++++++
+ .../rule.yml | 7 +++++++
+ .../rule.yml | 7 +++++++
+ .../rule.yml | 7 +++++++
+ .../rule.yml | 7 +++++++
+ 6 files changed, 42 insertions(+)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+index 08cc99133a4..5c751cb230e 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+@@ -79,3 +79,10 @@ template:
+ name: audit_rules_unsuccessful_file_modification
+ vars:
+ name: creat
++ syscall_grouping:
++ - creat
++ - ftruncate
++ - truncate
++ - open
++ - openat
++ -
open_by_handle_at
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+index e9b688b9b4e..76bcea154bf 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+@@ -82,3 +82,10 @@ template:
+ name: audit_rules_unsuccessful_file_modification
+ vars:
+ name: ftruncate
++ syscall_grouping:
++ - creat
++ - ftruncate
++ - truncate
++ - open
++ - openat
++ - open_by_handle_at
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+index 6e242270074..7c6764d2a01 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+@@ -82,3 +82,10 @@ template:
+ name: audit_rules_unsuccessful_file_modification
+ vars:
+ name: open
++ syscall_grouping:
++ - creat
++ - ftruncate
++ - truncate
++ - open
++ - openat
++ - open_by_handle_at
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+index
2b6008fce1f..9bb5ffe3fcb 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+@@ -78,3 +78,10 @@ template:
+ name: audit_rules_unsuccessful_file_modification
+ vars:
+ name: open_by_handle_at
++ syscall_grouping:
++ - creat
++ - ftruncate
++ - truncate
++ - open
++ - openat
++ - open_by_handle_at
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+index 308e3da789a..c99656cc744 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+@@ -82,3 +82,10 @@ template:
+ name: audit_rules_unsuccessful_file_modification
+ vars:
+ name: openat
++ syscall_grouping:
++ - creat
++ - ftruncate
++ - truncate
++ - open
++ - openat
++ - open_by_handle_at
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+index 6ab8d289176..12771beb7e0 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
++++
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+@@ -81,3 +81,10 @@ template:
+ name: audit_rules_unsuccessful_file_modification
+ vars:
+ name: truncate
++ syscall_grouping:
++ - creat
++ - ftruncate
++ - truncate
++ - open
++ - openat
++ - open_by_handle_at
+
+From 9dd2d39f3b5b6e0ac9f961718d8e3d7e1a02e101 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 4 Aug 2021 17:15:16 +0200
+Subject: [PATCH 07/31] Print filenames in sed command
+
+The ";F" was not a typo!
+Hopefully this makes it more explicit the function of '-e "F"'.
+---
+ .../bash_remediation_functions/fix_audit_syscall_rule.sh | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+index 6bf5ac15436..791e64d05c1 100644
+--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
++++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+@@ -1,4 +1,3 @@
+-# Function to fix syscall audit rule for given system call. It is
+ # based on example audit syscall rule definitions as outlined in
+ # /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit
+ # package.
It will combine multiple system calls belonging to the same
+@@ -89,18 +88,14 @@ then
+ # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+ elif [ "$tool" == 'augenrules' ]
+ then
+- matches=()
+ default_file="/etc/audit/rules.d/${key}.rules"
+ # As other_filters may include paths, lets use a different delimiter for it
+- readarray -t matches < <(sed -s -n -e "/${action_arch_filters}/!d" -e "\#${other_filters}#!d" -e "/${auid_filters}/!d" /etc/audit/rules.d/*.rules)
++ # The "F" script expression tells sed to print the filenames where the expressions matched
++ readarray -t files_to_inspect < <(sed -s -n -e "/${action_arch_filters}/!d" -e "\#${other_filters}#!d" -e "/${auid_filters}/!d" -e "F" /etc/audit/rules.d/*.rules)
+ if [ $? -ne 0 ]
+ then
+ retval=1
+ fi
+- for match in "${matches[@]}"
+- do
+- files_to_inspect+=("${match}")
+- done
+ # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+ if [ ${#files_to_inspect[@]} -eq "0" ]
+ then
+
+From 56194cadf92fdfa020f650bf0152cf65270e4631 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Thu, 5 Aug 2021 00:35:47 +0200
+Subject: [PATCH 08/31] Handle cases where the rule has no syscall
+
+When syscall is not set, just don't add the -S parameter.
+The audit privileged commands use the fix_audit_syscall_rule despite
+not adding a -S syscall.
+Same situation happens for directory_access_var_log_audit.
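Review bot: Removing `# Function to fix syscall audit rule for given system call. It is` leaves the header comment of `fix_audit_syscall_rule.sh` starting mid-sentence at `# based on example audit syscall rule definitions as outlined in`, and the commit message (printing filenames in sed) gives no reason for dropping it, so it looks accidental. Restore the line, or rewrite the opening so the comment reads as a whole sentence: `# Function to fix syscall audit rule for given system call. It is`.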
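Review bot: `if [ $? -ne 0 ]` after `readarray -t files_to_inspect < <(sed ... -e "F" ...)` tests readarray's exit status, not sed's, so a sed failure inside the process substitution never sets `retval=1`; the removed `matches` version had the same gap, but this rewrite is the place to close it, for example by running sed into a variable first (`if ! matched=$(sed -s -n ... -e "F" /etc/audit/rules.d/*.rules); then retval=1; fi`) and filling the array from `$matched` afterwards, taking care that an empty result yields an empty array rather than one empty element. The `F` command also prints the file name once per matching line, so a file holding several matching rules lands in `files_to_inspect` more than once and is inspected repeatedly; a `sort -u` before the array is filled, or a check when the array is consumed, avoids that. The enclosing function starts before the hunk.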
+---
+ .../bash/shared.sh | 13 +++--
+ .../fix_audit_syscall_rule.sh | 51 ++++++++++++-------
+ .../bash.template | 2 +-
+ 3 files changed, 41 insertions(+), 25 deletions(-)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
+index 53f2923d687..0c4e8ffdbd3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
+@@ -3,9 +3,12 @@
+ # Include source function library.
+ . /usr/share/scap-security-guide/remediation_functions
+
+-PATTERN="-a always,exit -F path=/var/log/audit/\\s\\+.*"
+-GROUP="access-audit-trail"
+-FULL_RULE="-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset -F key=access-audit-trail"
++ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
++OTHER_FILTERS="-F dir=/var/log/audit/ -F perm=r"
++AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
++SYSCALL=""
++KEY="access-audit-trail"
++SYSCALL_GROUPING=""
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+-fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+-fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
++fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
++fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+index 791e64d05c1..69430416da3 100644
+--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
++++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
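Review bot: `ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"` in `directory_access_var_log_audit/bash/shared.sh` references `ARCH`, which nothing in this hunk assigns; the removed `FULL_RULE` carried no arch filter at all and the old call merely passed `"$ARCH"` through. Unless the variable is set earlier in the file (lines 1–2 are outside the hunk), the filter expands to `-a always,exit -F arch=`, which is both an invalid audit rule to write and a sed pattern that matches no existing rule, so the remediation would fail or add a broken line on every run. The rule being replaced is an architecture-independent directory watch, so `ACTION_ARCH_FILTERS="-a always,exit"` preserves the previous behaviour.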
+@@ -140,28 +140,37 @@ do
+ fi
+ done
+
+- # Check if the syscall we want is present in any of the similar existing rules
+- for rule in "${candidate_rules[@]}"
+- do
+- rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+- grep -q -- "\b${syscall}\b" <<< "$rule_syscalls"
+- if [ $? -eq 0 ]
+- then
+- # We found a rule with the syscall we want
+- return $retval
+- fi
+-
+- # Check if this rule can be grouped with our target syscall and keep track of it
+- for syscall_g in "${syscall_grouping[@]}"
++ if [[ $syscall ]]
++ then
++ # Check if the syscall we want is present in any of the similar existing rules
++ for rule in "${candidate_rules[@]}"
+ do
+- if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
++ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
++ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls"
++ if [ $? -eq 0 ]
+ then
+- local file_to_edit=${audit_file}
+- local rule_to_edit=${rule}
+- local rule_syscalls_to_edit=${rule_syscalls}
++ # We found a rule with the syscall we want
++ return $retval
+ fi
++
++ # Check if this rule can be grouped with our target syscall and keep track of it
++ for syscall_g in "${syscall_grouping[@]}"
++ do
++ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
++ then
++ local file_to_edit=${audit_file}
++ local rule_to_edit=${rule}
++ local rule_syscalls_to_edit=${rule_syscalls}
++ fi
++ done
+ done
+- done
++ else
++ # If there is any candidate rule, it is compliant.
++ if [[ $candidate_rules ]] ++ then ++ return $retval ++ fi ++ fi + done + + +@@ -173,7 +182,11 @@ done + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty +- local full_rule="$action_arch_filters -S $syscall $([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key" ++ if [[ $syscall ]] ++ then ++ local syscall_filters="-S $syscall" ++ fi ++ local full_rule="$action_arch_filters $([[ $syscall_filters ]] && echo "$syscall_filters ")$([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key" + echo "$full_rule" >> "$default_file" + else + # Check if the syscalls are declared as a comma separated list or +diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template +index bd9d4d12484..b5879085a45 100644 +--- a/shared/templates/audit_rules_privileged_commands/bash.template ++++ b/shared/templates/audit_rules_privileged_commands/bash.template +@@ -9,7 +9,7 @@ + ACTION_ARCH_FILTERS="-a always,exit" + OTHER_FILTERS="-F path={{{ PATH }}}{{{ perm_x }}}" + AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" +-SYSCALL="{{{ ATTR }}}" ++SYSCALL="" + KEY="privileged" + SYSCALL_GROUPING="{{{ SYSCALL_GROUPING }}}" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +From aa3b0ea2f194487c3f270e2f4d32768318c06ffa Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 5 Aug 2021 15:30:46 +0200 +Subject: [PATCH 09/31] Enhance fix_audit_syscall_rule to handle multiple + syscalls + +Some rules deal with single handedly with multiple profiles. +These rules expect to use the fix_audit_syscall_rule to add a rule with +muliple syscalls at a time. 
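Review bot: In the new `else` branch, `if [[ $candidate_rules ]]` tests only element 0 of the array, which is not the same as "the array is non-empty"; when element 0 is empty but later entries exist, the branch reads as "no candidate" and the function falls through to appending a duplicate rule. Test the length instead: `if [[ ${#candidate_rules[@]} -gt 0 ]]`. The same first-element test is re-introduced as `if [[ ${syscall_a} ]]` in the PATCH 09 hunk `@@ -182,21 +192,35 @@` of this file, where `${#syscall_a[@]} -ge 1` would match the check that hunk series already uses at `@@ -140,16 +141,25 @@`. The enclosing `do`/`done` loop starts outside the hunk.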
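Review bot: `local syscall_filters="-S $syscall"` is declared only inside the `if [[ $syscall ]]` branch, so when `$syscall` is empty the `$([[ $syscall_filters ]] && ...)` expansion on the next line reads whatever `syscall_filters` the calling shell happens to hold rather than a guaranteed-empty local. Declare it unconditionally before the branch, `local syscall_filters=""`, and let the branch only assign. PATCH 10's hunk `@@ -194,13 +194,15 @@` of this file renames it to `syscall_string` but keeps the conditional `local`; the fix is the same there.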
+--- + .../bash/shared.sh | 14 +++--- + .../bash/shared.sh | 26 ++++++----- + .../fix_audit_syscall_rule.sh | 44 ++++++++++++++----- + 3 files changed, 58 insertions(+), 26 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh +index 02020a84773..2b5e6649680 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh +@@ -9,11 +9,13 @@ + + for ARCH in "${RULE_ARCHS[@]}" + do +- PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>={{{ auid }}} -F auid!=unset -k *" +- # Use escaped BRE regex to specify rule group +- GROUP="\(rmdir\|unlink\|rename\)" +- FULL_RULE="-a always,exit -F arch=$ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>={{{ auid }}} -F auid!=unset -k delete" ++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" ++ OTHER_FILTERS="" ++ AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" ++ SYSCALL="rmdir unlink unlinkat rename renameat" ++ KEY="delete" ++ SYSCALL_GROUPING="rmdir unlink unlinkat rename renameat" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" ++ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + done +diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh +index cdde2eabe04..bf931e46430 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh +@@ -11,20 +11,26 @@ for ARCH in "${RULE_ARCHS[@]}" + do + + # First fix the -EACCES requirement +- PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -k *" +- # Use escaped BRE regex to specify rule group +- GROUP="\(creat\|open\|truncate\)" +- FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -k access" ++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" ++ OTHER_FILTERS="-F exit=EACCES" ++ AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" ++ SYSCALL="creat open openat open_by_handle_at truncate ftruncate" ++ KEY="access" ++ SYSCALL_GROUPING="creat open openat open_by_handle_at truncate ftruncate" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" ++ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + + # Then fix the -EPERM requirement +- PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EPERM -F auid>={{{ auid }}} 
-F auid!=unset -k *" + # No need to change content of $GROUP variable - it's the same as for -EACCES case above +- FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -k access" ++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" ++ OTHER_FILTERS="-F exit=EPERM" ++ AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" ++ SYSCALL="creat open openat open_by_handle_at truncate ftruncate" ++ KEY="access" ++ SYSCALL_GROUPING="creat open openat open_by_handle_at truncate ftruncate" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" ++ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + + done +diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh +index 69430416da3..c8492149ad9 100644 +--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh ++++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh +@@ -42,7 +42,8 @@ local tool="$1" + local action_arch_filters="$2" + local other_filters="$3" + local auid_filters="$4" +-local syscall="$5" ++local syscall_a ++read -a syscall_a <<< "$5" + local syscall_grouping + read -a syscall_grouping <<< "$6" + local key="$7" +@@ -140,16 +141,25 @@ do + fi + done + +- if [[ $syscall ]] ++ if [[ ${#syscall_a[@]} -ge 1 ]] + then + # Check if the syscall we want is present in any of the similar existing rules + for rule in "${candidate_rules[@]}" + do + rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) +- grep -q -- 
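Review bot: `OTHER_FILTERS="-F exit=EACCES"` and, below it, `OTHER_FILTERS="-F exit=EPERM"` drop the minus sign that the removed FULL_RULE lines carried (`-F exit=-EACCES`, `-F exit=-EPERM`). auditd compares this field against the syscall's return value, which is the negative errno on failure, so as far as I can tell the unsigned form would compare against +13/+1 and never fire, and the OVAL check for this rule is presumably still looking for the `-EACCES` spelling. Keep the documented form: `OTHER_FILTERS="-F exit=-EACCES"` and `OTHER_FILTERS="-F exit=-EPERM"`. The enclosing `for ARCH` loop starts outside the hunk.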
"\b${syscall}\b" <<< "$rule_syscalls" +- if [ $? -eq 0 ] ++ local all_syscalls_found=0 ++ for syscall in "${syscall_a[@]}" ++ do ++ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" ++ if [ $? -eq 1 ] ++ then ++ # A syscall was not found in the candidate rule ++ all_syscalls_found=1 ++ fi ++ done ++ if [[ $all_syscalls_found -eq 0 ]] + then +- # We found a rule with the syscall we want ++ # We found a rule with all the syscall(s) we want + return $retval + fi + +@@ -182,21 +192,35 @@ done + if [ -z ${rule_to_edit+x} ] + then + # Build full_rule while avoid adding double spaces when other_filters is empty +- if [[ $syscall ]] ++ if [[ ${syscall_a} ]] + then +- local syscall_filters="-S $syscall" ++ local syscall_filters="" ++ for syscall in "${syscall_a[@]}" ++ do ++ syscall_filters+="-S $syscall " ++ done + fi +- local full_rule="$action_arch_filters $([[ $syscall_filters ]] && echo "$syscall_filters ")$([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key" ++ local full_rule="$action_arch_filters $([[ $syscall_filters ]] && echo "$syscall_filters")$([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key" + echo "$full_rule" >> "$default_file" + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters + if grep -q -- "," <<< "${rule_syscalls_to_edit}" + then +- new_grouped_syscalls="${rule_syscalls_to_edit},${syscall}" ++ delimiter="," + else +- new_grouped_syscalls="${rule_syscalls_to_edit} -S ${syscall}" ++ delimiter=" -S " + fi ++ new_grouped_syscalls="${rule_syscalls_to_edit}" ++ for syscall in "${syscall_a[@]}" ++ do ++ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" ++ if [ $? 
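Review bot: `if [ $? -eq 1 ]` after `grep -q` treats only "no match" as a miss; any other grep failure (exit 2) leaves `all_syscalls_found=0`, so the function returns early convinced an existing rule already covers every syscall and writes nothing — the remediation fails silent and open. Use `if ! grep -q -- "\b${syscall}\b" <<< "$rule_syscalls"` (or `if [ $? -ne 0 ]`). The same `-eq 1` test appears in the `@@ -182,21 +192,35 @@` hunk below when deciding whether to append a syscall to an existing rule, with the mirror effect of silently omitting the syscall. The variable also carries the inverted meaning (`all_syscalls_found=0` means found); a name such as `missing_syscall=1` reads as it behaves. The surrounding `for rule` loop body continues outside the hunk.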
-eq 1 ] ++ then ++ # A syscall was not found in the candidate rule ++ new_grouped_syscalls+="${delimiter}${syscall}" ++ fi ++ done + + # Group the syscall in the rule + sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" + +From 0b18f68fa86a16f659995736567ed3649bb58ef2 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 5 Aug 2021 18:56:13 +0200 +Subject: [PATCH 10/31] Enhance fix_audit_syscall_rule to handle rules without + auid + +Enhance the bash function to nicely handle calls without auid filters +defined. +And updated the remediations of rules calling fix_audit_syscall_rule to +the new parameters. +--- + .../bash/shared.sh | 13 ++++++++----- + .../bash/shared.sh | 13 ++++++++----- + .../bash/shared.sh | 13 ++++++++----- + .../bash/shared.sh | 13 ++++++++----- + .../bash/shared.sh | 14 ++++++++------ + .../fix_audit_syscall_rule.sh | 8 +++++--- + 6 files changed, 45 insertions(+), 29 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh +index a89cb10e13d..cee43a0a104 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh +@@ -13,10 +13,13 @@ + + for ARCH in "${RULE_ARCHS[@]}" + do +- GROUP="modules" +- PATTERN="-a always,exit -F arch=$ARCH -S init_module -S delete_module -S finit_module \(-F key=\|-k \).*" +- FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -S delete_module -S finit_module -k modules" ++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" ++ OTHER_FILTERS="" ++ AUID_FILTERS="" ++ SYSCALL="init_module finit_module delete_module" ++ 
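Review bot: `delimiter` and `new_grouped_syscalls` are assigned without `local`, so this sourced function leaks them into every remediation script's global scope, unlike the `local` declarations used for `syscall_filters` and `full_rule` a few lines above. Declare them next to the other locals: `local delimiter new_grouped_syscalls`. The `else` branch that holds them continues outside the hunk.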
KEY="modules" ++ SYSCALL_GROUPING="init_module finit_module delete_module" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" ++ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + done +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/bash/shared.sh +index 7dabc28d807..7e0e101f754 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/bash/shared.sh +@@ -13,10 +13,13 @@ + + for ARCH in "${RULE_ARCHS[@]}" + do +- PATTERN="-a always,exit -F arch=$ARCH -S delete_module \(-F key=\|-k \).*" +- GROUP="modules" +- FULL_RULE="-a always,exit -F arch=$ARCH -S delete_module -k modules" ++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" ++ OTHER_FILTERS="" ++ AUID_FILTERS="" ++ SYSCALL="delete_module" ++ KEY="modules" ++ SYSCALL_GROUPING="delete_module" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" ++ 
fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + done +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh +index 6e8df8c5095..1b2854d9c61 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh +@@ -13,10 +13,13 @@ + + for ARCH in "${RULE_ARCHS[@]}" + do +- PATTERN="-a always,exit -F arch=$ARCH -S finit_module \(-F key=\|-k \).*" +- GROUP="modules" +- FULL_RULE="-a always,exit -F arch=$ARCH -S finit_module -k modules" ++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" ++ OTHER_FILTERS="" ++ AUID_FILTERS="" ++ SYSCALL="finit_module" ++ KEY="modules" ++ SYSCALL_GROUPING="init_module finit_module" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" ++ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + done +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh +index 437127f4553..3bb7f89d37c 100644 
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh +@@ -13,10 +13,13 @@ + + for ARCH in "${RULE_ARCHS[@]}" + do +- PATTERN="-a always,exit -F arch=$ARCH -S init_module \(-F key=\|-k \).*" +- GROUP="modules" +- FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -k modules" ++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" ++ OTHER_FILTERS="" ++ AUID_FILTERS="" ++ SYSCALL="init_module" ++ KEY="modules" ++ SYSCALL_GROUPING="init_module finit_module" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" ++ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + done +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh +index 4e4869a83a7..3c5e593dc5e 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh +@@ -9,13 +9,15 @@ + + for ARCH in "${RULE_ARCHS[@]}" + do +- PATTERN="-a always,exit -F arch=$ARCH -S .* -k *" +- # Use escaped BRE regex to specify rule group +- GROUP="set\(host\|domain\)name" +- FULL_RULE="-a always,exit -F arch=$ARCH -S sethostname -S setdomainname -k 
audit_rules_networkconfig_modification" ++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" ++ OTHER_FILTERS="" ++ AUID_FILTERS="" ++ SYSCALL="sethostname setdomainname" ++ KEY="audit_rules_networkconfig_modification" ++ SYSCALL_GROUPING="sethostname setdomainname" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" ++ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + done + + # Then perform the remediations for the watch rules +diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh +index c8492149ad9..5cc130a0236 100644 +--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh ++++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh +@@ -194,13 +194,15 @@ then + # Build full_rule while avoid adding double spaces when other_filters is empty + if [[ ${syscall_a} ]] + then +- local syscall_filters="" ++ local syscall_string="" + for syscall in "${syscall_a[@]}" + do +- syscall_filters+="-S $syscall " ++ syscall_string+=" -S $syscall" + done + fi +- local full_rule="$action_arch_filters $([[ $syscall_filters ]] && echo "$syscall_filters")$([[ $other_filters ]] && echo "$other_filters ")$auid_filters -F key=$key" ++ local other_string=$([[ $other_filters ]] && echo " $other_filters") ++ local auid_string=$([[ $auid_filters ]] && echo " $auid_filters") ++ local full_rule="${action_arch_filters}${syscall_string}${other_string}${auid_string} -F key=${key}" + echo "$full_rule" >> "$default_file" + else + # Check if the syscalls are declared as a comma separated list or + +From 
8c4984428445376dd1ddb03947deda2d73321972 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 5 Aug 2021 18:59:47 +0200 +Subject: [PATCH 11/31] Move suid_privileged_function to new + fix_audit_sycall_rule + +The OVAL check was also updated to accept the key as a Field parameter. +--- + .../bash/shared.sh | 26 ++++++++++++------- + .../oval/shared.xml | 16 ++++++------ + 2 files changed, 24 insertions(+), 18 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh +index 561c8f74a8f..3976979360c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh +@@ -9,20 +9,26 @@ + + for ARCH in "${RULE_ARCHS[@]}" + do +- PATTERN="-a always,exit -F arch=$ARCH -S execve -C uid!=euid -F euid=0" +- GROUP="privileged" +- FULL_RULE="-a always,exit -F arch=$ARCH -S execve -C uid!=euid -F euid=0 -k setuid" ++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" ++ OTHER_FILTERS="-C uid!=euid -F euid=0" ++ AUID_FILTERS="" ++ SYSCALL="execve" ++ KEY="setuid" ++ SYSCALL_GROUPING="" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" ++ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + done + + for ARCH in "${RULE_ARCHS[@]}" + do +- PATTERN="-a always,exit -F arch=$ARCH -S execve -C gid!=egid -F egid=0" +- GROUP="privileged" +- FULL_RULE="-a 
always,exit -F arch=$ARCH -S execve -C gid!=egid -F egid=0 -k setgid" ++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" ++ OTHER_FILTERS="-C gid!=egid -F egid=0" ++ AUID_FILTERS="" ++ SYSCALL="execve" ++ KEY="setgid" ++ SYSCALL_GROUPING="" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" ++ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + done +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml +index 9247d81b89c..5115eb6c8c4 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml +@@ -30,7 +30,7 @@ + + + ^/etc/audit/rules\.d/.*\.rules$ +- ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+-k[\s]setuid[\s]*$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+(-k[\s]+|-F[\s]+key=)setuid[\s]*$ + 1 + + +@@ -39,7 +39,7 @@ + + + ^/etc/audit/rules\.d/.*\.rules$ +- ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+-k[\s]setuid[\s]*$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+(-k[\s]+|-F[\s]+key=)setuid[\s]*$ + 1 + + +@@ -48,7 +48,7 @@ + + + /etc/audit/audit.rules +- 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+-k[\s]setuid[\s]*$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+(-k[\s]+|-F[\s]+key=)setuid[\s]*$ + 1 + + +@@ -57,7 +57,7 @@ + + + /etc/audit/audit.rules +- ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+-k[\s]setuid[\s]*$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]uid!=euid[\s]+-F[\s]euid=0[\s]+(-k[\s]+|-F[\s]+key=)setuid[\s]*$ + 1 + + +@@ -66,7 +66,7 @@ + + + ^/etc/audit/rules\.d/.*\.rules$ +- ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+-k[\s]setgid[\s]*$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+(-k[\s]+|-F[\s]+key=)setgid[\s]*$ + 1 + + +@@ -75,7 +75,7 @@ + + + ^/etc/audit/rules\.d/.*\.rules$ +- ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+-k[\s]setgid[\s]*$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+(-k[\s]+|-F[\s]+key=)setgid[\s]*$ + 1 + + +@@ -84,7 +84,7 @@ + + + /etc/audit/audit.rules +- ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+-k[\s]setgid[\s]*$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+(-k[\s]+|-F[\s]+key=)setgid[\s]*$ + 1 + + +@@ -93,7 +93,7 @@ + + + /etc/audit/audit.rules +- ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+-k[\s]setgid[\s]*$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]gid!=egid[\s]+-F[\s]egid=0[\s]+(-k[\s]+|-F[\s]+key=)setgid[\s]*$ + 1 + + + +From ed948b76b8ce20179a00622b9e04a4d4cd32850f Mon Sep 17 00:00:00 2001 +From: Watson Sato 
+Date: Fri, 6 Aug 2021 09:45:42 +0200 +Subject: [PATCH 12/31] Update remediarions for time syscalls rules + +Update rules audit_rules_time_clock_settime and bash shared +remediation perform_audit_adjtimex_settimeofday_stime_remediation +to group their syscalls. +--- + .../bash/shared.sh | 13 ++++++++----- + ..._adjtimex_settimeofday_stime_remediation.sh | 18 +++++++++++------- + 2 files changed, 19 insertions(+), 12 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh +index ffddb94df69..0d51b6b9400 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/bash/shared.sh +@@ -9,10 +9,13 @@ + + for ARCH in "${RULE_ARCHS[@]}" + do +- PATTERN="-a always,exit -F arch=$ARCH -S clock_settime -F a0=.* \(-F key=\|-k \).*" +- GROUP="clock_settime" +- FULL_RULE="-a always,exit -F arch=$ARCH -S clock_settime -F a0=0x0 -k time-change" ++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" ++ OTHER_FILTERS="-F a0=0x0" ++ AUID_FILTERS="" ++ SYSCALL="clock_settime" ++ KEY="time-change" ++ SYSCALL_GROUPING="" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" ++ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + done +diff --git 
a/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh b/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh +index be1425b454c..ca3ccc37513 100644 +--- a/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh ++++ b/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh +@@ -19,24 +19,28 @@ function perform_audit_adjtimex_settimeofday_stime_remediation { + for ARCH in "${RULE_ARCHS[@]}" + do + +- PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *" + # Create expected audit group and audit rule form for particular system call & architecture + if [ ${ARCH} = "b32" ] + then ++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) + # so append it to the list of time group system calls to be audited +- GROUP="\(adjtimex\|settimeofday\|stime\)" +- FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules" ++ SYSCALL="adjtimex settimeofday stime" ++ SYSCALL_GROUPING="adjtimex settimeofday stime" + elif [ ${ARCH} = "b64" ] + then ++ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" + # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) + # therefore don't add it to the list of time group system calls to be audited +- GROUP="\(adjtimex\|settimeofday\)" +- FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules" ++ SYSCALL="adjtimex settimeofday" ++ SYSCALL_GROUPING="adjtimex settimeofday" + fi ++ OTHER_FILTERS="" ++ AUID_FILTERS="" ++ KEY="audit_time_rules" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule 
"augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" ++ fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY" + done + + } + +From 8af4ced71baa5794bfa9be2cfcf9a9519066e597 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Aug 2021 11:50:46 +0200 +Subject: [PATCH 13/31] Improve audit syscall rule macro to group syscalls + +The macros now group the syscall rule according to the grouping argument +The Ansible macros follow same argument pattern as the Bash remediations +(soon to become macros). +--- + .../ansible/shared.yml | 36 ++- + .../ansible/shared.yml | 36 ++- + .../ansible/shared.yml | 36 ++- + .../ansible/shared.yml | 36 ++- + .../ansible/shared.yml | 36 ++- + .../audit_rules_time_stime/ansible/shared.yml | 18 +- + shared/macros-ansible.jinja | 220 +++++++++--------- + 7 files changed, 292 insertions(+), 126 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +index 8421076fbb3..905c14feb82 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +@@ -15,11 +15,39 @@ + + - name: Perform remediation of Audit rules for kernel module loading for x86 platform + block: +- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=audit_syscalls, key="modules")|indent(4) }}} +- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=audit_syscalls, key="modules")|indent(4) }}} ++ {{{ ansible_audit_augenrules_add_syscall_rule( ++ 
action_arch_filters="-a always,exit -F arch=b32", ++ other_filters="", ++ auid_filters="", ++ syscalls=audit_syscalls, ++ key="modules", ++ syscall_grouping=audit_syscalls, ++ )|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b32", ++ other_filters="", ++ auid_filters="", ++ syscalls=audit_syscalls, ++ key="modules", ++ syscall_grouping=audit_syscalls, ++ )|indent(4) }}} + + - name: Perform remediation of Audit rules for kernel module loading for x86_64 platform + block: +- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=audit_syscalls, key="modules")|indent(4) }}} +- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=audit_syscalls, key="modules")|indent(4) }}} ++ {{{ ansible_audit_augenrules_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b64", ++ other_filters="", ++ auid_filters="", ++ syscalls=audit_syscalls, ++ key="modules", ++ syscall_grouping=audit_syscalls, ++ )|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b64", ++ other_filters="", ++ auid_filters="", ++ syscalls=audit_syscalls, ++ key="modules", ++ syscall_grouping=audit_syscalls, ++ )|indent(4) }}} + when: audit_arch == "b64" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml +index fa07d5bf944..b5262d795c6 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml +@@ -13,13 +13,41 @@ + + - name: Remediate audit rules for network configuration for x86 + block: +- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["sethostname", "setdomainname"], 
key="audit_rules_networkconfig_modification")|indent(4) }}}
+- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}}
++ {{{ ansible_audit_augenrules_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b32",
++ other_filters="",
++ auid_filters="",
++ syscalls=["sethostname", "setdomainname"],
++ key="audit_rules_networkconfig_modification",
++ syscall_grouping=["sethostname", "setdomainname"],
++ )|indent(4) }}}
++ {{{ ansible_audit_auditctl_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b32",
++ other_filters="",
++ auid_filters="",
++ syscalls=["sethostname", "setdomainname"],
++ key="audit_rules_networkconfig_modification",
++ syscall_grouping=["sethostname", "setdomainname"],
++ )|indent(4) }}}
+ 
+ - name: Remediate audit rules for network configuration for x86_64
+ block:
+- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}}
+- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}}
++ {{{ ansible_audit_augenrules_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b64",
++ other_filters="",
++ auid_filters="",
++ syscalls=["sethostname", "setdomainname"],
++ key="audit_rules_networkconfig_modification",
++ syscall_grouping=["sethostname", "setdomainname"],
++ )|indent(4) }}}
++ {{{ ansible_audit_auditctl_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b64",
++ other_filters="",
++ auid_filters="",
++ syscalls=["sethostname", "setdomainname"],
++ key="audit_rules_networkconfig_modification",
++ syscall_grouping=["sethostname", "setdomainname"],
++ )|indent(4) }}}
+ when: audit_arch == "b64"
+ 
+ # remediate watches
+diff --git
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
+index 921b8e34cb2..a5d7cc5e0aa 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml
+@@ -10,11 +10,39 @@
+ 
+ - name: Perform remediation of Audit rules for adjtimex for x86 platform
+ block:
+- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
++ {{{ ansible_audit_augenrules_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b32",
++ other_filters="",
++ auid_filters="",
++ syscalls=["adjtimex"],
++ key="audit_time_rules",
++ syscall_grouping=["adjtimex", "settimeofday", "stime"],
++ )|indent(4) }}}
++ {{{ ansible_audit_auditctl_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b32",
++ other_filters="",
++ auid_filters="",
++ syscalls=["adjtimex"],
++ key="audit_time_rules",
++ syscall_grouping=["adjtimex", "settimeofday", "stime"],
++ )|indent(4) }}}
+ 
+ - name: Perform remediation of Audit rules for adjtimex for x86_64 platform
+ block:
+- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
+- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}}
++ {{{ ansible_audit_augenrules_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b64",
++ other_filters="",
++ auid_filters="",
++ syscalls=["adjtimex"],
++ key="audit_time_rules",
++ syscall_grouping=["adjtimex", "settimeofday"],
++
)|indent(4) }}}
++ {{{ ansible_audit_auditctl_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b64",
++ other_filters="",
++ auid_filters="",
++ syscalls=["adjtimex"],
++ key="audit_time_rules",
++ syscall_grouping=["adjtimex", "settimeofday", "stime"],
++ )|indent(4) }}}
+ when: audit_arch == "b64"
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml
+index e77850fa251..c07ee41fe03 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml
+@@ -12,11 +12,39 @@
+ 
+ - name: Perform remediation of Audit rules for clock_settime for x86 platform
+ block:
+- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}}
+- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}}
++ {{{ ansible_audit_augenrules_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b32",
++ other_filters="-F a0=0x0",
++ auid_filters="",
++ syscalls=["clock_settime"],
++ key="time-change",
++ syscall_grouping=[],
++ )|indent(4) }}}
++ {{{ ansible_audit_auditctl_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b32",
++ other_filters="-F a0=0x0",
++ auid_filters="",
++ syscalls=["clock_settime"],
++ key="time-change",
++ syscall_grouping=[],
++ )|indent(4) }}}
+ 
+ - name: Perform remediation of Audit rules for clock_settime for x86_64 platform
+ block:
+- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}}
+- {{{
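Review bot: The two x86_64 calls disagree on `syscall_grouping`: the augenrules call passes `["adjtimex", "settimeofday"]` while the auditctl call directly below it passes `["adjtimex", "settimeofday", "stime"]`, so rules.d and audit.rules are probed with different groupings for the same rule. `stime` looks 32-bit only (the stime template later in this patch emits no x86_64 block), so the shorter list is presumably the intended one; make both b64 calls use `syscall_grouping=["adjtimex", "settimeofday"],`. The grouping only decides which existing lines count as a match, so this is a consistency defect rather than a missing rule, but the two files can end up grouped differently.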
ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}}
++ {{{ ansible_audit_augenrules_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b64",
++ other_filters="-F a0=0x0",
++ auid_filters="",
++ syscalls=["clock_settime"],
++ key="time-change",
++ syscall_grouping=[],
++ )|indent(4) }}}
++ {{{ ansible_audit_auditctl_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b64",
++ other_filters="-F a0=0x0",
++ auid_filters="",
++ syscalls=["clock_settime"],
++ key="time-change",
++ syscall_grouping=[],
++ )|indent(4) }}}
+ when: audit_arch == "b64"
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
+index b1a25c2776d..e4be5e2406f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml
+@@ -10,11 +10,39 @@
+ 
+ - name: Perform remediation of Audit rules for settimeofday for x86 platform
+ block:
+- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
++ {{{ ansible_audit_augenrules_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b32",
++ other_filters="",
++ auid_filters="",
++ syscalls=["settimeofday"],
++ key="audit_time_rules",
++ syscall_grouping=["adjtimex", "settimeofday", "stime"],
++ )|indent(4) }}}
++ {{{ ansible_audit_auditctl_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b32",
++ other_filters="",
++ auid_filters="",
++
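Review bot: `syscall_grouping=[]` in all four clock_settime calls means the macro's `find` loop never runs, `syscalls_found` is always empty and the `Add the audit rule` task fires on every run; because that `lineinfile` has no `regexp`, it only deduplicates the exact `... -F a0=0x0 -F key=time-change` text, so a host that already carries the equivalent rule written as `-k time-change` (or with different spacing) gets a second copy appended. Unless leaving clock_settime ungrouped is deliberate, pass `syscall_grouping=["clock_settime"],` so an existing rule with the same `-F a0=0x0` filter is detected, the way the other time rules list their own syscall in the grouping. The old code, visible in the removed lines, did detect such a rule through its `find` regex, so this is a small regression in idempotence.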
syscalls=["settimeofday"],
++ key="audit_time_rules",
++ syscall_grouping=["adjtimex", "settimeofday", "stime"],
++ )|indent(4) }}}
+ 
+ - name: Perform remediation of Audit rules for settimeofday for x86_64 platform
+ block:
+- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
+- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}}
++ {{{ ansible_audit_augenrules_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b64",
++ other_filters="",
++ auid_filters="",
++ syscalls=["settimeofday"],
++ key="audit_time_rules",
++ syscall_grouping=["adjtimex", "settimeofday", "stime"],
++ )|indent(4) }}}
++ {{{ ansible_audit_auditctl_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b64",
++ other_filters="",
++ auid_filters="",
++ syscalls=["settimeofday"],
++ key="audit_time_rules",
++ syscall_grouping=["adjtimex", "settimeofday", "stime"],
++ )|indent(4) }}}
+ when: audit_arch == "b64"
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
+index b57c71ce21f..96fc5c15655 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml
+@@ -6,5 +6,19 @@
+ 
+ - name: Perform remediation of Audit rules for stime syscall for x86 platform
+ block:
+- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}}
+- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}}
++ {{{ ansible_audit_augenrules_add_syscall_rule(
++
action_arch_filters="-a always,exit -F arch=b32",
++ other_filters="",
++ auid_filters="",
++ syscalls=["stime"],
++ key="audit_time_rules",
++ syscall_grouping=["adjtimex", "settimeofday", "stime"],
++ )|indent(4) }}}
++ {{{ ansible_audit_auditctl_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b32",
++ other_filters="",
++ auid_filters="",
++ syscalls=["stime"],
++ key="audit_time_rules",
++ syscall_grouping=["adjtimex", "settimeofday", "stime"],
++ )|indent(4) }}}
+diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
+index 116077b9a52..5e120deee58 100644
+--- a/shared/macros-ansible.jinja
++++ b/shared/macros-ansible.jinja
+@@ -385,135 +385,147 @@ The macro requires following parameters:
+ {{#
+ The following macro remediates Audit syscall rule in /etc/audit/rules.d directory.
+ The macro requires following parameters:
+-- arch: an architecture to be used in the Audit rule (b32, b64)
+-- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc.
+-- key: a key to use as rule identifier.
+-- fields (optional): list of syscall fields to add (e.g.: auid=unset, exit=-EPERM, a0&0100);
+- Add them in the order you expect them to be in the audit rule.
+-Note that if there already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file.
++- action_arch_filters: The action and arch filters of the rule
++ For example, "-a always,exit -F arch=b64"
++- other_filters: Other filters that may characterize the rule:
++ For example, "-F a2&03 -F path=/etc/passwd"
++- auid_filters: The auid filters of the rule
++ For example, "-F auid>=1000 -F auid!=unset"
++- syscalls: List of syscalls to ensure presense among audit rules
++ For example, "['fchown', 'lchown', 'fchownat']"
++- syscall_groupings: List of other syscalls that can be grouped with 'syscalls'
++ For example, "['fchown', 'lchown', 'fchownat']"
++- key: The key to use when appending a new rule
+ #}}
+-{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="", fields=[]) -%}}
+- name: Declare list of syscals
++{{% macro ansible_audit_augenrules_add_syscall_rule(action_arch_filters="", other_filters="", auid_filters="", syscalls=[], key="", syscall_grouping=[]) -%}}
++{{% if other_filters != "" %}}
++ {{% set other_filters = " " ~ other_filters %}}
++{{% endif %}}
++{{% if auid_filters != "" %}}
++ {{% set auid_filters = " " ~ auid_filters %}}
++{{% endif %}}
++- name: Declare list of syscalls
+ set_fact:
+ syscalls: {{{ syscalls }}}
++ syscall_grouping: {{{ syscall_grouping }}}
+ 
+-- name: Declare number of syscalls
+- set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}"
++- name: Check existence of syscalls for in /etc/audit/rules.d/
++ find:
++ paths: /etc/audit/rules.d
++ contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$'
++ patterns: '*.rules'
++ register: find_command
++ loop: '{{ syscall_grouping }}'
+ 
+-{{#
+-This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope.
+-See official documentation: https://jinja.palletsprojects.com/en/2.11.x/templates/#assignments
+-#}}
+-{{% set fields_data = { 'regex' : "", 'plain_text': "" } %}}
+-{{% for field in fields %}}
+- {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}}
+- {{% set not_used = fields_data.update({'plain_text': fields_data.plain_text + ' -F ' + field }) %}}
+-{{% endfor %}}
++- name: Declare syscalls found per file
++ set_fact: syscalls_per_file="{{ syscalls_per_file | default({}) | combine( {item.files[0].path :[item.item]+(syscalls_per_file | default({})).get(item.files[0].path, []) } ) }}"
++ loop: "{{ find_command.results | selectattr('matched') | list}}"
+ 
+-- name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/
+- find:
+- paths: "/etc/audit/rules.d"
+- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*{{{ fields_data.regex }}}(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
+- patterns: "*.rules"
+- register: audit_syscalls_found_{{{ arch }}}_rules_d
+- loop: "{{ syscalls }}"
++- name: Declare files where syscalls where found
++ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"
+ 
+-- name: Get number of matched syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/
+- set_fact: audit_syscalls_matched_{{{ arch }}}_rules_d="{{ audit_syscalls_found_{{{ arch }}}_rules_d.results|sum(attribute='matched')|int }}"
++- name: Count occurrences of syscalls in paths
++ set_fact: found_paths_dict="{{ found_paths_dict | default({}) | combine({ item:1+(found_paths_dict | default({})).get(item, 0) }) }}"
++ loop: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"
+ 
+-- name: Search /etc/audit/rules.d for other rules with the key {{{ key }}}
+- find:
+- paths: "/etc/audit/rules.d"
+- contains: '^.*(?:-F
key=|-k\s+){{{ key }}}$'
+- patterns: "*.rules"
+- register: find_syscalls_files
++- name: Get path with most syscalls
++ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
++ when: found_paths | length >= 1
+ 
+-- name: Use /etc/audit/rules.d/{{{ key }}}.rules as the recipient for the rule
+- set_fact:
+- all_files:
+- - /etc/audit/rules.d/{{{ key }}}.rules
+- when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0
++- name: No file with syscall found, set path to /etc/audit/rules.d/{{{ key }}}.rules
++ set_fact: audit_file="/etc/audit/rules.d/{{{ key }}}.rules"
++ when: found_paths | length == 0
+ 
+-- name: Use matched file as the recipient for the rule
++- name: Declare found syscalls
++ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"
++
++- name: Declare missing syscalls
+ set_fact:
+- all_files:
+- - "{{ find_syscalls_files.files | map(attribute='path') | list | first }}"
+- when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0
++ missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+ 
+-- name: "Insert the syscall rule in {{ all_files[0] }}"
+- block:
+- - name: "Construct rule: add rule list, action and arch"
+- set_fact: tmpline="-a always,exit -F arch={{{ arch }}}"
+- - name: "Construct rule: add syscalls"
+- set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}"
+- loop: "{{ audit_syscalls_found_{{{ arch }}}_rules_d.results }}"
+- when: item.matched is defined and item.matched == 0
+- - name: "Construct rule: add fields and key"
+- set_fact: tmpline="{{ tmpline + '{{{ fields_data.plain_text }}} -k {{{ key }}}' }}"
+- - name: "Insert the line in {{ all_files[0] }}"
+- lineinfile:
+- path: "{{ all_files[0] }}"
+- line: "{{ tmpline }}"
+- create: true
+- state: present
+- when: audit_syscalls_matched_{{{ arch }}}_rules_d < audit_syscalls_number_of_syscalls
++- name: Replace the audit rule
in {{ audit_file }}
++ lineinfile:
++ path: '{{ audit_file }}'
++ regexp: '({{{ action_arch_filters }}})(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)({{{ other_filters }}}{{{ auid_filters }}} (?:-k |-F key=)\w+)'
++ line: '\1\2\3{{ missing_syscalls | join("\3") }}\4'
++ backrefs: yes
++ state: present
++ when: syscalls_found | length > 0 and missing_syscalls | length > 0
++
++- name: Add the audit rule to {{ audit_file }}
++ lineinfile:
++ path: '{{ audit_file }}'
++ line: "{{{ action_arch_filters }}} -S {{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
++ create: true
++ state: present
++ when: syscalls_found | length == 0
+ {{%- endmacro %}}
+ 
+ {{#
+ The following macro remediates Audit syscall rule in /etc/audit/audit.rules file.
+ The macro requires following parameters:
+-- arch: an architecture to be used in the Audit rule (b32, b64)
+-- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc.
+-- key: a key to use as rule identifier.
+-- fields (optional): list of syscall fields to add (e.g.: auid=unset, exit=-EPERM, a0&0100);
+- Add them in the order you expect them to be in the audit rule.
++- action_arch_filters: The action and arch filters of the rule
++ For example, "-a always,exit -F arch=b64"
++- other_filters: Other filters that may characterize the rule:
++ For example, "-F a2&03 -F path=/etc/passwd"
++- auid_filters: The auid filters of the rule
++ For example, "-F auid>=1000 -F auid!=unset"
++- syscalls: List of syscalls to ensure presense among audit rules
++ For example, "['fchown', 'lchown', 'fchownat']"
++- syscall_groupings: List of other syscalls that can be grouped with 'syscalls'
++ For example, "['fchown', 'lchown', 'fchownat']"
++- key: The key to use when appending a new rule
+ #}}
+-{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="", fields=[]) -%}}
+- name: Declare list of syscals
++{{% macro ansible_audit_auditctl_add_syscall_rule(action_arch_filters="", other_filters="", auid_filters="", syscalls=[], key="", syscall_grouping=[]) -%}}
++{{% if other_filters!= "" %}}
++ {{% set other_filters = " " ~ other_filters %}}
++{{% endif %}}
++{{% if auid_filters!= "" %}}
++ {{% set auid_filters = " " ~ auid_filters %}}
++{{% endif %}}
++- name: Declare list of syscalls
+ set_fact:
+ syscalls: {{{ syscalls }}}
++ syscall_grouping: {{{ syscall_grouping }}}
++
++- name: Check existence of syscalls for in /etc/audit/rules.d/
++ find:
++ paths: /etc/audit
++ contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$'
++ patterns: 'audit.rules'
++ register: find_command
++ loop: '{{ syscall_grouping }}'
+ 
+-- name: Declare number of syscalls
+- set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}"
++- name: Set path to /etc/audit/rules.d/{{{ key }}}.rules
++ set_fact: audit_file="/etc/audit/audit.rules"
+ 
+-{{#
+-This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope.
+-See official documentation: https://jinja.palletsprojects.com/en/2.11.x/templates/#assignments
+-#}}
+-{{% set fields_data = { 'regex' : "", 'plain_text': "" } %}}
+-{{% for field in fields %}}
+- {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}}
+- {{% set not_used = fields_data.update({'plain_text': fields_data.plain_text + ' -F ' + field }) %}}
+-{{% endfor %}}
++- name: Declare found syscalls
++ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"
+ 
+-- name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules
+- find:
+- paths: "/etc/audit"
+- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*{{{ fields_data.regex }}}(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
+- patterns: "audit.rules"
+- register: audit_syscalls_found_{{{ arch }}}_audit_rules
+- loop: "{{ syscalls }}"
++- name: Declare missing syscalls
++ set_fact:
++ missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+ 
+-- name: Get number of matched syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules
+- set_fact: audit_syscalls_matched_{{{ arch }}}_audit_rules="{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results|sum(attribute='matched')|int }}"
++- name: Replace the audit rule in {{ audit_file }}
++ lineinfile:
++ path: '{{ audit_file }}'
++ regexp: '({{{ action_arch_filters }}})(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)({{{ other_filters }}}{{{ auid_filters }}} (?:-k |-F key=)\w+)'
++ line: '\1\2\3{{ missing_syscalls | join("\3") }}\4'
++ backrefs: yes
++ state: present
++ when: syscalls_found | length > 0 and missing_syscalls | length > 0
++
++- name: Add the audit rule to {{ audit_file }}
++ lineinfile:
++ path: '{{ audit_file }}'
++ line: "{{{ action_arch_filters }}} -S {{ syscalls | join(',') }}{{{ other_filters
}}}{{{ auid_filters}}} -F key={{{ key }}}"
++ create: true
++ state: present
++ when: syscalls_found | length == 0
++- name: Declare list of syscals
++ set_fact:
++ syscalls: {{{ syscalls }}}
+ 
+-- name: Insert the syscall rule in /etc/audit/audit.rules
+- block:
+- - name: "Construct rule: add rule list, action and arch"
+- set_fact: tmpline="-a always,exit -F arch={{{ arch }}}"
+- - name: "Construct rule: add syscalls"
+- set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}"
+- loop: "{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results }}"
+- when: item.matched is defined and item.matched == 0
+- - name: "Construct rule: add fields and key"
+- set_fact: tmpline="{{ tmpline + '{{{ fields_data.plain_text }}} -k {{{ key }}}' }}"
+- - name: Insert the line in /etc/audit/audit.rules
+- lineinfile:
+- path: "/etc/audit/audit.rules"
+- line: "{{ tmpline }}"
+- create: true
+- state: present
+- when: audit_syscalls_matched_{{{ arch }}}_audit_rules < audit_syscalls_number_of_syscalls
+ {{%- endmacro %}}
+ 
+ {{% macro ansible_sssd_ldap_config(parameter, value) -%}}
+
+From a355d5b5578477a4464023dccccdb474ff571768 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 17 Aug 2021 14:35:17 +0200
+Subject: [PATCH 14/31] Move template audit_rules_path_syscall to Ansible macro
+
+---
+ .../audit_rules_path_syscall/ansible.template | 100 +++++++-----------
+ .../audit_rules_path_syscall/template.py | 7 ++
+ 2 files changed, 44 insertions(+), 63 deletions(-)
+
+diff --git a/shared/templates/audit_rules_path_syscall/ansible.template b/shared/templates/audit_rules_path_syscall/ansible.template
+index d519609fa02..20440a36237 100644
+--- a/shared/templates/audit_rules_path_syscall/ansible.template
++++ b/shared/templates/audit_rules_path_syscall/ansible.template
+@@ -11,67 +11,41 @@
+ set_fact:
+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
+ 
+-#
+-# Inserts/replaces the rule in /etc/audit/rules.d
+-#
+-- name: Search /etc/audit/rules.d for
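Review bot: `syscalls_per_file` and `found_paths_dict` are built with `| default({}) | combine(...)` and never cleared, so the second time either macro is expanded in the same play (the b64 block, the `-F auid=0` pass, or the next rule) the previous pass's entries leak in, `Get path with most syscalls` can select a file the current pass never matched, and `Replace the audit rule` (with `backrefs: yes`) then matches nothing and silently adds no syscalls while the play reports success; reset both at the top of the macro, e.g. a `set_fact:` with `syscalls_per_file: {}` and `found_paths_dict: {}` before the `find`. The new `contains:` and `regexp:` patterns also drop the `^[\s]*` anchor the removed regex had, so a commented-out `#-a always,exit ...` line in rules.d counts as an existing rule and may have syscalls spliced into the comment; anchoring them with `^` restores the old behaviour. The `find` pattern accepts a key of `\S+` but the `lineinfile` regexp only `\w+`, so an existing rule keyed `time-change` is found yet never extended. Minor: the parameter docs say `syscall_groupings` while the argument is `syscall_grouping`, the auditctl variant's task names still mention `/etc/audit/rules.d/` although it acts on `/etc/audit/audit.rules`, and the `Declare list of syscals` task left after `Add the audit rule` looks like a leftover.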
other DAC audit rules
+- find:
+- paths: "/etc/audit/rules.d"
+- recurse: no
+- contains: ".*{{{ SYSCALL }}}(,[\\S]+)?[\\s]+-F[\\s]+{{{ POS }}}&03[\\s]+-F[\\s]+path={{{ PATH }}}.*"
+- patterns: "*.rules"
+- register: find_{{{ SYSCALL }}}
+-
+-- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as the recipient for the rule
+- set_fact:
+- all_files:
+- - /etc/audit/rules.d/modify.rules
+- when: find_{{{ SYSCALL }}}.matched is defined and find_{{{ SYSCALL }}}.matched == 0
+-
+-- name: Use matched file as the recipient for the rule
+- set_fact:
+- all_files:
+- - "{{ find_{{{ SYSCALL }}}.files | map(attribute='path') | list | first }}"
+- when: find_{{{ SYSCALL }}}.matched is defined and find_{{{ SYSCALL }}}.matched > 0
+-
+-- name: Inserts/replaces the {{{ SYSCALL }}} rule in rules.d when on x86
+- lineinfile:
+- path: "{{ all_files[0] }}"
+- line: "{{ item }}"
+- create: yes
+- regexp: "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"
+- with_items:
+- - "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
+-
+-- name: Inserts/replaces the {{{ SYSCALL }}} rule in rules.d when on x86_64
+- lineinfile:
+- path: "{{ all_files[0] }}"
+- line: "{{ item }}"
+- create: yes
+- regexp: "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"
+- with_items:
+- - "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
+- when: audit_arch is defined and audit_arch == 'b64'
+-#
+-# Inserts/replaces the rule in /etc/audit/audit.rules
+-#
+-- name: Inserts/replaces the {{{ SYSCALL }}} rule in /etc/audit/audit.rules when on x86
+- lineinfile:
+- line: "{{ item }}"
+- state: present
+- dest: /etc/audit/audit.rules
+- create:
yes
+- regexp: "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"
+- with_items:
+- - "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
++- name: Perform remediattion of Audit rules for {{{ SYSCALL }}} for x86 platform
++ block:
++ {{{ ansible_audit_augenrules_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b32",
++ other_filters="-F "~POS~"&03 -F path="~PATH,
++ auid_filters="-F auid>="~auid~" -F auid!=unset",
++ syscalls=SYSCALL,
++ key="modify",
++ syscall_grouping=SYSCALL_GROUPING,
++ )|indent(4) }}}
++ {{{ ansible_audit_auditctl_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b32",
++ other_filters="-F "~POS~"&03 -F path="~PATH,
++ auid_filters="-F auid>="~auid~" -F auid!=unset",
++ syscalls=SYSCALL,
++ key="modify",
++ syscall_grouping=SYSCALL_GROUPING,
++ )|indent(4) }}}
+ 
+-- name: Inserts/replaces the {{{ SYSCALL }}} rule in audit.rules when on x86_64
+- lineinfile:
+- line: "{{ item }}"
+- state: present
+- dest: /etc/audit/audit.rules
+- create: yes
+- regexp: "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"
+- with_items:
+- - "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
+- when: audit_arch is defined and audit_arch == 'b64'
++- name: Perform remediattion of Audit rules for {{{ SYSCALL }}} for x86_64 platform
++ block:
++ {{{ ansible_audit_augenrules_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b64",
++ other_filters="-F "~POS~"&03 -F path="~PATH,
++ auid_filters="-F auid>="~auid~" -F auid!=unset",
++ syscalls=SYSCALL,
++ key="modify",
++ syscall_grouping=SYSCALL_GROUPING,
++ )|indent(4) }}}
++ {{{ ansible_audit_auditctl_add_syscall_rule(
++
action_arch_filters="-a always,exit -F arch=b64",
++ other_filters="-F "~POS~"&03 -F path="~PATH,
++ auid_filters="-F auid>="~auid~" -F auid!=unset",
++ syscalls=SYSCALL,
++ key="modify",
++ syscall_grouping=SYSCALL_GROUPING,
++ )|indent(4) }}}
++ when: audit_arch == "b64"
+diff --git a/shared/templates/audit_rules_path_syscall/template.py b/shared/templates/audit_rules_path_syscall/template.py
+index 7e0877a02b9..c13f34b94e0 100644
+--- a/shared/templates/audit_rules_path_syscall/template.py
++++ b/shared/templates/audit_rules_path_syscall/template.py
+@@ -11,4 +11,11 @@ def preprocess(data, lang):
+ if "syscall_grouping" in data:
+ # Make it easier to tranform the syscall_grouping into a Bash array
+ data["syscall_grouping"] = " ".join(data["syscall_grouping"])
++ elif lang == "ansible":
++ if "syscall" in data:
++ # Tranform the syscall into a Ansible list
++ data["syscall"] = [ data["syscall"] ]
++ if "syscall_grouping" not in data:
++ # Ensure that syscall_grouping is a list
++ data["syscall_grouping"] = []
+ return data
+
+From 27d64329d2d9d3cdac03f0a46866f99c299b430d Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 17 Aug 2021 16:37:12 +0200
+Subject: [PATCH 15/31] Move template audit_rules_dac_modification to Ansible
+ macro
+
+Use Ansible macro ansible_audit_augenrules_add_syscall_rule and
+ansible_audit_auditctl_add_syscall_rule that group the syscalls
+according to defined grouping.
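Review bot: The task names read `Perform remediattion of Audit rules for {{{ SYSCALL }}} ...` in both blocks; the non-templated rules in this patch spell it `Perform remediation`. `PATH` and `POS` are also concatenated into `other_filters` and from there into the macro's `contains:`/`regexp:` patterns unescaped at build time, so a path containing regex metacharacters would be treated as a pattern rather than matched literally — presumably harmless for the plain paths this template is used with, but worth a comment in the template such as `{{# PATH is spliced into a regex unescaped; keep it free of metacharacters #}}` so the constraint is visible. The `set_fact` for `audit_arch` this hunk opens with belongs to a play that starts outside the hunk.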
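Review bot: Defaulting `syscall_grouping` to `[]` switches off the existence check in the Ansible macro (its `find` loops over the grouping), so a rule without an explicit grouping appends its line whenever the exact `-F key=modify` text is absent, duplicating an equivalent `-k modify` rule already on the host; defaulting to the syscall itself after the wrap, `data["syscall_grouping"] = list(data.get("syscall", []))`, keeps the check working. The new comments also have `Tranform` for `Transform` and `a Ansible list` for `an Ansible list`. The `if` this `elif` chains to is outside the hunk, presumably the bash branch above it.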
+---
+ .../ansible.template | 152 ++++++++----------
+ .../audit_rules_dac_modification/template.py | 7 +
+ 2 files changed, 76 insertions(+), 83 deletions(-)
+
+diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template
+index d048978456d..d2ce6c50052 100644
+--- a/shared/templates/audit_rules_dac_modification/ansible.template
++++ b/shared/templates/audit_rules_dac_modification/ansible.template
+@@ -11,91 +11,77 @@
+ set_fact:
+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
+ 
+-#
+-# Inserts/replaces the rule in /etc/audit/rules.d
+-#
+-- name: Search /etc/audit/rules.d for other DAC audit rules
+- find:
+- paths: "/etc/audit/rules.d"
+- recurse: no
+- contains: "-F key=perm_mod$"
+- patterns: "*.rules"
+- register: find_{{{ ATTR }}}
+-
+-- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
+- set_fact:
+- all_files:
+- - /etc/audit/rules.d/privileged.rules
+- when: find_{{{ ATTR }}}.matched is defined and find_{{{ ATTR }}}.matched == 0
+-
+-- name: Use matched file as the recipient for the rule
+- set_fact:
+- all_files:
+- - "{{ find_{{{ ATTR }}}.files | map(attribute='path') | list | first }}"
+- when: find_{{{ ATTR }}}.matched is defined and find_{{{ ATTR }}}.matched > 0
+-
+-- name: Inserts/replaces the {{{ ATTR }}} rule in rules.d when on x86
+- lineinfile:
+- path: "{{ all_files[0] }}"
+- line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
+- create: yes
+-
++- name: Perform remediattion of Audit rules for {{{ ATTR }}} for x86 platform
++ block:
++ {{{ ansible_audit_augenrules_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b32",
++ other_filters="",
++ auid_filters="-F auid>="~auid~" -F auid!=unset",
++ syscalls=ATTR,
++ key="perm_mod",
++ syscall_grouping=SYSCALL_GROUPING,
++ )|indent(4) }}}
++ {{{
ansible_audit_auditctl_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b32",
++ other_filters="",
++ auid_filters="-F auid>="~auid~" -F auid!=unset",
++ syscalls=ATTR,
++ key="perm_mod",
++ syscall_grouping=SYSCALL_GROUPING,
++ )|indent(4) }}}
+ {{%- if CHECK_ROOT_USER %}}
+-- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in rules.d when on x86
+- lineinfile:
+- path: "{{ all_files[0] }}"
+- line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
+- create: yes
++ {{{ ansible_audit_augenrules_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b32",
++ other_filters="",
++ auid_filters="-F auid=0",
++ syscalls=ATTR,
++ key="perm_mod",
++ syscall_grouping=SYSCALL_GROUPING,
++ )|indent(4) }}}
++ {{{ ansible_audit_auditctl_add_syscall_rule(
++ action_arch_filters="-a always,exit -F arch=b32",
++ other_filters="",
++ auid_filters="-F auid=0",
++ syscalls=ATTR,
++ key="perm_mod",
++ syscall_grouping=SYSCALL_GROUPING,
++ )|indent(4) }}}
+ {{%- endif %}}
+ 
+-- name: Inserts/replaces the {{{ ATTR }}} rule in rules.d when on x86_64
+- lineinfile:
+- path: "{{ all_files[0] }}"
+- line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
+- create: yes
+- when: audit_arch is defined and audit_arch == 'b64'
+-
+-{{%- if CHECK_ROOT_USER %}}
+-- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in rules.d when on x86_64
+- lineinfile:
+- path: "{{ all_files[0] }}"
+- line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod"
+- create: yes
+- when: audit_arch is defined and audit_arch == 'b64'
+-{{%- endif %}}
+-#
+-# Inserts/replaces the rule in /etc/audit/audit.rules
+-#
+-- name: Inserts/replaces the {{{ ATTR }}} rule in /etc/audit/audit.rules when on x86
+- lineinfile:
+- line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod"
+- state: present
+- dest: /etc/audit/audit.rules
+- create: yes
+-
+-{{%- if CHECK_ROOT_USER %}} +-- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in /etc/audit/audit.rules when on x86 +- lineinfile: +- line: "-a always,exit -F arch=b32 -S {{{ ATTR }}} -F auid=0 -F key=perm_mod" +- state: present +- dest: /etc/audit/audit.rules +- create: yes +-{{%- endif %}} +- +-- name: Inserts/replaces the {{{ ATTR }}} rule in audit.rules when on x86_64 +- lineinfile: +- line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod" +- state: present +- dest: /etc/audit/audit.rules +- create: yes +- when: audit_arch is defined and audit_arch == 'b64' +- ++- name: Perform remediattion of Audit rules for {{{ ATTR }}} for x86_64 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b64", ++ other_filters="", ++ auid_filters="-F auid>="~auid~" -F auid!=unset", ++ syscalls=ATTR, ++ key="perm_mod", ++ syscall_grouping=SYSCALL_GROUPING, ++ )|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b64", ++ other_filters="", ++ auid_filters="-F auid>="~auid~" -F auid!=unset", ++ syscalls=ATTR, ++ key="perm_mod", ++ syscall_grouping=SYSCALL_GROUPING, ++ )|indent(4) }}} + {{%- if CHECK_ROOT_USER %}} +-- name: Inserts/replaces the {{{ ATTR }}} rule with auid=0 in audit.rules when on x86_64 +- lineinfile: +- line: "-a always,exit -F arch=b64 -S {{{ ATTR }}} -F auid=0 -F auid!=unset -F key=perm_mod" +- state: present +- dest: /etc/audit/audit.rules +- create: yes +- when: audit_arch is defined and audit_arch == 'b64' ++ {{{ ansible_audit_augenrules_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b64", ++ other_filters="", ++ auid_filters="-F auid=0", ++ syscalls=ATTR, ++ key="perm_mod", ++ syscall_grouping=SYSCALL_GROUPING, ++ )|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b64", ++ other_filters="", ++ 
auid_filters="-F auid=0", ++ syscalls=ATTR, ++ key="perm_mod", ++ syscall_grouping=SYSCALL_GROUPING, ++ )|indent(4) }}} + {{%- endif %}} ++ when: audit_arch == "b64" +diff --git a/shared/templates/audit_rules_dac_modification/template.py b/shared/templates/audit_rules_dac_modification/template.py +index 7dc53e81f7d..eebd0b6f4ee 100644 +--- a/shared/templates/audit_rules_dac_modification/template.py ++++ b/shared/templates/audit_rules_dac_modification/template.py +@@ -7,5 +7,12 @@ def preprocess(data, lang): + if "syscall_grouping" in data: + # Make it easier to tranform the syscall_grouping into a Bash array + data["syscall_grouping"] = " ".join(data["syscall_grouping"]) ++ elif lang == "ansible": ++ if "attr" in data: ++ # Tranform the syscall into a Ansible list ++ data["attr"] = [ data["attr"] ] ++ if "syscall_grouping" not in data: ++ # Ensure that syscall_grouping is a list ++ data["syscall_grouping"] = [] + + return data + +From cd507f507d3fb756c49e4ca19d47f17d951e1a9f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Aug 2021 16:59:48 +0200 +Subject: [PATCH 16/31] Move template + audit_rules_unsuccessfull_file_modification to Ansible macro + +Use Ansible macro ansible_audit_augenrules_add_syscall_rule and +ansible_audit_auditctl_add_syscall_rule that group the syscalls +according to defined grouping. 
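Review bot: The new `elif lang == "ansible"` branch writes `data["attr"] = [ data["attr"] ]` with padded brackets (PEP 8 E201/E202); `data["attr"] = [data["attr"]]` reads the same and keeps the linters quiet. The comment above it, `# Tranform the syscall into a Ansible list`, should read `# Transform the syscall into an Ansible list`, and the same two lines recur in the audit_rules_unsuccessful_file_modification and audit_rules_file_deletion_events template.py hunks later in this series. In the ansible.template hunk above, both task names spell `remediattion`; `Perform remediation of Audit rules for {{{ ATTR }}} for x86 platform` is intended, and the same misspelling appears in the unsuccessful_file_modification (x86_64 task only), privileged_commands and file_deletion_events templates. The `preprocess` function starts outside the hunk.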
+--- + .../ansible.template | 102 +++++++----------- + .../template.py | 8 ++ + 2 files changed, 47 insertions(+), 63 deletions(-) + +diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template +index 8e8e003a5b0..cb5decc6a6e 100644 +--- a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template ++++ b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template +@@ -11,67 +11,43 @@ + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +-# +-# Inserts/replaces the rule in /etc/audit/rules.d +-# +-- name: Search /etc/audit/rules.d for other DAC audit rules +- find: +- paths: "/etc/audit/rules.d" +- recurse: no +- contains: "-F key=perm_mod$" +- patterns: "*.rules" +- register: find_{{{ NAME }}} +- +-- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule +- set_fact: +- all_files: +- - /etc/audit/rules.d/access.rules +- when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched == 0 +- +-- name: Use matched file as the recipient for the rule +- set_fact: +- all_files: +- - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" +- when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched > 0 +- +-- name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86 +- lineinfile: +- path: "{{ all_files[0] }}" +- line: "{{ item }}" +- create: yes +- with_items: +- - "-a always,exit -F arch=b32 -S {{{ NAME }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=access" +- - "-a always,exit -F arch=b32 -S {{{ NAME }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=access" +- +-- name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86_64 +- lineinfile: +- path: "{{ all_files[0] }}" +- line: "{{ item }}" +- create: yes +- with_items: +- - "-a always,exit -F 
arch=b64 -S {{{ NAME }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=access" +- - "-a always,exit -F arch=b64 -S {{{ NAME }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=access" +- when: audit_arch is defined and audit_arch == 'b64' +-# +-# Inserts/replaces the rule in /etc/audit/audit.rules +-# +-- name: Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules when on x86 +- lineinfile: +- line: "{{ item }}" +- state: present +- dest: /etc/audit/audit.rules +- create: yes +- with_items: +- - "-a always,exit -F arch=b32 -S {{{ NAME }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=access" +- - "-a always,exit -F arch=b32 -S {{{ NAME }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=access" ++{{% for EXIT_CODE in ["EACCES","EPERM"] %}} ++- name: Perform remediation of Audit rules for {{{ NAME }}} {{{ EXIT_CODE}}} for x86 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b32", ++ other_filters="-F exit=-"~EXIT_CODE, ++ auid_filters="-F auid>="~auid~" -F auid!=unset", ++ syscalls=NAME, ++ key="access", ++ syscall_grouping=SYSCALL_GROUPING, ++ )|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b32", ++ other_filters="-F exit=-"~EXIT_CODE, ++ auid_filters="-F auid>="~auid~" -F auid!=unset", ++ syscalls=NAME, ++ key="access", ++ syscall_grouping=SYSCALL_GROUPING, ++ )|indent(4) }}} + +-- name: Inserts/replaces the {{{ NAME }}} rule in audit.rules when on x86_64 +- lineinfile: +- line: "{{ item }}" +- state: present +- dest: /etc/audit/audit.rules +- create: yes +- with_items: +- - "-a always,exit -F arch=b64 -S {{{ NAME }}} -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=access" +- - "-a always,exit -F arch=b64 -S {{{ NAME }}} -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=access" +- when: audit_arch is defined and audit_arch == 'b64' ++- name: Perform 
remediattion of Audit rules for {{{ NAME }}} {{{ EXIT_CODE }}} for x86_64 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b64", ++ other_filters="-F exit=-"~EXIT_CODE, ++ auid_filters="-F auid>="~auid~" -F auid!=unset", ++ syscalls=NAME, ++ key="access", ++ syscall_grouping=SYSCALL_GROUPING, ++ )|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b64", ++ other_filters="-F exit=-"~EXIT_CODE, ++ auid_filters="-F auid>="~auid~" -F auid!=unset", ++ syscalls=NAME, ++ key="access", ++ syscall_grouping=SYSCALL_GROUPING, ++ )|indent(4) }}} ++ when: audit_arch == "b64" ++{{% endfor %}} +diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/template.py b/shared/templates/audit_rules_unsuccessful_file_modification/template.py +index a4e58609f66..62abfad9a2c 100644 +--- a/shared/templates/audit_rules_unsuccessful_file_modification/template.py ++++ b/shared/templates/audit_rules_unsuccessful_file_modification/template.py +@@ -6,6 +6,14 @@ def _audit_rules_unsuccessful_file_modification(data, lang): + if "syscall_grouping" in data: + # Make it easier to tranform the syscall_grouping into a Bash array + data["syscall_grouping"] = " ".join(data["syscall_grouping"]) ++ elif lang == "ansible": ++ if "name" in data: ++ # Tranform the syscall into a Ansible list ++ # The syscall is under 'name' ++ data["name"] = [ data["name"] ] ++ if "syscall_grouping" not in data: ++ # Ensure that syscall_grouping is a list ++ data["syscall_grouping"] = [] + return data + + + +From 52dcdb4be6c1b450bfb074684b4657a40963e752 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Aug 2021 17:34:26 +0200 +Subject: [PATCH 17/31] Add syscall_groups to unsuccessful_file_mofication + rules + +The groupings were based on the rule description. 
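Review bot: The two iterations of `{{% for EXIT_CODE in ["EACCES","EPERM"] %}}` invoke the macros with identical `syscalls`, `key="access"` and arch filters and differ only in `other_filters`, so whether the second iteration writes its own line depends on how the macro's existing-rule search (in shared/macros-ansible.jinja, outside this hunk) matches; if it keys on syscalls and key alone, the `-F exit=-EPERM` rule would be considered already present and never added, leaving EPERM failures unaudited. Worth confirming with a rendered-playbook test that both the `-F exit=-EACCES` and `-F exit=-EPERM` lines land in rules.d and audit.rules. Separately, the x86 task name reads `remediation` with `{{{ EXIT_CODE}}}` missing a space, while the x86_64 task reads `remediattion`; both should be `Perform remediation of Audit rules for {{{ NAME }}} {{{ EXIT_CODE }}} for … platform`.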
+--- + .../rule.yml | 7 +++++++ + .../rule.yml | 5 +++++ + .../rule.yml | 7 +++++++ + .../rule.yml | 7 +++++++ + .../rule.yml | 5 +++++ + .../rule.yml | 5 +++++ + .../rule.yml | 7 +++++++ + .../rule.yml | 5 +++++ + .../rule.yml | 7 +++++++ + .../rule.yml | 5 +++++ + .../rule.yml | 5 +++++ + .../rule.yml | 6 ++++++ + .../rule.yml | 7 +++++++ + .../rule.yml | 5 +++++ + .../rule.yml | 5 +++++ + 15 files changed, 88 insertions(+) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml +index 7cf5855bcae..ddfe1e9d6c3 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chmod/rule.yml +@@ -51,3 +51,10 @@ template: + name: audit_rules_unsuccessful_file_modification + vars: + name: chmod ++ syscall_grouping: ++ - chmod ++ - fchmod ++ - fchmodat ++ - fsetxattr ++ - lsetxattr ++ - setxattr +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml +index 090463bd402..6ca6e27b24d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_chown/rule.yml +@@ -51,3 +51,8 @@ template: + name: audit_rules_unsuccessful_file_modification + vars: + name: chown ++ syscall_grouping: ++ - chown ++ 
- fchown ++ - fchownat ++ - lchown +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml +index fc2b945ef9b..1a93b4537e0 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmod/rule.yml +@@ -51,3 +51,10 @@ template: + name: audit_rules_unsuccessful_file_modification + vars: + name: fchmod ++ syscall_grouping: ++ - chmod ++ - fchmod ++ - fchmodat ++ - fsetxattr ++ - lsetxattr ++ - setxattr +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml +index e4da28ec070..dd77cd60639 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchmodat/rule.yml +@@ -51,3 +51,10 @@ template: + name: audit_rules_unsuccessful_file_modification + vars: + name: fchmodat ++ syscall_grouping: ++ - chmod ++ - fchmod ++ - fchmodat ++ - fsetxattr ++ - lsetxattr ++ - setxattr +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml +index 
69a9ddf72b1..3e5da890340 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchown/rule.yml +@@ -51,3 +51,8 @@ template: + name: audit_rules_unsuccessful_file_modification + vars: + name: fchown ++ syscall_grouping: ++ - chown ++ - fchown ++ - fchownat ++ - lchown +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml +index 7da6b8a4d73..76f0e177b67 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fchownat/rule.yml +@@ -51,3 +51,8 @@ template: + name: audit_rules_unsuccessful_file_modification + vars: + name: fchownat ++ syscall_grouping: ++ - chown ++ - fchown ++ - fchownat ++ - lchown +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml +index eaa9f32081f..bf1ff86737c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr/rule.yml +@@ -51,3 +51,10 @@ template: + name: 
audit_rules_unsuccessful_file_modification + vars: + name: fsetxattr ++ syscall_grouping: ++ - chmod ++ - fchmod ++ - fchmodat ++ - fsetxattr ++ - lsetxattr ++ - setxattr +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml +index 84c71963545..3d42cea2ac1 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lchown/rule.yml +@@ -55,3 +55,8 @@ template: + name: audit_rules_unsuccessful_file_modification + vars: + name: lchown ++ syscall_grouping: ++ - chown ++ - fchown ++ - fchownat ++ - lchown +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml +index 1de114c65d5..e388ec2d69e 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr/rule.yml +@@ -51,3 +51,10 @@ template: + name: audit_rules_unsuccessful_file_modification + vars: + name: lsetxattr ++ syscall_grouping: ++ - chmod ++ - fchmod ++ - fchmodat ++ - fsetxattr ++ - lsetxattr ++ - setxattr +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml +index 0aac53c1d2f..ae390fc9904 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml +@@ -64,3 +64,8 @@ template: + name: audit_rules_unsuccessful_file_modification + vars: + name: rename ++ syscall_grouping: ++ - rename ++ - renameat ++ - unlink ++ - unlinkat +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml +index 81bb79b5589..ab5d3b8d7b3 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml +@@ -64,3 +64,8 @@ template: + name: audit_rules_unsuccessful_file_modification + vars: + name: renameat ++ syscall_grouping: ++ - rename ++ - renameat ++ - unlink ++ - unlinkat +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml +index 57dc243760d..f0c7e1a9ca9 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml +@@ -49,3 +49,9 @@ template: + name: audit_rules_unsuccessful_file_modification + vars: + name: renameat2 ++ syscall_grouping: ++ - rename ++ - renameat ++ - renameat2 ++ - unlink ++ - unlinkat +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml +index a406dba0e8d..a45d0cdac86 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_setxattr/rule.yml +@@ -51,3 +51,10 @@ template: + name: audit_rules_unsuccessful_file_modification + vars: + name: setxattr ++ syscall_grouping: ++ - chmod ++ - fchmod ++ - fchmodat ++ - fsetxattr ++ - lsetxattr ++ - setxattr +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml +index 55f4582ba74..c78957bab21 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml +@@ -66,3 +66,8 @@ template: + name: audit_rules_unsuccessful_file_modification + vars: + name: unlink ++ syscall_grouping: ++ - rename ++ - renameat ++ - unlink ++ - unlinkat +diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml +index 0a672366fe8..8fa62518cb5 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml +@@ -66,3 +66,8 @@ template: + name: audit_rules_unsuccessful_file_modification + vars: + name: unlinkat ++ syscall_grouping: ++ - rename ++ - renameat ++ - unlink ++ - unlinkat + +From bc7152399c205b25c9a471deffc0497d26896cd7 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Aug 2021 17:45:45 +0200 +Subject: [PATCH 18/31] Move template audit_rules_privileged_commands to + Ansible macro + +Update the macros to handle better empty syscalls parameter. + +Use Ansible macro ansible_audit_augenrules_add_syscall_rule and +ansible_audit_auditctl_add_syscall_rule that group the syscalls +according to defined grouping. 
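Review bot: The `syscall_grouping` added for `audit_rules_unsuccessful_file_modification_renameat2` lists five syscalls including `renameat2`, while the groupings added for `rename`, `renameat`, `unlink` and `unlinkat` in the earlier hunks of this commit list only four and omit `renameat2`. If the macro groups by the exact set, the renameat2 rule will emit a separate `-S rename,renameat,renameat2,unlink,unlinkat` line alongside the `-S rename,renameat,unlink,unlinkat` line produced by the other four rules, auditing the same syscalls twice; if it groups by membership, the outcome depends on which rule is remediated first. Unless the rule descriptions intentionally differ, either add `- renameat2` to the four groupings or drop it from the renameat2 grouping so every rule in the family declares the same set, as the chmod/xattr and chown families already do.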
+---
+ shared/macros-ansible.jinja | 14 ++++-
+ .../ansible.template | 56 +++++++------------
+ .../template.py | 4 ++
+ 3 files changed, 35 insertions(+), 39 deletions(-)
+
+diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
+index 5e120deee58..a067742b1f4 100644
+--- a/shared/macros-ansible.jinja
++++ b/shared/macros-ansible.jinja
+@@ -404,6 +404,11 @@ The macro requires following parameters:
+ {{% if auid_filters != "" %}}
+ {{% set auid_filters = " " ~ auid_filters %}}
+ {{% endif %}}
++{{% if syscalls == [] %}}
++ {{% set syscall_flag = "" %}}
++{{% else %}}
++ {{% set syscall_flag = " -S " %}}
++{{% endif %}}
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls: {{{ syscalls }}}
+@@ -455,7 +460,7 @@ The macro requires following parameters:
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+- line: "{{{ action_arch_filters }}} -S {{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
++ line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
+ create: true
+ state: present
+ when: syscalls_found | length == 0
+@@ -483,6 +488,11 @@ The macro requires following parameters:
+ {{% if auid_filters!= "" %}}
+ {{% set auid_filters = " " ~ auid_filters %}}
+ {{% endif %}}
++{{% if syscalls == [] %}}
++ {{% set syscall_flag = "" %}}
++{{% else %}}
++ {{% set syscall_flag = " -S " %}}
++{{% endif %}}
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls: {{{ syscalls }}}
+@@ -518,7 +528,7 @@ The macro requires following parameters:
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+- line: "{{{ action_arch_filters }}} -S {{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
++ line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}"
+ create: true
+ state: present
+ when: syscalls_found | length == 0
+diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template
+index 06154e10ceb..b1788b59b8a 100644
+--- a/shared/templates/audit_rules_privileged_commands/ansible.template
++++ b/shared/templates/audit_rules_privileged_commands/ansible.template
+@@ -1,5 +1,5 @@
+ {{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}}
+- {{%- set perm_x="-F perm=x " %}}
++ {{%- set perm_x=" -F perm=x" %}}
+ {{%- endif %}}
+ # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+ # reboot = false
+@@ -7,39 +7,21 @@
+ # complexity = low
+ # disruption = low
+
+-# Inserts/replaces the rule in /etc/audit/rules.d
+-
+-- name: Search /etc/audit/rules.d for audit rule entries
+- find:
+- paths: "/etc/audit/rules.d"
+- recurse: no
+- contains: "^.*path={{{ PATH }}}.*$"
+- patterns: "*.rules"
+- register: find_{{{ NAME }}}
+-
+-- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
+- set_fact:
+- all_files:
+- - /etc/audit/rules.d/privileged.rules
+- when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched == 0
+-
+-- name: Use matched file as the recipient for the rule
+- set_fact:
+- all_files:
+- - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}"
+- when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched > 0
+-
+-
+-- name: Inserts/replaces the {{{ NAME }}} rule in rules.d
+- lineinfile:
+- path: "{{ all_files[0] }}"
+- line: '-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
+- create: yes
+-
+-# Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules
+-
+-- name: Inserts/replaces the {{{ NAME }}} rule in audit.rules
+- lineinfile:
+- path: /etc/audit/audit.rules
+- line: '-a always,exit -F path={{{ PATH }}} {{{ perm_x }}}-F 
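Review bot: The new `{{% if syscalls == [] %}}` branches change the contract of both macros — `syscalls` may now be an empty list, in which case no `-S` clause is emitted and the rendered rule is `{{{ action_arch_filters }}}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}` — but the parameter description under `The macro requires following parameters:` sits above the hunk and is not updated. Add to the `syscalls` entry of both macros a sentence such as `syscalls: list of syscall names; may be empty for rules that match on path or other filters only, in which case no -S clause is emitted`. Because the test is an equality against `[]`, a `syscalls` value that arrives as a string (the templates convert it to a list in template.py) would still render ` -S ` followed by the string's characters joined by commas, so stating the list requirement in the docs makes that precondition visible. Both macro definitions start outside the hunk.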
auid>={{{ auid }}} -F auid!=unset -F key=privileged' +- create: yes ++- name: Perform remediattion of Audit rules for {{{ PATH }}} ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule( ++ action_arch_filters="-a always,exit", ++ other_filters="-F path="~PATH~perm_x, ++ auid_filters="-F auid>="~auid~" -F auid!=unset", ++ syscalls=SYSCALL, ++ key="privileged", ++ syscall_grouping=SYSCALL_GROUPING, ++ )|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule( ++ action_arch_filters="-a always,exit", ++ other_filters="-F path="~PATH~perm_x, ++ auid_filters="-F auid>="~auid~" -F auid!=unset", ++ syscalls=SYSCALL, ++ key="privileged", ++ syscall_grouping=SYSCALL_GROUPING, ++ )|indent(4) }}} +diff --git a/shared/templates/audit_rules_privileged_commands/template.py b/shared/templates/audit_rules_privileged_commands/template.py +index 43302a6690a..0cf6cba79cc 100644 +--- a/shared/templates/audit_rules_privileged_commands/template.py ++++ b/shared/templates/audit_rules_privileged_commands/template.py +@@ -19,4 +19,8 @@ def preprocess(data, lang): + if "syscall_grouping" in data: + # Make it easier to tranform the syscall_grouping into a Bash array + data["syscall_grouping"] = " ".join(data["syscall_grouping"]) ++ elif lang == "ansible": ++ # This template does not use the 'syscall' parameters ++ data["syscall"] = [] ++ data["syscall_grouping"] = [] + return data + +From 93e082296abbaa4f62e1352e4240c72ade510740 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Aug 2021 18:15:50 +0200 +Subject: [PATCH 19/31] Move template audit_rules_file_deletion_events to + Ansible macro + +Use Ansible macro ansible_audit_augenrules_add_syscall_rule and +ansible_audit_auditctl_add_syscall_rule that group the syscalls +according to defined grouping. 
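Review bot: `other_filters="-F path="~PATH~perm_x` concatenates `perm_x`, which the `{{%- if product in [...] %}}` guard at the top of the file only sets for the listed products; for every other product the expression relies on Jinja rendering an undefined name as an empty string, which the old `{{{ perm_x }}}` output also relied on but which now sits inside a string concatenation and would fail under a strict-undefined environment. An explicit default keeps the template self-describing: add `{{%- else %}}` / `  {{%- set perm_x="" %}}` before the `{{%- endif %}}` in the first hunk. The task name also reads `remediattion`; `Perform remediation of Audit rules for {{{ PATH }}}` is intended, and the template.py comment below should read `# This template does not use the 'syscall' parameter`.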
+--- + .../ansible.template | 88 ++++++++----------- + .../template.py | 8 ++ + 2 files changed, 45 insertions(+), 51 deletions(-) + +diff --git a/shared/templates/audit_rules_file_deletion_events/ansible.template b/shared/templates/audit_rules_file_deletion_events/ansible.template +index 12d6088ecea..ec732133838 100644 +--- a/shared/templates/audit_rules_file_deletion_events/ansible.template ++++ b/shared/templates/audit_rules_file_deletion_events/ansible.template +@@ -11,55 +11,41 @@ + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +-# +-# Inserts/replaces the rule in /etc/audit/rules.d +-# +-- name: Search /etc/audit/rules.d for other DAC audit rules +- find: +- paths: "/etc/audit/rules.d" +- recurse: no +- contains: "-F key=delete$" +- patterns: "*.rules" +- register: find_{{{ NAME }}} +- +-- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule +- set_fact: +- all_files: +- - /etc/audit/rules.d/delete.rules +- when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched == 0 +- +-- name: Use matched file as the recipient for the rule +- set_fact: +- all_files: +- - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" +- when: find_{{{ NAME }}}.matched is defined and find_{{{ NAME }}}.matched > 0 +- +-- name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86 +- lineinfile: +- path: "{{ all_files[0] }}" +- line: "-a always,exit -F arch=b32 -S {{{ NAME }}} -F auid>={{{ auid }}} -F auid!=unset -F key=delete" +- create: yes +- +-- name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86_64 +- lineinfile: +- path: "{{ all_files[0] }}" +- line: "-a always,exit -F arch=b64 -S {{{ NAME }}} -F auid>={{{ auid }}} -F auid!=unset -F key=delete" +- create: yes +- when: audit_arch is defined and audit_arch == 'b64' +-# +-# Inserts/replaces the rule in /etc/audit/audit.rules +-# +-- name: Inserts/replaces the {{{ NAME }}} rule 
in /etc/audit/audit.rules when on x86 +- lineinfile: +- line: "-a always,exit -F arch=b32 -S {{{ NAME }}} -F auid>={{{ auid }}} -F auid!=unset -F key=delete" +- state: present +- dest: /etc/audit/audit.rules +- create: yes ++- name: Perform remediattion of Audit rules for {{{ NAME }}} for x86 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b32", ++ other_filters="", ++ auid_filters="-F auid>="~auid~" -F auid!=unset", ++ syscalls=NAME, ++ key="delete", ++ syscall_grouping=SYSCALL_GROUPING, ++ )|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b32", ++ other_filters="", ++ auid_filters="-F auid>="~auid~" -F auid!=unset", ++ syscalls=NAME, ++ key="delete", ++ syscall_grouping=SYSCALL_GROUPING, ++ )|indent(4) }}} + +-- name: Inserts/replaces the {{{ NAME }}} rule in audit.rules when on x86_64 +- lineinfile: +- line: "-a always,exit -F arch=b64 -S {{{ NAME }}} -F auid>={{{ auid }}} -F auid!=unset -F key=delete" +- state: present +- dest: /etc/audit/audit.rules +- create: yes +- when: audit_arch is defined and audit_arch == 'b64' ++- name: Perform remediattion of Audit rules for {{{ NAME }}} for x86_64 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b64", ++ other_filters="", ++ auid_filters="-F auid>="~auid~" -F auid!=unset", ++ syscalls=NAME, ++ key="delete", ++ syscall_grouping=SYSCALL_GROUPING, ++ )|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b64", ++ other_filters="", ++ auid_filters="-F auid>="~auid~" -F auid!=unset", ++ syscalls=NAME, ++ key="delete", ++ syscall_grouping=SYSCALL_GROUPING, ++ )|indent(4) }}} ++ when: audit_arch == "b64" +diff --git a/shared/templates/audit_rules_file_deletion_events/template.py b/shared/templates/audit_rules_file_deletion_events/template.py +index 7be137c1eb9..1141a99826b 
100644 +--- a/shared/templates/audit_rules_file_deletion_events/template.py ++++ b/shared/templates/audit_rules_file_deletion_events/template.py +@@ -6,6 +6,14 @@ def _audit_rules_file_deletion_events(data, lang): + if "syscall_grouping" in data: + # Make it easier to tranform the syscall_grouping into a Bash array + data["syscall_grouping"] = " ".join(data["syscall_grouping"]) ++ elif lang == "ansible": ++ if "name" in data: ++ # Tranform the syscall into a Ansible list ++ # The syscall is under 'name' ++ data["name"] = [ data["name"] ] ++ if "syscall_grouping" not in data: ++ # Ensure that syscall_grouping is a list ++ data["syscall_grouping"] = [] + return data + + + +From 5db4692a9efd86713e79c6fb72f87bf4898338e9 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Aug 2021 19:16:54 +0200 +Subject: [PATCH 20/31] Update Ansible audit_rules_kernel_module_loading_* to + use macros + +Update remediation of following rules to use Ansible macro syscall rule +- audit_rules_kernel_module_loading_delete +- audit_rules_kernel_module_loading_finit +- audit_rules_kernel_module_loading_init +--- + .../ansible/shared.yml | 89 ++++++++----------- + .../ansible/shared.yml | 89 ++++++++----------- + .../ansible/shared.yml | 88 ++++++++---------- + 3 files changed, 114 insertions(+), 152 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml +index 60f477ac355..863ba6f0134 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml +@@ -10,54 +10,41 @@ + set_fact: + audit_arch: 
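Review bot: `data["name"] = [ data["name"] ]` wraps the value unconditionally, so a rule that already supplies `name` as a list would reach the Ansible macros as a nested list and break the `join`/`+ syscalls` expressions that consume it; guarding the wrap with `if not isinstance(data["name"], list):` makes the preprocessing safe to apply to either form. The two new comments should read `# Transform the syscall into an Ansible list` and `# The syscall is under 'name'`. The indentation of the new `elif lang == "ansible":` is lost in this rendering, so which `if` it pairs with cannot be confirmed from here; the function's opening lies outside the hunk.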
"b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +-# Inserts/replaces the rule in /etc/audit/rules.d +- +-- name: Search /etc/audit/rules.d for audit rule entries +- find: +- paths: /etc/audit/rules.d +- recurse: false +- contains: ^.*delete_module.*$ +- patterns: '*.rules' +- register: find_delete_module +- +-- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- set_fact: +- all_files: +- - /etc/audit/rules.d/privileged.rules +- when: find_delete_module.matched is defined and find_delete_module.matched == 0 +- +-- name: Use matched file as the recipient for the rule +- set_fact: +- all_files: +- - '{{ find_delete_module.files | map(attribute=''path'') | list | first }}' +- when: find_delete_module.matched is defined and find_delete_module.matched > 0 +- +-- name: Inserts/replaces the delete_module rule in rules.d +- lineinfile: +- path: '{{ all_files[0] }}' +- line: '-a always,exit -F arch=b32 -S delete_module -k module-change' +- state: present +- create: true +- +-- name: Inserts/replaces the delete_module rule in rules.d on x86_64 +- lineinfile: +- path: '{{ all_files[0] }}' +- line: '-a always,exit -F arch=b64 -S delete_module -k module-change' +- state: present +- create: true +- when: audit_arch is defined and audit_arch == 'b64' +- +-# Inserts/replaces the delete_modules rule in /etc/audit/audit.rules +- +-- name: Inserts/replaces the delete_module rule in audit.rules +- lineinfile: +- path: /etc/audit/audit.rules +- line: '-a always,exit -F arch=b32 -S delete_module -k module-change' +- create: true +- +-- name: Inserts/replaces the delete_module rule in audit.rules when on x86_64 +- lineinfile: +- path: /etc/audit/audit.rules +- line: '-a always,exit -F arch=b64 -S delete_module -k module-change' +- create: true +- when: audit_arch is defined and audit_arch == 'b64' ++- name: Perform remediattion of Audit rules for delete_module for x86 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule( ++ 
action_arch_filters="-a always,exit -F arch=b32", ++ other_filters="", ++ auid_filters="", ++ syscalls=["delete_module"], ++ key="module-change", ++ syscall_grouping=[], ++ )|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b32", ++ other_filters="", ++ auid_filters="", ++ syscalls=["delete_module"], ++ key="module-change", ++ syscall_grouping=[], ++ )|indent(4) }}} ++ ++- name: Perform remediattion of Audit rules for delete_module for x86_64 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b64", ++ other_filters="", ++ auid_filters="", ++ syscalls=["delete_module"], ++ key="module-change", ++ syscall_grouping=[], ++ )|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b64", ++ other_filters="", ++ auid_filters="", ++ syscalls=["delete_module"], ++ key="module-change", ++ syscall_grouping=[], ++ )|indent(4) }}} ++ when: audit_arch == "b64" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml +index 3f3c3e3d947..268f0a57f11 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml +@@ -10,54 +10,41 @@ + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +-# Inserts/replaces the rule in /etc/audit/rules.d +- +-- name: Search /etc/audit/rules.d for audit rule entries +- find: +- paths: /etc/audit/rules.d +- recurse: false +- contains: ^.*finit_module.*$ +- 
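Review bot: The delete_module remediation passes `syscall_grouping=[]`, while the finit_module and init_module hunks that follow pass `syscall_grouping=["init_module","finit_module"]`, so delete_module is never merged into an existing `-S init_module,finit_module` line and the other two never merge with a delete_module line even though all three share the `module-change` key. If one combined rule is the intent, all three should carry the same group, e.g. `syscall_grouping=["init_module","finit_module","delete_module"],` in each of the four macro calls; if separate lines are intended, a short comment above the first block saying so would stop the next reader from "fixing" it. The macro's grouping logic itself is outside this hunk, so this is inferred from the parameter names only.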
patterns: '*.rules' +- register: find_finit_module +- +-- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- set_fact: +- all_files: +- - /etc/audit/rules.d/privileged.rules +- when: find_finit_module.matched is defined and find_finit_module.matched == 0 +- +-- name: Use matched file as the recipient for the rule +- set_fact: +- all_files: +- - '{{ find_finit_module.files | map(attribute=''path'') | list | first }}' +- when: find_finit_module.matched is defined and find_finit_module.matched > 0 +- +-- name: Inserts/replaces the finit_module rule in rules.d +- lineinfile: +- path: '{{ all_files[0] }}' +- line: '-a always,exit -F arch=b32 -S finit_module -k module-change' +- state: present +- create: true +- +-- name: Inserts/replaces the finit_module rule in rules.d on x86_64 +- lineinfile: +- path: '{{ all_files[0] }}' +- line: '-a always,exit -F arch=b64 -S finit_module -k module-change' +- state: present +- create: true +- when: audit_arch is defined and audit_arch == 'b64' +- +-# Inserts/replaces the finit_modules rule in /etc/audit/audit.rules +- +-- name: Inserts/replaces the finit_module rule in audit.rules +- lineinfile: +- path: /etc/audit/audit.rules +- line: '-a always,exit -F arch=b32 -S finit_module -k module-change' +- create: true +- +-- name: Inserts/replaces the finit_module rule in audit.rules when on x86_64 +- lineinfile: +- path: /etc/audit/audit.rules +- line: '-a always,exit -F arch=b64 -S finit_module -k module-change' +- create: true +- when: audit_arch is defined and audit_arch == 'b64' ++- name: Perform remediattion of Audit rules for finit_module for x86 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b32", ++ other_filters="", ++ auid_filters="", ++ syscalls=["finit_module"], ++ key="module-change", ++ syscall_grouping=["init_module","finit_module"], ++ )|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule( ++ action_arch_filters="-a 
always,exit -F arch=b32", ++ other_filters="", ++ auid_filters="", ++ syscalls=["finit_module"], ++ key="module-change", ++ syscall_grouping=["init_module","finit_module"], ++ )|indent(4) }}} ++ ++- name: Perform remediattion of Audit rules for finit_module for x86_64 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b64", ++ other_filters="", ++ auid_filters="", ++ syscalls=["finit_module"], ++ key="module-change", ++ syscall_grouping=["init_module","finit_module"], ++ )|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b64", ++ other_filters="", ++ auid_filters="", ++ syscalls=["finit_module"], ++ key="module-change", ++ syscall_grouping=["init_module","finit_module"], ++ )|indent(4) }}} ++ when: audit_arch == "b64" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml +index 3f58125065b..2155a1835c6 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml +@@ -10,53 +10,41 @@ + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +-# Inserts/replaces the rule in /etc/audit/rules.d +- +-- name: Search /etc/audit/rules.d for audit rule entries +- find: +- paths: /etc/audit/rules.d +- recurse: false +- contains: ^.*init_module.*$ +- patterns: '*.rules' +- register: find_init_module +- +-- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- set_fact: +- all_files: +- - 
/etc/audit/rules.d/privileged.rules +- when: find_init_module.matched is defined and find_init_module.matched == 0 +- +-- name: Use matched file as the recipient for the rule +- set_fact: +- all_files: +- - '{{ find_init_module.files | map(attribute=''path'') | list | first }}' +- when: find_init_module.matched is defined and find_init_module.matched > 0 +- +-- name: Inserts/replaces the init_module rule in rules.d +- lineinfile: +- path: '{{ all_files[0] }}' +- line: '-a always,exit -F arch=b32 -S init_module -k module-change' +- state: present +- create: true +- +-- name: Inserts/replaces the init_module rule in rules.d on x86_64 +- lineinfile: +- path: '{{ all_files[0] }}' +- line: '-a always,exit -F arch=b64 -S init_module -k module-change' +- state: present +- create: true +- when: audit_arch is defined and audit_arch == 'b64' +- +-# Inserts/replaces the init_modules rule in /etc/audit/audit.rules +- +-- name: Inserts/replaces the init_module rule in audit.rules +- lineinfile: +- path: /etc/audit/audit.rules +- line: '-a always,exit -F arch=b32 -S init_module -k module-change' +- create: true +-- name: Inserts/replaces the init_module rule in audit.rules when on x86_64 +- lineinfile: +- path: /etc/audit/audit.rules +- line: '-a always,exit -F arch=b64 -S init_module -k module-change' +- create: true +- when: audit_arch is defined and audit_arch == 'b64' ++- name: Perform remediattion of Audit rules for init_module for x86 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b32", ++ other_filters="", ++ auid_filters="", ++ syscalls=["init_module"], ++ key="module-change", ++ syscall_grouping=["init_module","finit_module"], ++ )|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b32", ++ other_filters="", ++ auid_filters="", ++ syscalls=["init_module"], ++ key="module-change", ++ syscall_grouping=["init_module","finit_module"], ++ )|indent(4) 
}}} ++ ++- name: Perform remediattion of Audit rules for init_module for x86_64 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b64", ++ other_filters="", ++ auid_filters="", ++ syscalls=["init_module"], ++ key="module-change", ++ syscall_grouping=["init_module","finit_module"], ++ )|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule( ++ action_arch_filters="-a always,exit -F arch=b64", ++ other_filters="", ++ auid_filters="", ++ syscalls=["init_module"], ++ key="module-change", ++ syscall_grouping=["init_module","finit_module"], ++ )|indent(4) }}} ++ when: audit_arch == "b64" + +From 98843a14147ea7db9d6ef96580ed4b8e9c15f67f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Aug 2021 19:31:15 +0200 +Subject: [PATCH 21/31] Update directory_access_var_log_audit to use Ansible + macro + +Also fix a bug in Bash remediation, there should be no arch. +--- + .../ansible/shared.yml | 51 +++++++------------ + .../bash/shared.sh | 2 +- + 2 files changed, 19 insertions(+), 34 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml +index 31b65a0833c..bc6e929372f 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml +@@ -3,36 +3,21 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- name: Search /etc/audit/rules.d for audit rule entries +- find: +- paths: /etc/audit/rules.d +- recurse: false +- contains: ^.*dir=/var/log/audit/.*$ +- patterns: '*.rules' +- register: find_var_log_audit +- +-- name: Use /etc/audit/rules.d/access-audit-trail.rules as the recipient for the rule +- set_fact: +- all_files: +- - 
/etc/audit/rules.d/access-audit-trail.rules +- when: find_var_log_audit.matched == 0 +- +-- name: Use matched file as the recipient for the rule +- set_fact: +- all_files: +- - '{{ find_var_log_audit.files | map(attribute=''path'') | list | first }}' +- when: find_var_log_audit.matched > 0 +- +-- name: Inserts/replaces the /var/log/audit/ rule in rules.d +- lineinfile: +- path: '{{ all_files[0] }}' +- line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset +- -F key=access-audit-trail +- create: true +- +-- name: Inserts/replaces the /var/log/audit/ rule in audit.rules +- lineinfile: +- path: /etc/audit/audit.rules +- line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset +- -F key=access-audit-trail +- create: true ++- name: Perform remediattion of Audit rules for /var/log/audit ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule( ++ action_arch_filters="-a always,exit", ++ other_filters="-F dir=/var/log/audit/ -F perm=r", ++ auid_filters="-F auid>="~auid~" -F auid!=unset", ++ syscalls=[], ++ key="access-audit-trail", ++ syscall_grouping=[], ++ )|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule( ++ action_arch_filters="-a always,exit", ++ other_filters="-F dir=/var/log/audit/ -F perm=r", ++ auid_filters="-F auid>="~auid~" -F auid!=unset", ++ syscalls=[], ++ key="access-audit-trail", ++ syscall_grouping=[], ++ )|indent(4) }}} +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh +index 0c4e8ffdbd3..a8e4a71a9f8 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh +@@ -3,7 +3,7 @@ + # Include source function library. + . 
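Review bot: This watch rule is fed to a syscall-rule macro with `syscalls=[]` and `syscall_grouping=[]`, and the macro's `contains` regex (visible in the later macros-ansible.jinja hunk) requires at least one `(( -S |,)item)` element, so the existence check can never match an existing `-F dir=/var/log/audit/` line and the "add a new rule" task will run on every pass. That is harmless only because `lineinfile` with `state: present` is idempotent for the byte-identical line; a pre-existing rule with the same filters but a different key or ordering would be left in place and a second one appended. A comment above the block such as `# no -S element: the macro's existence check finds nothing, lineinfile's exact-line match is the only dedup` would make that reliance explicit until the macro gains a watch-rule path.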
/usr/share/scap-security-guide/remediation_functions + +-ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" ++ACTION_ARCH_FILTERS="-a always,exit" + OTHER_FILTERS="-F dir=/var/log/audit/ -F perm=r" + AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" + SYSCALL="" + +From 78664de349a993b36f02c17e25c5042ed075d9a7 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Aug 2021 19:38:39 +0200 +Subject: [PATCH 22/31] Python style fixes + +--- + shared/templates/audit_rules_dac_modification/template.py | 2 +- + shared/templates/audit_rules_file_deletion_events/template.py | 3 +-- + shared/templates/audit_rules_path_syscall/template.py | 2 +- + .../audit_rules_unsuccessful_file_modification/template.py | 3 +-- + 4 files changed, 4 insertions(+), 6 deletions(-) + +diff --git a/shared/templates/audit_rules_dac_modification/template.py b/shared/templates/audit_rules_dac_modification/template.py +index eebd0b6f4ee..17187826e62 100644 +--- a/shared/templates/audit_rules_dac_modification/template.py ++++ b/shared/templates/audit_rules_dac_modification/template.py +@@ -10,7 +10,7 @@ def preprocess(data, lang): + elif lang == "ansible": + if "attr" in data: + # Tranform the syscall into a Ansible list +- data["attr"] = [ data["attr"] ] ++ data["attr"] = [data["attr"]] + if "syscall_grouping" not in data: + # Ensure that syscall_grouping is a list + data["syscall_grouping"] = [] +diff --git a/shared/templates/audit_rules_file_deletion_events/template.py b/shared/templates/audit_rules_file_deletion_events/template.py +index 1141a99826b..4916d892521 100644 +--- a/shared/templates/audit_rules_file_deletion_events/template.py ++++ b/shared/templates/audit_rules_file_deletion_events/template.py +@@ -10,7 +10,7 @@ def _audit_rules_file_deletion_events(data, lang): + if "name" in data: + # Tranform the syscall into a Ansible list + # The syscall is under 'name' +- data["name"] = [ data["name"] ] ++ data["name"] = [data["name"]] + if "syscall_grouping" not in data: + # Ensure that 
syscall_grouping is a list + data["syscall_grouping"] = [] +@@ -19,4 +19,3 @@ def _audit_rules_file_deletion_events(data, lang): + + def preprocess(data, lang): + return _audit_rules_file_deletion_events(data, lang) +- +diff --git a/shared/templates/audit_rules_path_syscall/template.py b/shared/templates/audit_rules_path_syscall/template.py +index c13f34b94e0..0f2966335b0 100644 +--- a/shared/templates/audit_rules_path_syscall/template.py ++++ b/shared/templates/audit_rules_path_syscall/template.py +@@ -14,7 +14,7 @@ def preprocess(data, lang): + elif lang == "ansible": + if "syscall" in data: + # Tranform the syscall into a Ansible list +- data["syscall"] = [ data["syscall"] ] ++ data["syscall"] = [data["syscall"]] + if "syscall_grouping" not in data: + # Ensure that syscall_grouping is a list + data["syscall_grouping"] = [] +diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/template.py b/shared/templates/audit_rules_unsuccessful_file_modification/template.py +index 62abfad9a2c..dd9714457a2 100644 +--- a/shared/templates/audit_rules_unsuccessful_file_modification/template.py ++++ b/shared/templates/audit_rules_unsuccessful_file_modification/template.py +@@ -10,7 +10,7 @@ def _audit_rules_unsuccessful_file_modification(data, lang): + if "name" in data: + # Tranform the syscall into a Ansible list + # The syscall is under 'name' +- data["name"] = [ data["name"] ] ++ data["name"] = [data["name"]] + if "syscall_grouping" not in data: + # Ensure that syscall_grouping is a list + data["syscall_grouping"] = [] +@@ -19,4 +19,3 @@ def _audit_rules_unsuccessful_file_modification(data, lang): + + def preprocess(data, lang): + return _audit_rules_unsuccessful_file_modification(data, lang) +- + +From 16df69710c8872bd6d348a60a0542fb2cafb0dc3 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 18 Aug 2021 10:22:32 +0200 +Subject: [PATCH 23/31] Fix typo in Ansible remediarion for + unsuccessful_file_modification + +--- + 
.../audit_rules_unsuccessful_file_modification/bash/shared.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh +index bf931e46430..5cb4dbe6f4a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/bash/shared.sh +@@ -12,7 +12,7 @@ do + + # First fix the -EACCES requirement + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" +- OTHER_FILTERS="-F exit=EACCES" ++ OTHER_FILTERS="-F exit=-EACCES" + AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" + SYSCALL="creat open openat open_by_handle_at truncate ftruncate" + KEY="access" +@@ -24,7 +24,7 @@ do + # Then fix the -EPERM requirement + # No need to change content of $GROUP variable - it's the same as for -EACCES case above + ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" +- OTHER_FILTERS="-F exit=EPERM" ++ OTHER_FILTERS="-F exit=-EPERM" + AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" + SYSCALL="creat open openat open_by_handle_at truncate ftruncate" + KEY="access" + +From d761a6498f8e3e64810e7b06cbf04837d0ae8975 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 18 Aug 2021 10:23:50 +0200 +Subject: [PATCH 24/31] Check all relevant syscalls in Ansible macro + +The Ansible macros for audit syscall rules should check the target +syscall and the groupable syscalls during 'find' task. + +When 'syscall_grouping' was empty, the remediation would simply +execute the 'Add a new rule' task. +If the key was different, a new duplicate rule would be added. 
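Review bot: Switching both hunks to `OTHER_FILTERS="-F exit=-EACCES"` / `-F exit=-EPERM` is the correct form, since a failed syscall returns the negative errno and the unsigned spelling never matched; the same string also ends up inside the macro's `contains` regex, so the Ansible side must emit the identical text or the check and remediation will disagree. The Ansible template for this rule (later hunk) loops over `EXIT_CODE in ["EACCES","EPERM"]` but its `other_filters` argument is not visible here, so please confirm it prepends the minus sign as well. A comment on the first assignment, `# negative errno: auditctl compares against the syscall's return value`, would document why the sign matters.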
+ +Also removes extra syscalls declaration task. +--- + shared/macros-ansible.jinja | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index a067742b1f4..1af5ed3dd95 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -420,7 +420,7 @@ The macro requires following parameters: + contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$' + patterns: '*.rules' + register: find_command +- loop: '{{ syscall_grouping }}' ++ loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | default({}) | combine( {item.files[0].path :[item.item]+(syscalls_per_file | default({})).get(item.files[0].path, []) } ) }}" +@@ -504,7 +504,7 @@ The macro requires following parameters: + contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$' + patterns: 'audit.rules' + register: find_command +- loop: '{{ syscall_grouping }}' ++ loop: '{{ (syscall_grouping + syscalls) | unique }}' + + - name: Set path to /etc/audit/rules.d/{{{ key }}}.rules + set_fact: audit_file="/etc/audit/audit.rules" +@@ -532,10 +532,6 @@ The macro requires following parameters: + create: true + state: present + when: syscalls_found | length == 0 +-- name: Declare list of syscals +- set_fact: +- syscalls: {{{ syscalls }}} +- + {{%- endmacro %}} + + {{% macro ansible_sssd_ldap_config(parameter, value) -%}} + +From 2a2697e49809f14c0f1af81940c6198691e9af94 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 18 Aug 2021 10:35:10 +0200 +Subject: [PATCH 25/31] Improve task titles of audit macros and templates + +--- + shared/macros-ansible.jinja | 6 +++--- + .../templates/audit_rules_dac_modification/ansible.template | 6 +++--- 
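Review bot: `loop: '{{ (syscall_grouping + syscalls) | unique }}'` fixes the empty-grouping case for syscall rules, but a caller that passes `syscalls=[]` (the /var/log/audit watch rule in this series) still produces an empty loop, so `syscalls_found | length == 0` is always true and the `lineinfile` add task runs unconditionally, relying solely on exact-line idempotence. The `contains` expression is built by splicing `{{{ action_arch_filters }}}`, `{{{ other_filters }}}`, `{{{ auid_filters }}}` and `{{ item }}` into a regex unescaped; the filters used today contain no metacharacters, but a future `-F path=/usr/bin/x.y` would turn `.` into a wildcard, so escaping them (e.g. `{{ item | regex_escape }}` on the Ansible side) or a macro comment stating that arguments must be regex-safe is worth adding. Removing the trailing "Declare list of syscals" task is fine, as the declaration at the top of the macro (context in the next commit) already sets `syscalls`; the macro body between these hunks is not visible here.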
+ .../audit_rules_file_deletion_events/ansible.template | 6 +++--- + shared/templates/audit_rules_path_syscall/ansible.template | 6 +++--- + .../ansible.template | 6 +++--- + 5 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 1af5ed3dd95..b5574da29ac 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -414,7 +414,7 @@ The macro requires following parameters: + syscalls: {{{ syscalls }}} + syscall_grouping: {{{ syscall_grouping }}} + +-- name: Check existence of syscalls for in /etc/audit/rules.d/ ++- name: Check existence of {{{ syscalls | join(", ") }}} in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$' +@@ -498,7 +498,7 @@ The macro requires following parameters: + syscalls: {{{ syscalls }}} + syscall_grouping: {{{ syscall_grouping }}} + +-- name: Check existence of syscalls for in /etc/audit/rules.d/ ++- name: Check existence of {{{ syscalls | join(", ") }}} in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: '{{{ action_arch_filters }}}(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*{{{ other_filters }}}{{{ auid_filters }}} (-k\s+|-F\s+key=)\S+\s*$' +@@ -506,7 +506,7 @@ The macro requires following parameters: + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + +-- name: Set path to /etc/audit/rules.d/{{{ key }}}.rules ++- name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + + - name: Declare found syscalls +diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template +index d2ce6c50052..ea6fd94ff4b 100644 +--- a/shared/templates/audit_rules_dac_modification/ansible.template ++++ 
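Review bot: `{{{ syscalls | join(", ") }}}` in the two "Check existence of … in …" titles yields an empty name fragment ("Check existence of  in /etc/audit/rules.d/") whenever a caller passes `syscalls=[]`, as the /var/log/audit rule does, and it now requires every caller to pass a list rather than a string. A fallback keeps the title readable, e.g. `- name: Check existence of {{{ syscalls | join(", ") if syscalls else key }}} in /etc/audit/rules.d/` in both hunks, or the macro's parameter documentation above the hunk should state that `syscalls` must be a list. The corrected "Set path to /etc/audit/audit.rules" title now matches the `set_fact` below it.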
b/shared/templates/audit_rules_dac_modification/ansible.template +@@ -7,11 +7,11 @@ + # + # What architecture are we on? + # +-- name: Set architecture for audit {{{ ATTR }}} tasks ++- name: Set architecture for audit {{{ ATTR | join(", ") }}} tasks + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +-- name: Perform remediattion of Audit rules for {{{ ATTR }}} for x86 platform ++- name: Perform remediattion of Audit rules for {{{ ATTR | join(", ") }}} for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", +@@ -48,7 +48,7 @@ + )|indent(4) }}} + {{%- endif %}} + +-- name: Perform remediattion of Audit rules for {{{ ATTR }}} for x86_64 platform ++- name: Perform remediattion of Audit rules for {{{ ATTR | join(", ") }}} for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", +diff --git a/shared/templates/audit_rules_file_deletion_events/ansible.template b/shared/templates/audit_rules_file_deletion_events/ansible.template +index ec732133838..0044dc459dc 100644 +--- a/shared/templates/audit_rules_file_deletion_events/ansible.template ++++ b/shared/templates/audit_rules_file_deletion_events/ansible.template +@@ -7,11 +7,11 @@ + # + # What architecture are we on? 
+ # +-- name: Set architecture for audit {{{ NAME }}} tasks ++- name: Set architecture for audit {{{ NAME| join(", ") }}} tasks + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +-- name: Perform remediattion of Audit rules for {{{ NAME }}} for x86 platform ++- name: Perform remediattion of Audit rules for {{{ NAME| join(", ") }}} for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", +@@ -30,7 +30,7 @@ + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + +-- name: Perform remediattion of Audit rules for {{{ NAME }}} for x86_64 platform ++- name: Perform remediattion of Audit rules for {{{ NAME| join(", ") }}} for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", +diff --git a/shared/templates/audit_rules_path_syscall/ansible.template b/shared/templates/audit_rules_path_syscall/ansible.template +index 20440a36237..2875aff3573 100644 +--- a/shared/templates/audit_rules_path_syscall/ansible.template ++++ b/shared/templates/audit_rules_path_syscall/ansible.template +@@ -7,11 +7,11 @@ + # + # What architecture are we on? 
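Review bot: The three retitled tasks in this file use `{{{ NAME| join(", ") }}}` without a space before the pipe, whereas the dac_modification, path_syscall and unsuccessful_file_modification templates in the same commit write `{{{ ATTR | join(", ") }}}` / `{{{ NAME | join(", ") }}}`; the output is identical, but the inconsistency will keep showing up in grep-based edits across the templates. Use `{{{ NAME | join(", ") }}}` in all three titles here. This also assumes template.py has already turned `NAME` into a list for the Ansible language, which the earlier template.py hunk does only when `name` is present in the rule data.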
+ # +-- name: Set architecture for audit {{{ SYSCALL }}} tasks ++- name: Set architecture for audit {{{ SYSCALL | join(", ") }}} tasks + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +-- name: Perform remediattion of Audit rules for {{{ SYSCALL }}} for x86 platform ++- name: Perform remediattion of Audit rules for {{{ SYSCALL | join(", ") }}} for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", +@@ -30,7 +30,7 @@ + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + +-- name: Perform remediattion of Audit rules for {{{ SYSCALL }}} for x86_64 platform ++- name: Perform remediattion of Audit rules for {{{ SYSCALL | join(", ") }}} for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", +diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template +index cb5decc6a6e..a8fdc3978b1 100644 +--- a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template ++++ b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template +@@ -7,12 +7,12 @@ + # + # What architecture are we on? 
+ # +-- name: Set architecture for audit {{{ NAME }}} tasks ++- name: Set architecture for audit {{{ NAME | join(", ") }}} tasks + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + + {{% for EXIT_CODE in ["EACCES","EPERM"] %}} +-- name: Perform remediation of Audit rules for {{{ NAME }}} {{{ EXIT_CODE}}} for x86 platform ++- name: Perform remediation of Audit rules for {{{ NAME | join(", ") }}} {{{ EXIT_CODE}}} for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", +@@ -31,7 +31,7 @@ + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + +-- name: Perform remediattion of Audit rules for {{{ NAME }}} {{{ EXIT_CODE }}} for x86_64 platform ++- name: Perform remediattion of Audit rules for {{{ NAME | join(", ") }}} {{{ EXIT_CODE }}} for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + +From 6dd2a0388e025bbbb00bea15c999cc09e140afce Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 18 Aug 2021 13:49:07 +0200 +Subject: [PATCH 26/31] Fix typo in audit task block title + +--- + .../ansible/shared.yml | 4 ++-- + .../ansible/shared.yml | 4 ++-- + .../audit_rules_kernel_module_loading_init/ansible/shared.yml | 4 ++-- + .../directory_access_var_log_audit/ansible/shared.yml | 2 +- + .../templates/audit_rules_dac_modification/ansible.template | 4 ++-- + .../audit_rules_file_deletion_events/ansible.template | 4 ++-- + shared/templates/audit_rules_path_syscall/ansible.template | 4 ++-- + .../audit_rules_privileged_commands/ansible.template | 2 +- + .../ansible.template | 2 +- + 9 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml +index 863ba6f0134..f5469c0ebf9 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml +@@ -10,7 +10,7 @@ + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +-- name: Perform remediattion of Audit rules for delete_module for x86 platform ++- name: Perform remediation of Audit rules for delete_module for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", +@@ -29,7 +29,7 @@ + syscall_grouping=[], + )|indent(4) }}} + +-- name: Perform remediattion of Audit rules for delete_module for x86_64 platform ++- name: Perform remediation of Audit rules for delete_module for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml +index 268f0a57f11..2e0780af564 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml +@@ -10,7 +10,7 @@ + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +-- name: Perform remediattion of Audit rules 
for finit_module for x86 platform ++- name: Perform remediation of Audit rules for finit_module for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", +@@ -29,7 +29,7 @@ + syscall_grouping=["init_module","finit_module"], + )|indent(4) }}} + +-- name: Perform remediattion of Audit rules for finit_module for x86_64 platform ++- name: Perform remediation of Audit rules for finit_module for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml +index 2155a1835c6..6f6bd1826bc 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml +@@ -10,7 +10,7 @@ + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +-- name: Perform remediattion of Audit rules for init_module for x86 platform ++- name: Perform remediation of Audit rules for init_module for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", +@@ -29,7 +29,7 @@ + syscall_grouping=["init_module","finit_module"], + )|indent(4) }}} + +-- name: Perform remediattion of Audit rules for init_module for x86_64 platform ++- name: Perform remediation of Audit rules for init_module for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", +diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml +index bc6e929372f..ec17adf5525 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- name: Perform remediattion of Audit rules for /var/log/audit ++- name: Perform remediation of Audit rules for /var/log/audit + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit", +diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template +index ea6fd94ff4b..2c006b451c4 100644 +--- a/shared/templates/audit_rules_dac_modification/ansible.template ++++ b/shared/templates/audit_rules_dac_modification/ansible.template +@@ -11,7 +11,7 @@ + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +-- name: Perform remediattion of Audit rules for {{{ ATTR | join(", ") }}} for x86 platform ++- name: Perform remediation of Audit rules for {{{ ATTR | join(", ") }}} for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", +@@ -48,7 +48,7 @@ + )|indent(4) }}} + {{%- endif %}} + +-- name: Perform remediattion of Audit rules for {{{ ATTR | join(", ") }}} for x86_64 platform ++- name: Perform remediation of Audit rules for {{{ ATTR | join(", ") }}} for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", +diff --git a/shared/templates/audit_rules_file_deletion_events/ansible.template 
b/shared/templates/audit_rules_file_deletion_events/ansible.template +index 0044dc459dc..3bb07579463 100644 +--- a/shared/templates/audit_rules_file_deletion_events/ansible.template ++++ b/shared/templates/audit_rules_file_deletion_events/ansible.template +@@ -11,7 +11,7 @@ + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +-- name: Perform remediattion of Audit rules for {{{ NAME| join(", ") }}} for x86 platform ++- name: Perform remediation of Audit rules for {{{ NAME| join(", ") }}} for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", +@@ -30,7 +30,7 @@ + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + +-- name: Perform remediattion of Audit rules for {{{ NAME| join(", ") }}} for x86_64 platform ++- name: Perform remediation of Audit rules for {{{ NAME| join(", ") }}} for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", +diff --git a/shared/templates/audit_rules_path_syscall/ansible.template b/shared/templates/audit_rules_path_syscall/ansible.template +index 2875aff3573..fcd2bda3bab 100644 +--- a/shared/templates/audit_rules_path_syscall/ansible.template ++++ b/shared/templates/audit_rules_path_syscall/ansible.template +@@ -11,7 +11,7 @@ + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +-- name: Perform remediattion of Audit rules for {{{ SYSCALL | join(", ") }}} for x86 platform ++- name: Perform remediation of Audit rules for {{{ SYSCALL | join(", ") }}} for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", +@@ -30,7 +30,7 @@ + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + +-- name: Perform remediattion of Audit rules for {{{ SYSCALL | join(", ") }}} for x86_64 platform ++- name: Perform remediation of Audit rules for {{{ SYSCALL | 
join(", ") }}} for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", +diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template +index b1788b59b8a..e9ef084984a 100644 +--- a/shared/templates/audit_rules_privileged_commands/ansible.template ++++ b/shared/templates/audit_rules_privileged_commands/ansible.template +@@ -7,7 +7,7 @@ + # complexity = low + # disruption = low + +-- name: Perform remediattion of Audit rules for {{{ PATH }}} ++- name: Perform remediation of Audit rules for {{{ PATH }}} + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit", +diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template +index a8fdc3978b1..6cf90e11863 100644 +--- a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template ++++ b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template +@@ -31,7 +31,7 @@ + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + +-- name: Perform remediattion of Audit rules for {{{ NAME | join(", ") }}} {{{ EXIT_CODE }}} for x86_64 platform ++- name: Perform remediation of Audit rules for {{{ NAME | join(", ") }}} {{{ EXIT_CODE }}} for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + +From fe88dfbf2b4c7acd0a196512d2868f19b9b89f33 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 18 Aug 2021 17:21:32 +0200 +Subject: [PATCH 27/31] Reset the tracking of syscalls found per file + +When running a playbook profile, they were accumulating over the entire +run. 
+--- + shared/macros-ansible.jinja | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index b5574da29ac..b26966238a2 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -422,15 +422,20 @@ The macro requires following parameters: + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + ++- name: Reset syscalls found per file ++ set_fact: ++ syscalls_per_file: {} ++ found_paths_dict: {} ++ + - name: Declare syscalls found per file +- set_fact: syscalls_per_file="{{ syscalls_per_file | default({}) | combine( {item.files[0].path :[item.item]+(syscalls_per_file | default({})).get(item.files[0].path, []) } ) }}" ++ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: "{{ find_command.results | selectattr('matched') | list}}" + + - name: Declare files where syscalls where found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths +- set_fact: found_paths_dict="{{ found_paths_dict | default({}) | combine({ item:1+(found_paths_dict | default({})).get(item, 0) }) }}" ++ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + loop: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + + - name: Get path with most syscalls + +From 34a66912886e979fac132346074e556c36336b0c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 19 Aug 2021 12:32:25 +0200 +Subject: [PATCH 28/31] Create audit rules without permissions for others + +--- + shared/bash_remediation_functions/fix_audit_syscall_rule.sh | 1 + + shared/macros-ansible.jinja | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git 
a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh +index 5cc130a0236..d95aedba395 100644 +--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh ++++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh +@@ -204,6 +204,7 @@ then + local auid_string=$([[ $auid_filters ]] && echo " $auid_filters") + local full_rule="${action_arch_filters}${syscall_string}${other_string}${auid_string} -F key=${key}" + echo "$full_rule" >> "$default_file" ++ chmod o-rwx ${default_file} + else + # Check if the syscalls are declared as a comma separated list or + # as multiple -S parameters +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index b26966238a2..6c9c53a07db 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -467,6 +467,7 @@ The macro requires following parameters: + path: '{{ audit_file }}' + line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}" + create: true ++ mode: o-rwx + state: present + when: syscalls_found | length == 0 + {{%- endmacro %}} +@@ -535,6 +536,7 @@ The macro requires following parameters: + path: '{{ audit_file }}' + line: "{{{ action_arch_filters }}}{{{ syscall_flag }}}{{ syscalls | join(',') }}{{{ other_filters }}}{{{ auid_filters}}} -F key={{{ key }}}" + create: true ++ mode: o-rwx + state: present + when: syscalls_found | length == 0 + {{%- endmacro %}} + +From 181a0f9aacbcf7340ce0931907bd7ae1db0cf478 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 19 Aug 2021 14:48:08 +0200 +Subject: [PATCH 29/31] Remove trailing space from perm field + +Otherwise the rule will be added with two spaces between other_filters +and auid_filters. 
+--- + shared/templates/audit_rules_privileged_commands/bash.template | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template +index b5879085a45..5af362df800 100644 +--- a/shared/templates/audit_rules_privileged_commands/bash.template ++++ b/shared/templates/audit_rules_privileged_commands/bash.template +@@ -1,5 +1,5 @@ + {{%- if product in ["rhel8", "rhel9", "sle12", "sle15"] %}} +- {{%- set perm_x=" -F perm=x " %}} ++ {{%- set perm_x=" -F perm=x" %}} + {{%- endif %}} + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + + +From c94454fd4409b69e24012b006266637e17982be8 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 19 Aug 2021 14:54:57 +0200 +Subject: [PATCH 30/31] Fix typos in task titles + +--- + shared/macros-ansible.jinja | 2 +- + .../audit_rules_file_deletion_events/ansible.template | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 6c9c53a07db..ed3881d054c 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -431,7 +431,7 @@ The macro requires following parameters: + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" + loop: "{{ find_command.results | selectattr('matched') | list}}" + +-- name: Declare files where syscalls where found ++- name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + + - name: Count occurrences of syscalls in paths +diff --git a/shared/templates/audit_rules_file_deletion_events/ansible.template b/shared/templates/audit_rules_file_deletion_events/ansible.template +index 3bb07579463..f09ce12d87a 100644 +--- 
a/shared/templates/audit_rules_file_deletion_events/ansible.template ++++ b/shared/templates/audit_rules_file_deletion_events/ansible.template +@@ -7,11 +7,11 @@ + # + # What architecture are we on? + # +-- name: Set architecture for audit {{{ NAME| join(", ") }}} tasks ++- name: Set architecture for audit {{{ NAME | join(", ") }}} tasks + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +-- name: Perform remediation of Audit rules for {{{ NAME| join(", ") }}} for x86 platform ++- name: Perform remediation of Audit rules for {{{ NAME | join(", ") }}} for x86 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b32", +@@ -30,7 +30,7 @@ + syscall_grouping=SYSCALL_GROUPING, + )|indent(4) }}} + +-- name: Perform remediation of Audit rules for {{{ NAME| join(", ") }}} for x86_64 platform ++- name: Perform remediation of Audit rules for {{{ NAME | join(", ") }}} for x86_64 platform + block: + {{{ ansible_audit_augenrules_add_syscall_rule( + action_arch_filters="-a always,exit -F arch=b64", + +From a5e99060b4856298ffc9f2a75a611a2eefb9b4de Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 19 Aug 2021 15:35:25 +0200 +Subject: [PATCH 31/31] Fix Ansible linter issue + +Variables should have spaces before and after +--- + shared/macros-ansible.jinja | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index ed3881d054c..b9536439c50 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -429,7 +429,7 @@ The macro requires following parameters: + + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" +- loop: "{{ find_command.results | selectattr('matched') | list}}" ++ loop: "{{ find_command.results | selectattr('matched') | list 
}}" + + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" diff --git a/SOURCES/scap-security-guide-0.1.58-ism_ks-PR_7392.patch b/SOURCES/scap-security-guide-0.1.58-ism_ks-PR_7392.patch new file mode 100644 index 0000000..e38943c --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-ism_ks-PR_7392.patch 
@@ -0,0 +1,256 @@
+From 86e1556555fde19d3b6bfa7e280c8d9faf6243d3 Mon Sep 17 00:00:00 2001
+From: Matej Tyc
+Date: Mon, 16 Aug 2021 13:08:10 +0200
+Subject: [PATCH] Add ISM Official kickstarts
+
+---
+ .../rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg | 116 ++++++++++++++++++
+ .../rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg | 116 ++++++++++++++++++
+ 2 files changed, 232 insertions(+)
+ create mode 100644 products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
+ create mode 100644 products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
+
+diff --git a/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
+new file mode 100644
+index 0000000000..d84d98b12d
+--- /dev/null
++++ b/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
+@@ -0,0 +1,116 @@
++# SCAP Security Guide ISM Official profile kickstart for Red Hat Enterprise Linux 8 Server
++# Version: 0.0.1
++# Date: 2021-08-16
++#
++# Based on:
++# https://pykickstart.readthedocs.io/en/latest/
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
++
++# Specify installation method to use for installation
++# To use a different one comment out the 'url' one below, update
++# the selected choice with proper options & un-comment it
++#
++# Install from an installation tree on a remote server via FTP or HTTP:
++# --url the URL to install from
++#
++# Example:
++#
++# url --url=http://192.168.122.1/image
++#
++# Modify concrete URL in the above example appropriately to reflect the actual
++# environment machine is to be installed in
++#
++# Other possible / supported installation methods:
++# * install from the first CD-ROM/DVD drive on the system:
++#
++# cdrom
++#
++# * install from a directory of ISO images on a local drive:
++#
++# harddrive --partition=hdb2 --dir=/tmp/install-tree
++#
++# * install from provided NFS server:
++#
++# nfs --server= --dir= [--opts=]
++#
++
++# Set language to use during installation and the default language to use on the installed system (required)
++lang en_US.UTF-8
++
++# Set system keyboard type / layout (required)
++keyboard us
++
++# Configure network information for target system and activate network devices in the installer environment (optional)
++# --onboot enable device at a boot time
++# --device device to be activated and / or configured with the network command
++# --bootproto method to obtain networking configuration for device (default dhcp)
++# --noipv6 disable IPv6 on this device
++#
++#
++network --onboot yes --device eth0 --bootproto dhcp --noipv6
++
++# Set the system's root password (required)
++# Plaintext password is: server
++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
++# encrypted password form for different plaintext password
++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
++
++# The selected profile will restrict root login
++# Add a user that can login and escalate privileges
++# Plaintext password is: admin123
++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
++
++# Configure firewall settings for the system (optional)
++# --enabled reject incoming connections that are not in response to outbound requests
++# --ssh allow sshd service through the firewall
++firewall --enabled --ssh
++
++# Set up the authentication options for the system (required)
++# sssd profile sets sha512 to hash passwords
++# passwords are shadowed by default
++# See the manual page for authselect-profile for a complete list of possible options.
++authselect select sssd
++
++# State of SELinux on the installed system (optional)
++# Defaults to enforcing
++selinux --enforcing
++
++# Set the system time zone (required)
++timezone --utc America/New_York
++
++# Specify how the bootloader should be installed (required)
++bootloader --location=mbr --append="crashkernel=auto rhgb quiet"
++
++# Initialize (format) all disks (optional)
++zerombr
++
++# The following partition layout scheme assumes disk of size 20GB or larger
++# Modify size of partitions appropriately to reflect actual machine's hardware
++#
++# Remove Linux partitions from the system prior to creating new ones (optional)
++# --linux erase all Linux partitions
++# --initlabel initialize the disk label to the default based on the underlying architecture
++clearpart --linux --initlabel
++
++# Create primary system partitions (required for installs)
++autopart
++
++# Harden installation with Essential Eight profile
++# For more details and configuration options see
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
++%addon org_fedora_oscap
++ content-type = scap-security-guide
++ profile = xccdf_org.ssgproject.content_profile_ism_o
++%end
++
++# Packages selection (%packages section is required)
++%packages
++
++# Require @Base
++@Base
++
++%end # End of %packages section
++
++# Reboot after the installation is complete (optional)
++# --eject attempt to eject CD or DVD media before rebooting
++reboot --eject
+diff --git a/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
+new file mode 100644
+index 0000000000..517919539a
+--- /dev/null
++++ b/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
+@@ -0,0 +1,116 @@
++# SCAP Security Guide ISM Official profile kickstart for Red Hat Enterprise Linux 9 Server
++# Version: 0.0.1
++# Date: 2021-08-16
++#
++# Based on:
++# https://pykickstart.readthedocs.io/en/latest/
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
++
++# Specify installation method to use for installation
++# To use a different one comment out the 'url' one below, update
++# the selected choice with proper options & un-comment it
++#
++# Install from an installation tree on a remote server via FTP or HTTP:
++# --url the URL to install from
++#
++# Example:
++#
++# url --url=http://192.168.122.1/image
++#
++# Modify concrete URL in the above example appropriately to reflect the actual
++# environment machine is to be installed in
++#
++# Other possible / supported installation methods:
++# * install from the first CD-ROM/DVD drive on the system:
++#
++# cdrom
++#
++# * install from a directory of ISO images on a local drive:
++#
++# harddrive --partition=hdb2 --dir=/tmp/install-tree
++#
++# * install from provided NFS server:
++#
++# nfs --server= --dir= [--opts=]
++#
++
++# Set language to use during installation and the default language to use on the installed system (required)
++lang en_US.UTF-8
++
++# Set system keyboard type / layout (required)
++keyboard us
++
++# Configure network information for target system and activate network devices in the installer environment (optional)
++# --onboot enable device at a boot time
++# --device device to be activated and / or configured with the network command
++# --bootproto method to obtain networking configuration for device (default dhcp)
++# --noipv6 disable IPv6 on this device
++#
++#
++network --onboot yes --device eth0 --bootproto dhcp --noipv6
++
++# Set the system's root password (required)
++# Plaintext password is: server
++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
++# encrypted password form for different plaintext password
++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
++
++# The selected profile will restrict root login
++# Add a user that can login and escalate privileges
++# Plaintext password is: admin123
++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
++
++# Configure firewall settings for the system (optional)
++# --enabled reject incoming connections that are not in response to outbound requests
++# --ssh allow sshd service through the firewall
++firewall --enabled --ssh
++
++# Set up the authentication options for the system (required)
++# sssd profile sets sha512 to hash passwords
++# passwords are shadowed by default
++# See the manual page for authselect-profile for a complete list of possible options.
++authselect select sssd
++
++# State of SELinux on the installed system (optional)
++# Defaults to enforcing
++selinux --enforcing
++
++# Set the system time zone (required)
++timezone --utc America/New_York
++
++# Specify how the bootloader should be installed (required)
++bootloader --location=mbr --append="crashkernel=auto rhgb quiet"
++
++# Initialize (format) all disks (optional)
++zerombr
++
++# The following partition layout scheme assumes disk of size 20GB or larger
++# Modify size of partitions appropriately to reflect actual machine's hardware
++#
++# Remove Linux partitions from the system prior to creating new ones (optional)
++# --linux erase all Linux partitions
++# --initlabel initialize the disk label to the default based on the underlying architecture
++clearpart --linux --initlabel
++
++# Create primary system partitions (required for installs)
++autopart
++
++# Harden installation with Essential Eight profile
++# For more details and configuration options see
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
++%addon com_redhat_oscap
++ content-type = scap-security-guide
++ profile = xccdf_org.ssgproject.content_profile_ism_o
++%end
++
++# Packages selection (%packages section is required)
++%packages
++
++# Require @Base
++@Base
++
++%end # End of %packages section
++
++# Reboot after the installation is complete (optional)
++# --eject attempt to eject CD or DVD media before rebooting
++reboot --eject
diff --git a/SOURCES/scap-security-guide-0.1.58-mark_rule_as_machine_only-PR_7442.patch b/SOURCES/scap-security-guide-0.1.58-mark_rule_as_machine_only-PR_7442.patch
new file mode 100644
index 0000000..b27575c
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-mark_rule_as_machine_only-PR_7442.patch
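Review bot: The comment `# Harden installation with Essential Eight profile` above the `%addon` block in both kickstarts names the wrong profile; the file header and the `profile = xccdf_org.ssgproject.content_profile_ism_o` line say this is the ISM Official profile, so it should read `# Harden installation with ISM Official profile`. The RHEL 9 kickstart's `# Based on:` and `%addon` documentation links still point at the RHEL 8 installation guide (`.../red_hat_enterprise_linux/8/...`), presumably a copy-over that should be updated. The partition comment `# The following partition layout scheme assumes disk of size 20GB or larger` / `# Modify size of partitions appropriately` describes an explicit layout, but the file only runs `autopart`, so it is stale. The `rootpw` and `user` lines install credentials whose plaintext (`server`, `admin123`) is documented in the file itself, and the `admin` account is in `wheel`; the header should state explicitly that these hashes are samples to be replaced before the kickstart is deployed, since a system installed from it unmodified starts with published passwords.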
@@ -0,0 +1,33 @@
+From 0d04f65d53b83690769f7baee48ec64e785b0e00 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Mon, 23 Aug 2021 11:33:28 +0200
+Subject: [PATCH] Mark agent_mfetpd_running as machine only.
+
+---
+ .../mcafee_endpoint_security_software/group.yml | 2 ++
+ .../package_mcafeetp_installed/rule.yml | 2 --
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml
+index f2e4e89851..b915311533 100644
+--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml
++++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml
+@@ -5,3 +5,5 @@ title: 'McAfee Endpoint Security for Linux (ENSL)'
+ description: |-
+ McAfee Endpoint Security for Linux (ENSL) is a suite of software applications
+ used to monitor, detect, and defend computer networks and systems.
++
++platform: machine
+diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
+index 16587792ef..4c7dc8d7a2 100644
+--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
++++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
+@@ -37,8 +37,6 @@ warnings:
+ Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software,
+ automated remediation is not available for this configuration check.
+ 
+-platform: machine
+-
+ template:
+ name: package_installed
+ vars:
diff --git a/SOURCES/scap-security-guide-0.1.58-remove_RHEL_08_040162-PR_7369.patch b/SOURCES/scap-security-guide-0.1.58-remove_RHEL_08_040162-PR_7369.patch
new file mode 100644
index 0000000..f14e270
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-remove_RHEL_08_040162-PR_7369.patch
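Review bot: The `platform: machine` added to `group.yml` is now inherited by every rule in the group, not only the `agent_mfetpd_running` rule named in the subject, so any rule added to this group later is silently marked machine-only as well; a comment next to it would make that explicit, e.g. `# Applies to every rule in this group, not just agent_mfetpd_running`. The removal from `package_mcafeetp_installed/rule.yml` keeps that rule's effective applicability unchanged only as long as the group-level setting stays in place, which appears to be the intent. The subject mentions `agent_mfetpd_running`, yet no file under that rule is touched; the commit message should say the platform is applied via the group so a reader does not look for a missing hunk.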
@@ -0,0 +1,63 @@
+From 8fa9ca61649a36dd1f3d5e5c72c0162a4dbfe694 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Tue, 10 Aug 2021 09:45:56 +0200
+Subject: [PATCH] Remove RHEL-08-040162 from STIG profile.
+
+This item has been removed in version RHEL8 DISA STIG V1R3.
+---
+ .../services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml | 1 -
+ products/rhel8/profiles/stig.profile | 3 ---
+ tests/data/profile_stability/rhel8/stig.profile | 1 -
+ tests/data/profile_stability/rhel8/stig_gui.profile | 1 -
+ 4 files changed, 6 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
+index 1852313216a..f43f92c2f15 100644
+--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
+@@ -32,7 +32,6 @@ references:
+ disa: CCI-000068
+ ospp: FCS_SSHS_EXT.1
+ srg: SRG-OS-000423-GPOS-00187,SRG-OS-000033-GPOS-00014
+- stigid@rhel8: RHEL-08-040162
+ 
+ ocil_clause: 'it is commented out or is not set'
+ 
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index a358f61dba5..9d4d1965141 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -1071,9 +1071,6 @@ selections:
+ # RHEL-08-040161
+ - sshd_rekey_limit
+ 
+- # RHEL-08-040162
+- - ssh_client_rekey_limit
+-
+ # RHEL-08-040170
+ - disable_ctrlaltdel_reboot
+ 
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index 7d54a7505fb..fca5842cf22 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -323,7 +323,6 @@ selections:
+ - service_usbguard_enabled
+ - set_password_hashing_algorithm_logindefs
+ - set_password_hashing_algorithm_systemauth
+-- ssh_client_rekey_limit
+ - sshd_disable_compression
+ - sshd_disable_empty_passwords
+ - sshd_disable_gssapi_auth
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index 97291230e7c..35fa9ddea2b 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
++++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -334,7 +334,6 @@ selections:
+ - service_usbguard_enabled
+ - set_password_hashing_algorithm_logindefs
+ - set_password_hashing_algorithm_systemauth
+-- ssh_client_rekey_limit
+ - sshd_disable_compression
+ - sshd_disable_empty_passwords
+ - sshd_disable_gssapi_auth
diff --git a/SOURCES/scap-security-guide-0.1.58-rhel7_cis_kickstarts-PR_7382.patch b/SOURCES/scap-security-guide-0.1.58-rhel7_cis_kickstarts-PR_7382.patch
new file mode 100644
index 0000000..2d7e09b
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-rhel7_cis_kickstarts-PR_7382.patch
@@ -0,0 +1,490 @@
+From ee2da171d5a76202b2aef8231c5af6f97ef156ef Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Thu, 12 Aug 2021 10:36:30 +0200
+Subject: [PATCH 1/2] add rhel7 kickstarts for cis
+
+---
+ products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg | 4 +-
+ .../kickstart/ssg-rhel7-cis_server_l1-ks.cfg | 136 ++++++++++++++++
+ .../ssg-rhel7-cis_workstation_l1-ks.cfg | 137 ++++++++++++++++
+ .../ssg-rhel7-cis_workstation_l2-ks.cfg | 147 ++++++++++++++++++
+ 4 files changed, 422 insertions(+), 2 deletions(-)
+ create mode 100644 products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg
+ create mode 100644 products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg
+ create mode 100644 products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg
+
+diff --git a/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg
+index 6ead435b978..00edb9d536c 100644
+--- a/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg
++++ b/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg
+@@ -1,6 +1,6 @@
+-# SCAP Security Guide CIS profile kickstart for Red Hat Enterprise Linux 7 Server
++# SCAP Security Guide CIS profile (Leve 2 - Server) kickstart for Red Hat Enterprise Linux 7 Server
+ # Version: 0.0.1
+-# Date: 2020-03-30
++# Date: 2021-08-12
+ #
+ # Based on:
+ # https://pykickstart.readthedocs.io/en/latest/
+diff --git a/products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg
+new file mode 100644
+index 00000000000..333105c4f9e
+--- /dev/null
++++ b/products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg
+@@ -0,0 +1,136 @@
++# SCAP Security Guide CIS profile (Level 1 - Server) kickstart for Red Hat Enterprise Linux 7 Server
++# Version: 0.0.1
++# Date: 2021-08-12
++#
++# Based on:
++# https://pykickstart.readthedocs.io/en/latest/
++# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
++
++# Install a fresh new system (optional)
++install
++
++# Specify installation method to use for installation
++# To use a different one comment out the 'url' one below, update
++# the selected choice with proper options & un-comment it
++#
++# Install from an installation tree on a remote server via FTP or HTTP:
++# --url the URL to install from
++#
++# Example:
++#
++# url --url=http://192.168.122.1/image
++#
++# Modify concrete URL in the above example appropriately to reflect the actual
++# environment machine is to be installed in
++#
++# Other possible / supported installation methods:
++# * install from the first CD-ROM/DVD drive on the system:
++#
++# cdrom
++#
++# * install from a directory of ISO images on a local drive:
++#
++# harddrive --partition=hdb2 --dir=/tmp/install-tree
++#
++# * install from provided NFS server:
++#
++# nfs --server= --dir= [--opts=]
++#
++
++# Set language to use during installation and the default language to use on the installed system (required)
++lang en_US.UTF-8
++
++# Set system keyboard type / layout (required)
++keyboard us
++
++# Configure network information for target system and activate network devices in the installer environment (optional)
++# --onboot enable device at a boot time
++# --device device to be activated and / or configured with the network command
++# --bootproto method to obtain networking configuration for device (default dhcp)
++# --noipv6 disable IPv6 on this device
++#
++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
++# "--bootproto=static" must be used. For example:
++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
++#
++network --onboot yes --device eth0 --bootproto dhcp --noipv6
++
++# Set the system's root password (required)
++# Plaintext password is: server
++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
++# encrypted password form for different plaintext password
++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
++
++# The selected profile will restrict root login
++# Add a user that can login and escalate privileges
++# Plaintext password is: admin123
++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
++
++# Configure firewall settings for the system (optional)
++# --enabled reject incoming connections that are not in response to outbound requests
++# --ssh allow sshd service through the firewall
++firewall --enabled --ssh
++
++# Set up the authentication options for the system (required)
++# --enableshadow enable shadowed passwords by default
++# --passalgo hash / crypt algorithm for new passwords
++# See the manual page for authconfig for a complete list of possible options.
++authconfig --enableshadow --passalgo=sha512
++
++# State of SELinux on the installed system (optional)
++# Defaults to enforcing
++selinux --enforcing
++
++# Set the system time zone (required)
++timezone --utc America/New_York
++
++# Specify how the bootloader should be installed (required)
++# Plaintext password is: password
++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
++# encrypted password form for different plaintext password
++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
++
++# Initialize (format) all disks (optional)
++zerombr
++
++# The following partition layout scheme assumes disk of size 20GB or larger
++# Modify size of partitions appropriately to reflect actual machine's hardware
++#
++# Remove Linux partitions from the system prior to creating new ones (optional)
++# --linux erase all Linux partitions
++# --initlabel initialize the disk label to the default based on the underlying architecture
++clearpart --linux --initlabel
++
++# Create primary system partitions (required for installs)
++part /boot --fstype=xfs --size=512
++part pv.01 --grow --size=1
++
++# Create a Logical Volume Management (LVM) group (optional)
++volgroup VolGroup --pesize=4096 pv.01
++
++# Create particular logical volumes (optional)
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
++# Ensure /tmp Located On Separate Partition
++logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
++logvol swap --name=lv_swap --vgname=VolGroup --size=2016
++
++
++# Harden installation with CIS profile
++# For more details and configuration options see command %addon org_fedora_oscap in
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
++%addon org_fedora_oscap
++ content-type = scap-security-guide
++ profile = xccdf_org.ssgproject.content_profile_cis_server_l1
++%end
++
++# Packages selection (%packages section is required)
++%packages
++
++# Require @Base
++@Base
++
++%end # End of %packages section
++
++# Reboot after the installation is complete (optional)
++# --eject attempt to eject CD or DVD media before rebooting
++reboot --eject
+diff --git a/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg
+new file mode 100644
+index 00000000000..7ca9fe8558b
+--- /dev/null
++++ b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg
+@@ -0,0 +1,137 @@
++# SCAP Security Guide CIS profile (Level 1 - Workstation) kickstart for Red Hat Enterprise Linux 7 Server
++# Version: 0.0.1
++# Date: 2021-08-12
++#
++# Based on:
++# https://pykickstart.readthedocs.io/en/latest/
++# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
++
++# Install a fresh new system (optional)
++install
++
++# Specify installation method to use for installation
++# To use a different one comment out the 'url' one below, update
++# the selected choice with proper options & un-comment it
++#
++# Install from an installation tree on a remote server via FTP or HTTP:
++# --url the URL to install from
++#
++# Example:
++#
++# url --url=http://192.168.122.1/image
++#
++# Modify concrete URL in the above example appropriately to reflect the actual
++# environment machine is to be installed in
++#
++# Other possible / supported installation methods:
++# * install from the first CD-ROM/DVD drive on the system:
++#
++# cdrom
++#
++# * install from a directory of ISO images on a local drive:
++#
++# harddrive --partition=hdb2 --dir=/tmp/install-tree
++#
++# * install from provided NFS server:
++#
++# nfs --server= --dir= [--opts=]
++#
++
++# Set language to use during installation and the default language to use on the installed system (required)
++lang en_US.UTF-8
++
++# Set system keyboard type / layout (required)
++keyboard us
++
++# Configure network information for target system and activate network devices in the installer environment (optional)
++# --onboot enable device at a boot time
++# --device device to be activated and / or configured with the network command
++# --bootproto method to obtain networking configuration for device (default dhcp)
++# --noipv6 disable IPv6 on this device
++#
++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
++# "--bootproto=static" must be used. For example:
++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
++#
++network --onboot yes --device eth0 --bootproto dhcp --noipv6
++
++# Set the system's root password (required)
++# Plaintext password is: server
++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
++# encrypted password form for different plaintext password
++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
++
++# The selected profile will restrict root login
++# Add a user that can login and escalate privileges
++# Plaintext password is: admin123
++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
++
++# Configure firewall settings for the system (optional)
++# --enabled reject incoming connections that are not in response to outbound requests
++# --ssh allow sshd service through the firewall
++firewall --enabled --ssh
++
++# Set up the authentication options for the system (required)
++# --enableshadow enable shadowed passwords by default
++# --passalgo hash / crypt algorithm for new passwords
++# See the manual page for authconfig for a complete list of possible options.
++authconfig --enableshadow --passalgo=sha512
++
++# State of SELinux on the installed system (optional)
++# Defaults to enforcing
++selinux --enforcing
++
++# Set the system time zone (required)
++timezone --utc America/New_York
++
++# Specify how the bootloader should be installed (required)
++# Plaintext password is: password
++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
++# encrypted password form for different plaintext password
++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
++
++# Initialize (format) all disks (optional)
++zerombr
++
++# The following partition layout scheme assumes disk of size 20GB or larger
++# Modify size of partitions appropriately to reflect actual machine's hardware
++#
++# Remove Linux partitions from the system prior to creating new ones (optional)
++# --linux erase all Linux partitions
++# --initlabel initialize the disk label to the default based on the underlying architecture
++clearpart --linux --initlabel
++
++# Create primary system partitions (required for installs)
++part /boot --fstype=xfs --size=512
++part pv.01 --grow --size=1
++
++# Create a Logical Volume Management (LVM) group (optional)
++volgroup VolGroup --pesize=4096 pv.01
++
++# Create particular logical volumes (optional)
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
++# Ensure /tmp Located On Separate Partition
++logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
++logvol swap --name=lv_swap --vgname=VolGroup --size=2016
++
++
++
++# Harden installation with CIS profile
++# For more details and configuration options see command %addon org_fedora_oscap in
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
++%addon org_fedora_oscap
++ content-type = scap-security-guide
++ profile = xccdf_org.ssgproject.content_profile_cis_workstation_l1
++%end
++
++# Packages selection (%packages section is required)
++%packages
++
++# Require @Base
++@Base
++
++%end # End of %packages section
++
++# Reboot after the installation is complete (optional)
++# --eject attempt to eject CD or DVD media before rebooting
++reboot --eject
+diff --git a/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg
+new file mode 100644
+index 00000000000..b9bff5f390e
+--- /dev/null
++++ b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg
+@@ -0,0 +1,147 @@
++# SCAP Security Guide CIS profile (Level 2 - Workstation) kickstart for Red Hat Enterprise Linux 7 Server
++# Version: 0.0.1
++# Date: 2021-08-12
++#
++# Based on:
++# https://pykickstart.readthedocs.io/en/latest/
++# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
++
++# Install a fresh new system (optional)
++install
++
++# Specify installation method to use for installation
++# To use a different one comment out the 'url' one below, update
++# the selected choice with proper options & un-comment it
++#
++# Install from an installation tree on a remote server via FTP or HTTP:
++# --url the URL to install from
++#
++# Example:
++#
++# url --url=http://192.168.122.1/image
++#
++# Modify concrete URL in the above example appropriately to reflect the actual
++# environment machine is to be installed in
++#
++# Other possible / supported installation methods:
++# * install from the first CD-ROM/DVD drive on the system:
++#
++# cdrom
++#
++# * install from a directory of ISO images on a local drive:
++#
++# harddrive --partition=hdb2 --dir=/tmp/install-tree
++#
++# * install from provided NFS server:
++#
++# nfs --server= --dir= [--opts=]
++#
++
++# Set language to use during installation and the default language to use on the installed system (required)
++lang en_US.UTF-8
++
++# Set system keyboard type / layout (required)
++keyboard us
++
++# Configure network information for target system and activate network devices in the installer environment (optional)
++# --onboot enable device at a boot time
++# --device device to be activated and / or configured with the network command
++# --bootproto method to obtain networking configuration for device (default dhcp)
++# --noipv6 disable IPv6 on this device
++#
++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
++# "--bootproto=static" must be used. For example:
++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
++#
++network --onboot yes --device eth0 --bootproto dhcp --noipv6
++
++# Set the system's root password (required)
++# Plaintext password is: server
++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
++# encrypted password form for different plaintext password
++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
++
++# The selected profile will restrict root login
++# Add a user that can login and escalate privileges
++# Plaintext password is: admin123
++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
++
++# Configure firewall settings for the system (optional)
++# --enabled reject incoming connections that are not in response to outbound requests
++# --ssh allow sshd service through the firewall
++firewall --enabled --ssh
++
++# Set up the authentication options for the system (required)
++# --enableshadow enable shadowed passwords by default
++# --passalgo hash / crypt algorithm for new passwords
++# See the manual page for authconfig for a complete list of possible options.
++authconfig --enableshadow --passalgo=sha512
++
++# State of SELinux on the installed system (optional)
++# Defaults to enforcing
++selinux --enforcing
++
++# Set the system time zone (required)
++timezone --utc America/New_York
++
++# Specify how the bootloader should be installed (required)
++# Plaintext password is: password
++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
++# encrypted password form for different plaintext password
++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
++
++# Initialize (format) all disks (optional)
++zerombr
++
++# The following partition layout scheme assumes disk of size 20GB or larger
++# Modify size of partitions appropriately to reflect actual machine's hardware
++#
++# Remove Linux partitions from the system prior to creating new ones (optional)
++# --linux erase all Linux partitions
++# --initlabel initialize the disk label to the default based on the underlying architecture
++clearpart --linux --initlabel
++
++# Create primary system partitions (required for installs)
++part /boot --fstype=xfs --size=512
++part pv.01 --grow --size=1
++
++# Create a Logical Volume Management (LVM) group (optional)
++volgroup VolGroup --pesize=4096 pv.01
++
++# Create particular logical volumes (optional)
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
++# Ensure /home Located On Separate Partition
++logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
++# Ensure /tmp Located On Separate Partition
++logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
++# Ensure /var/tmp Located On Separate Partition
++logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
++# Ensure /var Located On Separate Partition
++logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048
++# Ensure /var/log Located On Separate Partition
++logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024
++# Ensure /var/log/audit Located On Separate Partition
++logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512
++logvol swap --name=lv_swap --vgname=VolGroup --size=2016
++
++
++
++# Harden installation with CIS profile
++# For more details and configuration options see command %addon org_fedora_oscap in
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
++%addon org_fedora_oscap
++ content-type = scap-security-guide
++ profile = xccdf_org.ssgproject.content_profile_cis_workstation_l2
++%end
++
++# Packages selection (%packages section is required)
++%packages
++
++# Require @Base
++@Base
++
++%end # End of %packages section
++
++# Reboot after the installation is complete (optional)
++# --eject attempt to eject CD or DVD media before rebooting
++reboot --eject
+
+From 92e84a2c1b302291aa8ffbc08ae3e4ffabd5dfe7 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Wed, 18 Aug 2021 14:24:34 +0200
+Subject: [PATCH 2/2] Fix typo in the CIS kickstart
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Jan Černý
+---
+ products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg
+index 00edb9d536c..7062e2974ad 100644
+--- a/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg
++++ b/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg
+@@ -1,4 +1,4 @@
+-# SCAP Security Guide CIS profile (Leve 2 - Server) kickstart for Red Hat Enterprise Linux 7 Server
++# SCAP Security Guide CIS profile (Level 2 - Server) kickstart for Red Hat Enterprise Linux 7 Server
+ # Version: 0.0.1
+ # Date: 2021-08-12
+ #
diff --git a/SOURCES/scap-security-guide-0.1.58-rhel8_cis_identifier_update_1-PR_7356.patch b/SOURCES/scap-security-guide-0.1.58-rhel8_cis_identifier_update_1-PR_7356.patch
new file mode 100644
index 0000000..05430fe
--- /dev/null
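Review bot: All three new kickstart files (`ssg-rhel7-cis_server_l1-ks.cfg`, `ssg-rhel7-cis_workstation_l1-ks.cfg`, `ssg-rhel7-cis_workstation_l2-ks.cfg`) ship the same `rootpw --iscrypted`, `user --password` and `bootloader --password` hashes, with the plaintext values written in the comments directly above them, so a host installed from an unmodified file ends up with credentials that are published in this repository. Nothing in the files says these are placeholders; a comment above each credential line would make that explicit, e.g. `# Example hash only - generate a site-specific one before deploying this kickstart`. The DHCP note repeated in each file cites `CCE-27021-5` and `RHEL-06-000292`, which look like RHEL 6 identifiers carried over from an older template and do not describe a check in the RHEL 7 CIS profiles these files select. The point about the credential comments applies to the same lines in all three files within this hunk.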
+++ b/SOURCES/scap-security-guide-0.1.58-rhel8_cis_identifier_update_1-PR_7356.patch 
@@ -0,0 +1,302 @@
+From 5f8264ed7c5580fdd013810a713ab9b3b296bf4a Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Mon, 9 Aug 2021 11:46:22 +0100
+Subject: [PATCH] Update RHEL 8 CIS references to match benchmark 1.0.1
+
+---
+ .../file_groupowner_backup_etc_group/rule.yml | 2 +-
+ .../file_groupowner_backup_etc_gshadow/rule.yml | 2 +-
+ .../file_groupowner_backup_etc_passwd/rule.yml | 2 +-
+ .../file_groupowner_backup_etc_shadow/rule.yml | 2 +-
+ .../file_groupowner_etc_group/rule.yml | 2 +-
+ .../file_groupowner_etc_gshadow/rule.yml | 2 +-
+ .../file_groupowner_etc_shadow/rule.yml | 2 +-
+ .../file_owner_backup_etc_group/rule.yml | 2 +-
+ .../file_owner_backup_etc_gshadow/rule.yml | 2 +-
+ .../file_owner_backup_etc_passwd/rule.yml | 2 +-
+ .../file_owner_backup_etc_shadow/rule.yml | 2 +-
+ .../file_owner_etc_group/rule.yml | 2 +-
+ .../file_owner_etc_gshadow/rule.yml | 2 +-
+ .../file_owner_etc_shadow/rule.yml | 2 +-
+ .../file_permissions_backup_etc_group/rule.yml | 2 +-
+ .../file_permissions_backup_etc_gshadow/rule.yml | 2 +-
+ .../file_permissions_backup_etc_passwd/rule.yml | 2 +-
+ .../file_permissions_backup_etc_shadow/rule.yml | 2 +-
+ .../file_permissions_etc_group/rule.yml | 2 +-
+ .../file_permissions_etc_gshadow/rule.yml | 2 +-
+ .../file_permissions_etc_shadow/rule.yml | 2 +-
+ 21 files changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
+index c4a7f19b94..fdbdbb08ad 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
+@@ -18,7 +18,7 @@ identifiers:
+
+ references:
+ cis@rhel7: 6.1.9
+- cis@rhel8: 6.1.8
++ cis@rhel8: 6.1.9
+ cis@ubuntu2004: 6.1.8
+
+ ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/group-", group="root") }}}'
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
+index 5348e80954..f1f7c7a4d6 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
+@@ -23,7 +23,7 @@ identifiers:
+
+ references:
+ cis@rhel7: 6.1.6
+- cis@rhel8: 6.1.9
++ cis@rhel8: 6.1.7
+ cis@ubuntu2004: 6.1.3
+
+ ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow-", group=target_group) }}}'
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
+index 170f6412cf..26ff82fb51 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
+@@ -18,7 +18,7 @@ identifiers:
+
+ references:
+ cis@rhel7: 6.1.3
+- cis@rhel8: 6.1.6
++ cis@rhel8: 6.1.3
+ cis@ubuntu2004: 6.1.6
+
+ ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/passwd-", group="root") }}}'
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
+index ce50f98e3f..07a3d919e2 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
+@@ -24,7 +24,7 @@ identifiers:
+
+ references:
+ cis@rhel7: 6.1.5
+- cis@rhel8: 6.1.7
++ cis@rhel8: 6.1.5
+ cis@ubuntu2004: 6.1.7
+
+ ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow-", group=target_group) }}}'
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
+index 050dd198c3..7c3c3ac1d2 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml
+@@ -18,7 +18,7 @@ identifiers:
+ references:
+ cis-csc: 12,13,14,15,16,18,3,5
+ cis@rhel7: 6.1.8
+- cis@rhel8: 6.1.4
++ cis@rhel8: 6.1.8
+ cis@ubuntu2004: 6.1.5
+ cjis: 5.5.2.2
+ cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
+index 4d4e3ff788..ca65dbc5af 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
+@@ -24,7 +24,7 @@ identifiers:
+ references:
+ cis-csc: 12,13,14,15,16,18,3,5
+ cis@rhel7: 6.1.7
+- cis@rhel8: 6.1.5
++ cis@rhel8: 6.1.6
+ cis@ubuntu2004: 6.1.9
+ cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+ isa-62443-2009: 4.3.3.7.3
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
+index 2af088f528..d59a34ef04 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
+@@ -24,7 +24,7 @@ identifiers:
+ references:
+ cis-csc: 12,13,14,15,16,18,3,5
+ cis@rhel7: 6.1.4
+- cis@rhel8: 6.1.3
++ cis@rhel8: 6.1.4
+ cis@ubuntu2004: 6.1.4
+ cjis: 5.5.2.2
+ cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
+index 9021403357..2f2f475abf 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
+@@ -18,7 +18,7 @@ identifiers:
+
+ references:
+ cis@rhel7: 6.1.9
+- cis@rhel8: 6.1.8
++ cis@rhel8: 6.1.9
+ cis@ubuntu2004: 6.1.8
+
+ ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/group-", owner="root") }}}'
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
+index 3f25afef5f..afbcd11696 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
+@@ -17,7 +17,7 @@ identifiers:
+
+ references:
+ cis@rhel7: 6.1.6
+- cis@rhel8: 6.1.9
++ cis@rhel8: 6.1.7
+ cis@ubuntu2004: 6.1.3
+
+ ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/gshadow-", owner="root") }}}'
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
+index d16f370572..8a3af3ae70 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
+@@ -18,7 +18,7 @@ identifiers:
+
+ references:
+ cis@rhel7: 6.1.3
+- cis@rhel8: 6.1.6
++ cis@rhel8: 6.1.3
+ cis@ubuntu2004: 6.1.6
+
+ ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/passwd-", owner="root") }}}'
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
+index 7ef757c006..508bc355c3 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
+@@ -18,7 +18,7 @@ identifiers:
+
+ references:
+ cis@rhel7: 6.1.5
+- cis@rhel8: 6.1.7
++ cis@rhel8: 6.1.5
+ cis@ubuntu2004: 6.1.7
+
+ ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/shadow-", owner="root") }}}'
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
+index 90fd7b08eb..8e2cb53c67 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml
+@@ -18,7 +18,7 @@ identifiers:
+ references:
+ cis-csc: 12,13,14,15,16,18,3,5
+ cis@rhel7: 6.1.8
+- cis@rhel8: 6.1.4
++ cis@rhel8: 6.1.8
+ cis@sle15: 6.1.6
+ cis@ubuntu2004: 6.1.5
+ cjis: 5.5.2.2
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
+index cb16d61e88..fb91cee6d7 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml
+@@ -19,7 +19,7 @@ references:
+ anssi: BP28(R36)
+ cis-csc: 12,13,14,15,16,18,3,5
+ cis@rhel7: 6.1.7
+- cis@rhel8: 6.1.5
++ cis@rhel8: 6.1.6
+ cis@ubuntu2004: 6.1.9
+ cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+ isa-62443-2009: 4.3.3.7.3
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
+index 7c56014953..1099e5e7cc 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml
+@@ -22,7 +22,7 @@ references:
+ anssi: BP28(R36)
+ cis-csc: 12,13,14,15,16,18,3,5
+ cis@rhel7: 6.1.4
+- cis@rhel8: 6.1.3
++ cis@rhel8: 6.1.4
+ cis@ubuntu2004: 6.1.4
+ cjis: 5.5.2.2
+ cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
+index 11f3818332..5d165a606e 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
+@@ -19,7 +19,7 @@ identifiers:
+
+ references:
+ cis@rhel7: 6.1.9
+- cis@rhel8: 6.1.8
++ cis@rhel8: 6.1.9
+ cis@sle15: 6.1.9
+ cis@ubuntu2004: 6.1.8
+
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
+index 05208fee37..9fd8981485 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
+@@ -26,7 +26,7 @@ identifiers:
+
+ references:
+ cis@rhel7: 6.1.6
+- cis@rhel8: 6.1.9
++ cis@rhel8: 6.1.7
+ cis@sle15: 6.1.3
+ cis@ubuntu2004: 6.1.3
+
+diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
+index 6de0c5f703..67191c872d 100644
+--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
+@@ -19,7 +19,7 @@ identifiers:
+
+ references:
+ cis@rhel7: 6.1.3
+- cis@rhel8: 6.1.6 ++ cis@rhel8: 6.1.3 + cis@sle15: 6.1.7 + cis@ubuntu2004: 6.1.6 + +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml +index c9a4fce34c..685427c0a0 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml +@@ -27,7 +27,7 @@ identifiers: + + references: + cis@rhel7: 6.1.5 +- cis@rhel8: 6.1.7 ++ cis@rhel8: 6.1.5 + cis@sle15: 6.1.8 + cis@ubuntu2004: 6.1.7 + +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml +index 1333bcb57b..fbf650b26d 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml +@@ -20,7 +20,7 @@ references: + anssi: BP28(R36) + cis-csc: 12,13,14,15,16,18,3,5 + cis@rhel7: 6.1.8 +- cis@rhel8: 6.1.4 ++ cis@rhel8: 6.1.8 + cis@sle15: 6.1.6 + cis@ubuntu2004: 6.1.5 + cjis: 5.5.2.2 +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml +index c9b3495381..02404617c1 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml ++++ 
b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml +@@ -28,7 +28,7 @@ references: + anssi: BP28(R36) + cis-csc: 12,13,14,15,16,18,3,5 + cis@rhel7: 6.1.7 +- cis@rhel8: 6.1.5 ++ cis@rhel8: 6.1.6 + cis@sle15: 6.1.2 + cis@ubuntu2004: 6.1.9 + cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml +index acbc478ce9..ff4db782f0 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml +@@ -31,7 +31,7 @@ references: + anssi: BP28(R36) + cis-csc: 12,13,14,15,16,18,3,5 + cis@rhel7: 6.1.4 +- cis@rhel8: 6.1.3 ++ cis@rhel8: 6.1.4 + cis@sle15: 6.1.5 + cis@ubuntu2004: 6.1.4 + cjis: 5.5.2.2 diff --git a/SOURCES/scap-security-guide-0.1.58-rhel8_cis_kickstarts-PR_7383.patch b/SOURCES/scap-security-guide-0.1.58-rhel8_cis_kickstarts-PR_7383.patch new file mode 100644 index 0000000..28dcffd --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-rhel8_cis_kickstarts-PR_7383.patch 
@@ -0,0 +1,455 @@ +From b3dc8273ded33d8357239482cf07186b14e3cdd2 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 12 Aug 2021 10:54:59 +0200 +Subject: [PATCH] add kickstarts for rhel8 CIS profiles + +--- + products/rhel8/kickstart/ssg-rhel8-cis-ks.cfg | 4 +- + .../kickstart/ssg-rhel8-cis_server_l1-ks.cfg | 133 ++++++++++++++++ + .../ssg-rhel8-cis_workstation_l1-ks.cfg | 133 ++++++++++++++++ + .../ssg-rhel8-cis_workstation_l2-ks.cfg | 143 ++++++++++++++++++ + 4 files changed, 411 insertions(+), 2 deletions(-) + create mode 100644 products/rhel8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg + create mode 100644 products/rhel8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg + create mode 100644 products/rhel8/kickstart/ssg-rhel8-cis_workstation_l2-ks.cfg + +diff --git a/products/rhel8/kickstart/ssg-rhel8-cis-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-cis-ks.cfg +index c3f31429036..d1bbb09c422 100644 +--- a/products/rhel8/kickstart/ssg-rhel8-cis-ks.cfg ++++ b/products/rhel8/kickstart/ssg-rhel8-cis-ks.cfg +@@ -1,6 +1,6 @@ +-# SCAP Security Guide CIS profile kickstart for Red Hat Enterprise Linux 8 Server ++# SCAP Security Guide CIS profile (Level 2 - Server) kickstart for Red Hat Enterprise Linux 8 Server + # Version: 0.0.1 +-# Date: 2020-03-30 ++# Date: 2021-08-12 + # + # Based on: + # https://pykickstart.readthedocs.io/en/latest/ +diff --git a/products/rhel8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg +new file mode 100644 +index 00000000000..b73d5c12d21 +--- /dev/null ++++ b/products/rhel8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg +@@ -0,0 +1,133 @@ ++# SCAP Security Guide CIS profile (Level 1 - Server) kickstart for Red Hat Enterprise Linux 8 Server ++# Version: 0.0.1 ++# Date: 2021-08-12 ++# ++# Based on: ++# https://pykickstart.readthedocs.io/en/latest/ ++# 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. 
For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# sssd profile sets sha512 to hash passwords ++# passwords are shadowed by default ++# See the manual page for authselect-profile for a complete list of possible options. ++authselect select sssd ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup --pesize=4096 pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow ++# Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++logvol swap --name=lv_swap --vgname=VolGroup --size=2016 ++ ++ ++# Harden installation with CIS profile ++# For more details and configuration options see ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_cis_server_l1 ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot 
after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject +diff --git a/products/rhel8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg +new file mode 100644 +index 00000000000..33bd9dd2560 +--- /dev/null ++++ b/products/rhel8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg +@@ -0,0 +1,133 @@ ++# SCAP Security Guide CIS profile (Level 1 - Workstation) kickstart for Red Hat Enterprise Linux 8 Server ++# Version: 0.0.1 ++# Date: 2021-08-12 ++# ++# Based on: ++# https://pykickstart.readthedocs.io/en/latest/ ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot 
enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# sssd profile sets sha512 to hash passwords ++# passwords are shadowed by default ++# See the manual page for authselect-profile for a complete list of possible options. 
++authselect select sssd ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup --pesize=4096 pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow ++# Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++logvol swap --name=lv_swap --vgname=VolGroup --size=2016 ++ ++ ++# Harden installation with CIS profile ++# For more details and configuration options see ++# 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_cis_workstation_l1 ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject +diff --git a/products/rhel8/kickstart/ssg-rhel8-cis_workstation_l2-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-cis_workstation_l2-ks.cfg +new file mode 100644 +index 00000000000..79ca7fbc201 +--- /dev/null ++++ b/products/rhel8/kickstart/ssg-rhel8-cis_workstation_l2-ks.cfg +@@ -0,0 +1,143 @@ ++# SCAP Security Guide CIS profile (Level 2 - Workstation) kickstart for Red Hat Enterprise Linux 8 Server ++# Version: 0.0.1 ++# Date: 2021-08-12 ++# ++# Based on: ++# https://pykickstart.readthedocs.io/en/latest/ ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a 
directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# sssd profile sets sha512 to hash passwords ++# passwords are shadowed by default ++# See the manual page for authselect-profile for a complete list of possible options. ++authselect select sssd ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup --pesize=4096 pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow ++# Ensure /home Located On Separate Partition ++logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" ++# Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++# Ensure /var/tmp Located On Separate Partition ++logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++# Ensure /var Located On Separate Partition ++logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072 ++# Ensure /var/log Located On Separate Partition ++logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 ++# Ensure /var/log/audit Located On Separate Partition ++logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup 
--size=512 ++logvol swap --name=lv_swap --vgname=VolGroup --size=2016 ++ ++ ++# Harden installation with CIS profile ++# For more details and configuration options see ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_cis_workstation_l2 ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject diff --git a/SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_010290-PR_7151.patch b/SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_010290-PR_7151.patch new file mode 100644 index 0000000..e1deac7 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_010290-PR_7151.patch @@ -0,0 +1,687 @@ +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml +index 194d7dfe2dc..b6c5e7f4b0d 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml +@@ -37,7 +37,7 @@ ocil: |- + MACs are in use, run the following command: +
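Review bot: The `bootloader` line in each of the three new kickstarts (`ssg-rhel8-cis_server_l1-ks.cfg`, `ssg-rhel8-cis_workstation_l1-ks.cfg`, `ssg-rhel8-cis_workstation_l2-ks.cfg`) hands a `$6$` SHA-512 crypt hash to `--password=` without `--iscrypted`, so the installer will presumably treat that hash string itself as the literal GRUB password, and the comment above it points at the `rootpw` documentation rather than the bootloader command; pykickstart's `bootloader` takes `--iscrypted` for a pre-hashed value, and GRUB2 expects a PBKDF2-style hash there rather than the crypt form used for `rootpw`, so the line should be verified on an actual install. The same files ship a root password whose plaintext is `server` and a `wheel`-group `admin` account whose plaintext is `admin123`, both spelled out in comments; since these files are installed as ready-to-use templates, a line such as `# Replace every password hash in this file before using it on a real system` above the `rootpw` command would make that expectation explicit. The DHCP `NOTE` still cites `CCE-27021-5 (DISA FSO RHEL-06-000292)`, a RHEL 6 STIG reference carried into RHEL 8 CIS kickstarts, and should either be dropped or point at the requirement the selected CIS profile actually enforces. In the L2 workstation file the `/var/tmp` volume is named `LogVol7` while every sibling uses the two-digit `LogVol0N` form, which is worth aligning while the files are new.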
      $ sudo grep -i macs /etc/ssh/sshd_config
      + The output should contain only following MACs (or a subset) in the exact order: +-
      hmac-sha2-512,hmac-sha2-256
      ++
      MACs {{{ xccdf_value("sshd_approved_macs") }}}
      + + warnings: + - general: |- +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml +new file mode 100644 +index 00000000000..1c9dde77ee2 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml +@@ -0,0 +1,16 @@ ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++{{{ ansible_instantiate_variables("sshd_approved_macs") }}} ++ ++{{{ ansible_set_config_file( ++ msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config', ++ file='/etc/crypto-policies/back-ends/openssh.config', ++ parameter='MACs', ++ value="{{ sshd_approved_macs }}", ++ create='yes', ++ prefix_regex='^.*' ++ ) ++}}} +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh +new file mode 100644 +index 00000000000..b26992ce183 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh +@@ -0,0 +1,13 @@ ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++. 
/usr/share/scap-security-guide/remediation_functions ++{{{ bash_instantiate_variables("sshd_approved_macs") }}} ++ ++{{{ set_config_file( ++ path="/etc/crypto-policies/back-ends/openssh.config", ++ parameter="MACs", ++ value="${sshd_approved_macs}", ++ create=true, ++ insensitive=false, ++ prefix_regex="^.*" ++ ) ++}}} +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml +new file mode 100644 +index 00000000000..5239af10612 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml +@@ -0,0 +1,35 @@ ++{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}} ++ ++ ++ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{{ PATH }}} ++ ^MACs.*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ MACs ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml +new file mode 100644 +index 00000000000..1aeb987db2d +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml +@@ -0,0 +1,60 @@ ++documentation_complete: true ++ ++prodtype: fedora,rhel8 ++ ++title: 'Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config' ++ ++description: |- ++ Crypto Policies provide a centralized control over crypto algorithms usage of many packages. ++ OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be ++ set up incorrectly. 
++ ++ To check that Crypto Policies settings are configured correctly, ensure that ++ /etc/crypto-policies/back-ends/openssh.config contains the following ++ line and is not commented out: ++ MACs hmac-sha2-512,hmac-sha2-256 ++ ++rationale: |- ++ Overriding the system crypto policy makes the behavior of the OpenSSH ++ client violate expectations, and makes system configuration more ++ fragmented. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-85870-4 ++ ++references: ++ disa: CCI-001453 ++ nist: AC-17(2) ++ srg: SRG-OS-000250-GPOS-00093 ++ stigid@rhel8: RHEL-08-010290 ++ ++ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly' ++ ++ocil: |- ++ To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run: ++
      $ grep -i macs /etc/crypto-policies/back-ends/openssh.config
      ++ and verify that the line matches: ++
      MACs hmac-sha2-512,hmac-sha2-256
      ++ ++warnings: ++ - general: |- ++ The system needs to be rebooted for these changes to take effect. ++ - regulatory: |- ++ System Crypto Modules must be provided by a vendor that undergoes ++ FIPS-140 certifications. ++ FIPS-140 is applicable to all Federal agencies that use ++ cryptographic-based security systems to protect sensitive information ++ in computer and telecommunication systems (including voice systems) as ++ defined in Section 5131 of the Information Technology Management Reform ++ Act of 1996, Public Law 104-106. This standard shall be used in ++ designing and implementing cryptographic modules that Federal ++ departments and agencies operate or are operated for them under ++ contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}} ++ To meet this, the system has to have cryptographic software provided by ++ a vendor that has undergone this certification. This means providing ++ documentation, test results, design information, and independent third ++ party review by an accredited lab. While open source software is ++ capable of meeting this, it does not meet FIPS-140 unless the vendor ++ submits to this process. 
+diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh +new file mode 100644 +index 00000000000..5a4b6887cba +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh +@@ -0,0 +1,15 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++sshd_approved_macs=hmac-sha2-512,hmac-sha2-256 ++configfile=/etc/crypto-policies/back-ends/openssh.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++if [[ -f $configfile ]]; then ++ sed -i "s/^.*MACs.*$/MACs ${sshd_approved_macs}/" $configfile ++else ++ echo "MACs ${sshd_approved_macs}" > "$configfile" ++fi +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh +new file mode 100644 +index 00000000000..e713d254f9c +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh +@@ -0,0 +1,15 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++sshd_approved_macs=hmac-sha2-512,hmac-sha2-256 ++configfile=/etc/crypto-policies/back-ends/openssh.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++if [[ -f $configfile ]]; then ++ sed -i "s/^.*MACs.*$/#MACs ${sshd_approved_macs}/" $configfile ++else ++ echo "#MACs 
${sshd_approved_macs}" > "$configfile" ++fi +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh +new file mode 100644 +index 00000000000..b8a63bec194 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh +@@ -0,0 +1,18 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++sshd_approved_macs=hmac-sha2-512,hmac-sha2-256 ++configfile=/etc/crypto-policies/back-ends/openssh.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++if [[ -f $configfile ]]; then ++ sed -i "s/^.*MACs.*$/MACs ${sshd_approved_macs}/" $configfile ++else ++ echo "MACs ${sshd_approved_macs}" > "$configfile" ++fi ++ ++# follow up with incorrect ++echo "#MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512" >> $configfile +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh +new file mode 100644 +index 00000000000..55ef3f58422 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ 
++configfile=/etc/crypto-policies/back-ends/openssh.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++echo "" > $configfile +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh +new file mode 100644 +index 00000000000..9980a45681c +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh +@@ -0,0 +1,14 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++configfile=/etc/crypto-policies/back-ends/openssh.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++if [[ -f $configfile ]]; then ++ sed -i "s/^.*MACs.*$/MACs /" $configfile ++else ++ echo "MACs " > "$configfile" ++fi +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh +new file mode 100644 +index 00000000000..d1303d60746 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh +@@ -0,0 +1,19 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++sshd_approved_macs=hmac-sha2-512,hmac-sha2-256 
++incorrect_sshd_approved_macs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++configfile=/etc/crypto-policies/back-ends/openssh.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++if [[ -f $configfile ]]; then ++ sed -i "s/^.*MACs.*$/MACs ${incorrect_sshd_approved_macs}/" $configfile ++else ++ echo "MACs ${incorrect_sshd_approved_macs}" > "$configfile" ++fi ++ ++# follow up with correct value ++echo "MACs ${sshd_approved_macs}" >> $configfile +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh +new file mode 100644 +index 00000000000..8b21af46896 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh +@@ -0,0 +1,14 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++configfile=/etc/crypto-policies/back-ends/openssh.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++if [[ -f $configfile ]]; then ++ sed -i "s/^.*MACs.*$/MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512/" $configfile ++else ++ echo "MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512" > "$configfile" ++fi +diff --git 
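Review bot: The fixture name `stig_incorrect_followed_by_correct_commented.fail.sh` does not match what the script writes: the last line `echo "MACs ${sshd_approved_macs}" >> $configfile` appends an uncommented correct entry, so the file ends up as "incorrect followed by correct", not "followed by correct commented". Presumably the check still fails because the incorrect `MACs` line is left in place, but a reader cannot tell which scenario is being asserted. Either rename the file to `stig_incorrect_followed_by_correct.fail.sh` or make the appended line match the name, `echo "#MACs ${sshd_approved_macs}" >> $configfile`, and consider adding the missing sibling so both scenarios are covered.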
a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh +new file mode 100644 +index 00000000000..2138caad319 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++configfile=/etc/crypto-policies/back-ends/openssh.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++# If file exists, remove it ++test -f $configfile && rm -f $configfile +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml +new file mode 100644 +index 00000000000..5ed618586ae +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml +@@ -0,0 +1,45 @@ ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++{{{ ansible_instantiate_variables("sshd_approved_macs") }}} ++ ++- name: "{{{ rule_title }}}: Set facts" ++ set_fact: ++ path: /etc/crypto-policies/back-ends/opensshserver.config ++ correct_value: "-oMACs={{ sshd_approved_macs }}" ++ ++- name: "{{{ rule_title }}}: Stat" ++ stat: ++ path: "{{ path }}" ++ follow: yes ++ register: opensshserver_file ++ ++- name: "{{{ rule_title }}}: Create" ++ lineinfile: ++ path: "{{ path }}" ++ line: "CRYPTO_POLICY='{{ correct_value }}'" ++ create: yes ++ when: not 
opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length ++ ++- name: "{{{ rule_title }}}" ++ block: ++ - name: "Existing value check" ++ lineinfile: ++ path: "{{ path }}" ++ create: false ++ regexp: "{{ correct_value }}" ++ state: absent ++ check_mode: true ++ changed_when: false ++ register: opensshserver ++ ++ - name: "Update/Correct value" ++ replace: ++ path: "{{ path }}" ++ regexp: (-oMACs=\S+) ++ replace: "{{ correct_value }}" ++ when: opensshserver.found is defined and opensshserver.found != 1 ++ ++ when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh +new file mode 100644 +index 00000000000..790a2951bab +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh +@@ -0,0 +1,31 @@ ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++. /usr/share/scap-security-guide/remediation_functions ++{{{ bash_instantiate_variables("sshd_approved_macs") }}} ++ ++CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config ++correct_value="-oMACs=${sshd_approved_macs}" ++ ++# Test if file exists ++test -f ${CONF_FILE} || touch ${CONF_FILE} ++ ++# Ensure CRYPTO_POLICY is not commented out ++sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE} ++ ++grep -q "'${correct_value}'" ${CONF_FILE} ++ ++if [[ $? -ne 0 ]]; then ++ # We need to get the existing value, using PCRE to maintain same regex ++ existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE}) ++ ++ if [[ ! 
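Review bot: When `opensshserver.config` exists and its `CRYPTO_POLICY='…'` value has no `-oMACs=` option, the "Update/Correct value" task's `replace` with `regexp: (-oMACs=\S+)` matches nothing and the play ends with the file untouched, so the rule is reported remediated without anything having changed; the "Create" task does not cover this case either, since it only fires on the `stat.size <= correct_value|length` heuristic. I would register the result of `replace` and add a fallback `lineinfile` with `backrefs` that inserts the option inside the existing quoted value, so the other `-o` options in that assignment are preserved. Two smaller points in the same block: `regexp: "{{ correct_value }}"` feeds the variable in as an unescaped regex (use `{{ correct_value | regex_escape }}`), and `(-oMACs=\S+)` also matches commented lines and swallows a closing `'` when the option is last in the value.
```yaml
# … unchanged: facts, stat, create, "Existing value check" …

  - name: "Update/Correct value"
    replace:
      path: "{{ path }}"
      regexp: "-oMACs=[^\\s']+"
      replace: "{{ correct_value }}"
    register: macs_replaced
    when: opensshserver.found is defined and opensshserver.found != 1

  - name: "Insert -oMACs when CRYPTO_POLICY has no MACs option"
    lineinfile:
      path: "{{ path }}"
      regexp: "^(CRYPTO_POLICY='[^']*)'\\s*$"
      line: "\\1 {{ correct_value }}'"
      backrefs: yes
    when: opensshserver.found is defined and opensshserver.found != 1 and not (macs_replaced.changed | default(false))
```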
-z ${existing_value} ]]; then ++ # replace existing_value with correct_value ++ sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE} ++ else ++ # ***NOTE*** # ++ # This probably means this file is not here or it's been modified ++ # unintentionally. ++ # ********** # ++ # echo correct_value to end ++ echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE} ++ fi ++fi +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml +new file mode 100644 +index 00000000000..18028157032 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml +@@ -0,0 +1,35 @@ ++{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}} ++ ++ ++ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{{ PATH }}} ++ ^(?!#).*(-oMACs=\S+).+$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ -oMACs= ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml +new file mode 100644 +index 00000000000..0fd107a1bbe +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml +@@ -0,0 +1,60 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config' ++ ++description: |- ++ Crypto Policies provide a centralized control over crypto algorithms usage of many packages. ++ OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be ++ set up incorrectly. 
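Review bot: `existing_value=$(grep -Po '(-oMACs=\S+)' …)` is interpolated unescaped into `sed -i "s/${existing_value}/${correct_value}/g"`: if the file has more than one match the variable is multi-line and sed aborts with an unterminated `s` command, and regex metacharacters in MAC names (the `.` in `@openssh.com`) are treated as patterns rather than text. In the no-match branch the script appends a second `CRYPTO_POLICY='…'` line instead of adding the option to the existing assignment; if sshd loads this file as an environment file (not visible here) the later assignment wins and the cipher/kex options already in the first line are lost. A fixed regex substitution, plus an in-place insert when `-oMACs=` is absent, avoids both problems and keeps the file to a single assignment.
```shell
# … unchanged: platform header, variable instantiation, CONF_FILE/correct_value, touch, uncomment …

if ! grep -qE -- "${correct_value}([[:space:]']|$)" "${CONF_FILE}"; then
    if grep -q -- '-oMACs=' "${CONF_FILE}"; then
        # Rewrite the option in place with a fixed pattern; never feed grep output back into sed
        sed -i -E "s/-oMACs=[^[:space:]']+/${correct_value}/g" "${CONF_FILE}"
    elif grep -q "^CRYPTO_POLICY='" "${CONF_FILE}"; then
        # Keep the other -o options: add -oMACs inside the existing quoted value
        sed -i -E "s/^(CRYPTO_POLICY='[^']*)'/\1 ${correct_value}'/" "${CONF_FILE}"
    else
        echo "CRYPTO_POLICY='${correct_value}'" >> "${CONF_FILE}"
    fi
fi
```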
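Review bot: The pattern `^(?!#).*(-oMACs=\S+).+$` ends in `.+`, which forces the greedy `\S+` to give back one character whenever `-oMACs=…` is the last token on the line, so the captured value is one character short of what was written; `rhel8_stig_correct.pass.sh`'s missing-file branch writes exactly such a line. Conversely, when the option sits last inside `CRYPTO_POLICY='…'`, `\S+` happily includes the closing `'`. The state and variable it is compared against are not visible in this extraction, but a capture that excludes whitespace and the quote is correct in both cases: `^(?!#).*(-oMACs=[^\s']+).*$`. Note also that `(?!#)` only rejects comments starting at column 0; `^\s*(?!#)` would match what `sshd` treats as a comment.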
++ ++ To check that Crypto Policies settings are configured correctly, ensure that ++ /etc/crypto-policies/back-ends/opensshserver.config contains the following ++ text and is not commented out: ++ -oMACS=hmac-sha2-512,hmac-sha2-256 ++ ++rationale: |- ++ Overriding the system crypto policy makes the behavior of the OpenSSH ++ server violate expectations, and makes system configuration more ++ fragmented. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-85899-3 ++ ++references: ++ disa: CCI-001453 ++ nist: AC-17(2) ++ srg: SRG-OS-000250-GPOS-00093 ++ stigid@rhel8: RHEL-08-010290 ++ ++ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly' ++ ++ocil: |- ++ To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run: ++
      $ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
      ++ and verify that the line matches: ++
      -oMACS=hmac-sha2-512,hmac-sha2-256
      ++ ++warnings: ++ - general: |- ++ The system needs to be rebooted for these changes to take effect. ++ - regulatory: |- ++ System Crypto Modules must be provided by a vendor that undergoes ++ FIPS-140 certifications. ++ FIPS-140 is applicable to all Federal agencies that use ++ cryptographic-based security systems to protect sensitive information ++ in computer and telecommunication systems (including voice systems) as ++ defined in Section 5131 of the Information Technology Management Reform ++ Act of 1996, Public Law 104-106. This standard shall be used in ++ designing and implementing cryptographic modules that Federal ++ departments and agencies operate or are operated for them under ++ contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}} ++ To meet this, the system has to have cryptographic software provided by ++ a vendor that has undergone this certification. This means providing ++ documentation, test results, design information, and independent third ++ party review by an accredited lab. While open source software is ++ capable of meeting this, it does not meet FIPS-140 unless the vendor ++ submits to this process. 
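Review bot: The description and the OCIL "verify that the line matches" text spell the option `-oMACS=` (capital S) while the OCIL's own `grep -Po '(-oMACs=\S+)'`, the OVAL and the remediations all use `-oMACs=`; `grep -Po` and the OVAL regex are case-sensitive, so an administrator who types what the description says will write a line the check does not recognise. Both places should read `-oMACs={{{ xccdf_value("sshd_approved_macs") }}}`, which also stops the hard-coded `hmac-sha2-512,hmac-sha2-256` from drifting away from the `sshd_approved_macs` variable the profile actually selects (the sibling ciphers rule already uses `xccdf_value` this way). The description could also state that the option lives inside the `CRYPTO_POLICY='…'` assignment, since that is the form the bash remediation writes.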
+diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh +new file mode 100644 +index 00000000000..14da92218dc +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh +@@ -0,0 +1,17 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++sshd_approved_macs=hmac-sha2-512,hmac-sha2-256 ++configfile=/etc/crypto-policies/back-ends/opensshserver.config ++correct_value="-oMACs=${sshd_approved_macs}" ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++# Proceed when file exists ++if [[ -f $configfile ]]; then ++ sed -i -r "s/-oMACs=\S+/${correct_value}/" $configfile ++else ++ echo "${correct_value}" > "$configfile" ++fi +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh +new file mode 100644 +index 00000000000..3dde1479296 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++configfile=/etc/crypto-policies/back-ends/opensshserver.config ++ ++echo "" > "$configfile" +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh 
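Review bot: In `rhel8_stig_correct.pass.sh` the missing-file branch writes a bare `-oMACs=…` line (`echo "${correct_value}" > "$configfile"`) rather than the `CRYPTO_POLICY='…'` assignment the bash remediation produces and the rule text describes, so the "correct" fixture exercises a file shape no remediation would ever create, and one on which the OVAL's trailing `.+` drops the last character of the capture. Use `echo "CRYPTO_POLICY='${correct_value}'" > "$configfile"` so the pass case reflects a real opensshserver.config; the existing-file branch is fine because the RHEL 8 file already carries the wrapper.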
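Review bot: `rhel8_stig_empty_policy.fail.sh` is the only one of the four opensshserver fixtures that does not run `mkdir -p /etc/crypto-policies/back-ends` before `echo "" > "$configfile"`; on a test image without that directory the redirection fails and the scenario is never set up, so the "fail" result would come from the previous state of the file rather than from the empty-policy condition. Add the same guard the siblings use, `test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends`, before the echo.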
b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh +new file mode 100644 +index 00000000000..a50a0fc02bf +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh +@@ -0,0 +1,14 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++configfile=/etc/crypto-policies/back-ends/opensshserver.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++if [[ -f $configfile ]]; then ++ sed -i -r "s/-oMACs=\S+/-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com/" $configfile ++else ++ echo "-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com" > "$configfile" ++fi +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh +new file mode 100644 +index 00000000000..11e596ced87 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++configfile=/etc/crypto-policies/back-ends/opensshserver.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++# If file exists, remove it ++test -f $configfile && rm -f $configfile +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 6372d13cfc9..28b47cca487 100644 +--- a/products/rhel8/profiles/stig.profile ++++ 
b/products/rhel8/profiles/stig.profile +@@ -50,6 +50,7 @@ selections: + - var_password_pam_retry=3 + - var_password_pam_minlen=15 + - var_sshd_set_keepalive=0 ++ - sshd_approved_macs=stig + - sshd_idle_timeout_value=10_minutes + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 +@@ -174,11 +175,17 @@ selections: + # RHEL-08-010260 + - file_groupowner_var_log + ++ # *** SHARED *** # + # RHEL-08-010290 && RHEL-08-010291 +- ### NOTE: This will get split out in future STIG releases, as well as we will break +- ### these rules up to be more flexible in meeting the requirements. ++ # *** SHARED *** # + - configure_ssh_crypto_policy + ++ # RHEL-08-010290 ++ - harden_sshd_macs_openssh_conf_crypto_policy ++ - harden_sshd_macs_opensshserver_conf_crypto_policy ++ ++ # RHEL-08-010291 ++ + # RHEL-08-010292 + - sshd_use_strong_rng + +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 24e81491683..036d34cea1d 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -10,7 +10,6 @@ CCE-85866-2 + CCE-85867-0 + CCE-85868-8 + CCE-85869-6 +-CCE-85870-4 + CCE-85872-0 + CCE-85873-8 + CCE-85874-6 +@@ -36,7 +35,6 @@ CCE-85895-1 + CCE-85896-9 + CCE-85897-7 + CCE-85898-5 +-CCE-85899-3 + CCE-85900-9 + CCE-85901-7 + CCE-85902-5 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 32f1a24a7a4..393051a34ea 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -145,6 +145,8 @@ selections: + - grub2_uefi_admin_username + - grub2_uefi_password + - grub2_vsyscall_argument ++- harden_sshd_macs_openssh_conf_crypto_policy ++- harden_sshd_macs_opensshserver_conf_crypto_policy + - install_smartcard_packages + - installed_OS_is_vendor_supported + - kerberos_disable_no_keytab +@@ -325,6 +327,7 @@ selections: + - 
var_password_pam_lcredit=1 + - var_password_pam_retry=3 + - var_sshd_set_keepalive=0 ++- sshd_approved_macs=stig + - sshd_idle_timeout_value=10_minutes + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index d6a27c67dc0..de82fb34518 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -156,6 +156,8 @@ selections: + - grub2_uefi_admin_username + - grub2_uefi_password + - grub2_vsyscall_argument ++- harden_sshd_macs_openssh_conf_crypto_policy ++- harden_sshd_macs_opensshserver_conf_crypto_policy + - install_smartcard_packages + - installed_OS_is_vendor_supported + - kerberos_disable_no_keytab +@@ -335,6 +337,7 @@ selections: + - var_password_pam_lcredit=1 + - var_password_pam_retry=3 + - var_sshd_set_keepalive=0 ++- sshd_approved_macs=stig + - sshd_idle_timeout_value=10_minutes + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 diff --git a/SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_010291-PR_7169.patch b/SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_010291-PR_7169.patch new file mode 100644 index 0000000..13149fd --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_010291-PR_7169.patch 
@@ -0,0 +1,1057 @@ +From 7da420a853591a6e994439a9ada2b88d6793e3e7 Mon Sep 17 00:00:00 2001 +From: Carlos Matos +Date: Tue, 29 Jun 2021 14:00:14 -0400 +Subject: [PATCH 1/5] New rules for RHEL-08-010291 + +--- + .../services/ssh/sshd_approved_ciphers.var | 2 +- + .../ansible/shared.yml | 16 +++++ + .../bash/shared.sh | 13 ++++ + .../oval/shared.xml | 35 +++++++++++ + .../rule.yml | 62 +++++++++++++++++++ + .../tests/stig_correct.pass.sh | 15 +++++ + .../tests/stig_correct_commented.fail.sh | 15 +++++ + ...ct_followed_by_incorrect_commented.pass.sh | 18 ++++++ + .../tests/stig_empty_file.fail.sh | 10 +++ + .../tests/stig_empty_policy.fail.sh | 14 +++++ + ...rect_followed_by_correct_commented.fail.sh | 19 ++++++ + .../tests/stig_incorrect_policy.fail.sh | 15 +++++ + .../tests/stig_missing_file.fail.sh | 11 ++++ + .../ansible/shared.yml | 45 ++++++++++++++ + .../bash/shared.sh | 25 ++++++++ + .../oval/shared.xml | 35 +++++++++++ + .../rule.yml | 62 +++++++++++++++++++ + .../tests/rhel8_stig_correct.pass.sh | 17 +++++ + .../tests/rhel8_stig_empty_policy.fail.sh | 7 +++ + .../tests/rhel8_stig_incorrect_policy.fail.sh | 14 +++++ + .../tests/rhel8_stig_missing_file.fail.sh | 11 ++++ + products/rhel8/profiles/stig.profile | 6 ++ + .../data/profile_stability/rhel8/stig.profile | 3 + + .../profile_stability/rhel8/stig_gui.profile | 3 + + 24 files changed, 472 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml + create mode 100644 
linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh + create mode 100644 
linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh + +diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var +index 46891daa619..a240bbbfaef 100644 +--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var ++++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var +@@ -11,6 +11,6 @@ operator: equals + interactive: false + + options: +- stig: aes128-ctr,aes192-ctr,aes256-ctr ++ stig: aes256-ctr,aes192-ctr,aes128-ctr + default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se + cis_rhel7: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml +new file mode 100644 +index 00000000000..badb5896cf2 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml +@@ -0,0 +1,16 @@ ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}} ++ ++{{{ ansible_set_config_file( ++ msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config', ++ 
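Review bot: Reordering the `stig` option of `sshd_approved_ciphers` from `aes128-ctr,aes192-ctr,aes256-ctr` to `aes256-ctr,aes192-ctr,aes128-ctr` changes the value for every rule already bound to this variable in the STIG profile, not just the two new crypto-policy rules. If those existing checks compare the whole string (their OVAL is not in this patch), a host that was compliant with the previous order starts failing after the update, which a consumer of the content will read as a regression unless the commit message says the strongest-first order is deliberate. A one-line comment in the `.var` file such as `# STIG order: strongest cipher first, see rationale in harden_sshd_ciphers_*_crypto_policy` would document why the two orders differ from `default`.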
file='/etc/crypto-policies/back-ends/openssh.config', ++ parameter='Ciphers', ++ value="{{ sshd_approved_ciphers }}", ++ create='yes', ++ prefix_regex='^.*' ++ ) ++}}} +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh +new file mode 100644 +index 00000000000..cdc66a8aac6 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh +@@ -0,0 +1,13 @@ ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++. /usr/share/scap-security-guide/remediation_functions ++{{{ bash_instantiate_variables("sshd_approved_ciphers") }}} ++ ++{{{ set_config_file( ++ path="/etc/crypto-policies/back-ends/openssh.config", ++ parameter="Ciphers", ++ value="${sshd_approved_ciphers}", ++ create=true, ++ insensitive=false, ++ prefix_regex="^.*" ++ ) ++}}} +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml +new file mode 100644 +index 00000000000..1879e77398b +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml +@@ -0,0 +1,35 @@ ++{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}} ++ ++ ++ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{{ PATH }}} ++ ^Ciphers.*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ Ciphers ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml +new file mode 
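Review bot: The `msg` passed to `ansible_set_config_file` in the ciphers rule reads `Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config`, a copy-paste from the MACs rule; this string becomes the task name in the generated playbook, so the Ansible output will claim it is setting MACs while it writes `Ciphers`. Change it to `msg='Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config'` so it matches the rule title.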
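Review bot: The OVAL definition for the ciphers rule carries `oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.")`, which is the MACs rule's description; it will show up as the definition title in generated reports and XCCDF results, where it contradicts the `Ciphers` pattern the same object actually tests. Use `oval_metadata("Limit the ciphers to those which are FIPS-approved.")`. The pattern `^Ciphers.*$` itself only recognises the keyword at column 0, which is consistent with the tests but means an indented `  Ciphers …` line would be reported as missing rather than compared.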
100644 +index 00000000000..cd1553dbdb3 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml +@@ -0,0 +1,62 @@ ++documentation_complete: true ++ ++prodtype: fedora,rhel8 ++ ++title: 'Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config' ++ ++description: |- ++ Crypto Policies provide a centralized control over crypto algorithms usage of many packages. ++ OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be ++ set up incorrectly. ++ ++ To check that Crypto Policies settings for ciphers are configured correctly, ensure that ++ /etc/crypto-policies/back-ends/openssh.config contains the following ++ line and is not commented out: ++
      Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}
      ++ ++rationale: |- ++ Overriding the system crypto policy makes the behavior of the OpenSSH daemon ++ violate expectations, and makes system configuration more fragmented. By ++ specifying a cipher list with the order of ciphers being in a “strongest to ++ weakest” orientation, the system will automatically attempt to use the ++ strongest cipher for securing SSH connections. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-85870-4 ++ ++references: ++ nist: AC-17(2) ++ srg: SRG-OS-000250-GPOS-00093 ++ disa: CCI-001453 ++ stigid@rhel8: RHEL-08-010291 ++ ++ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly' ++ ++ocil: |- ++ To verify if the OpenSSH daemon uses defined Cipher suite in the Crypto Policy, run: ++
      $ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
      ++ and verify that the line matches: ++
      Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}
      ++ ++warnings: ++ - general: |- ++ The system needs to be rebooted for these changes to take effect. ++ - regulatory: |- ++ System Crypto Modules must be provided by a vendor that undergoes ++ FIPS-140 certifications. ++ FIPS-140 is applicable to all Federal agencies that use ++ cryptographic-based security systems to protect sensitive information ++ in computer and telecommunication systems (including voice systems) as ++ defined in Section 5131 of the Information Technology Management Reform ++ Act of 1996, Public Law 104-106. This standard shall be used in ++ designing and implementing cryptographic modules that Federal ++ departments and agencies operate or are operated for them under ++ contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}} ++ To meet this, the system has to have cryptographic software provided by ++ a vendor that has undergone this certification. This means providing ++ documentation, test results, design information, and independent third ++ party review by an accredited lab. While open source software is ++ capable of meeting this, it does not meet FIPS-140 unless the vendor ++ submits to this process. 
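Review bot: The OCIL check `grep -i ciphers /etc/crypto-policies/back-ends/openssh.config` will also print a commented `#Ciphers …` line and any other line containing the word, whereas the automated check (`^Ciphers.*$`) and the `stig_correct_commented.fail.sh` fixture treat a commented line as non-compliant; an auditor following the manual text may therefore pass a host the scanner fails. Make the manual step mirror the OVAL, `$ grep '^Ciphers' /etc/crypto-policies/back-ends/openssh.config`, and say "the uncommented line matches". Minor: the title says "SSH Daemon" while the sibling MACs rules say "SSH Server"; pick one wording for the four rules.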
+diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh +new file mode 100644 +index 00000000000..0a27a7e0984 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh +@@ -0,0 +1,15 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr ++configfile=/etc/crypto-policies/back-ends/openssh.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++if [[ -f $configfile ]]; then ++ sed -i "s/^.*Ciphers.*$/Ciphers ${sshd_approved_ciphers}/" $configfile ++else ++ echo "Ciphers ${sshd_approved_ciphers}" > "$configfile" ++fi +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh +new file mode 100644 +index 00000000000..5cadd95ba38 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh +@@ -0,0 +1,15 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr ++configfile=/etc/crypto-policies/back-ends/openssh.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++if [[ -f $configfile ]]; then ++ sed -i "s/^.*Ciphers.*$/#Ciphers 
${sshd_approved_ciphers}/" $configfile ++else ++ echo "#Ciphers ${sshd_approved_ciphers}" > "$configfile" ++fi +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh +new file mode 100644 +index 00000000000..26220063757 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh +@@ -0,0 +1,18 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr ++configfile=/etc/crypto-policies/back-ends/openssh.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++if [[ -f $configfile ]]; then ++ sed -i "s/^.*Ciphers.*$/Ciphers ${sshd_approved_ciphers}/" $configfile ++else ++ echo "Ciphers ${sshd_approved_ciphers}" > "$configfile" ++fi ++ ++# follow up with incorrect ++echo "#Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr" >> $configfile +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh +new file mode 100644 +index 00000000000..55ef3f58422 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ 
++configfile=/etc/crypto-policies/back-ends/openssh.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++echo "" > $configfile +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh +new file mode 100644 +index 00000000000..7105441ad80 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh +@@ -0,0 +1,14 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++configfile=/etc/crypto-policies/back-ends/openssh.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++if [[ -f $configfile ]]; then ++ sed -i "s/^.*Ciphers.*$/Ciphers /" $configfile ++else ++ echo "Ciphers " > "$configfile" ++fi +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh +new file mode 100644 +index 00000000000..195f5e8d8ed +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh +@@ -0,0 +1,19 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr 
++incorrect_sshd_approved_ciphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr ++configfile=/etc/crypto-policies/back-ends/openssh.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++if [[ -f $configfile ]]; then ++ sed -i "s/^.*Ciphers.*$/Ciphers ${incorrect_sshd_approved_ciphers}/" $configfile ++else ++ echo "Ciphers ${incorrect_sshd_approved_ciphers}" > "$configfile" ++fi ++ ++# follow up with correct value ++echo "Ciphers ${sshd_approved_ciphers}" >> $configfile +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh +new file mode 100644 +index 00000000000..92bd4ed9c5a +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh +@@ -0,0 +1,15 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++incorrect_sshd_approved_ciphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc ++configfile=/etc/crypto-policies/back-ends/openssh.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++if [[ -f $configfile ]]; then ++ sed -i "s/^.*Ciphers.*$/Ciphers ${incorrect_sshd_approved_ciphers}/" $configfile ++else ++ echo "Ciphers ${incorrect_sshd_approved_ciphers}" > "$configfile" ++fi +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh +new file mode 100644 
+index 00000000000..2138caad319 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++configfile=/etc/crypto-policies/back-ends/openssh.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++# If file exists, remove it ++test -f $configfile && rm -f $configfile +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml +new file mode 100644 +index 00000000000..7532ba51639 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml +@@ -0,0 +1,45 @@ ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}} ++ ++- name: "{{{ rule_title }}}: Set facts" ++ set_fact: ++ path: /etc/crypto-policies/back-ends/opensshserver.config ++ correct_value: "-oCiphers={{ sshd_approved_ciphers }}" ++ ++- name: "{{{ rule_title }}}: Stat" ++ stat: ++ path: "{{ path }}" ++ follow: yes ++ register: opensshserver_file ++ ++- name: "{{{ rule_title }}}: Create" ++ lineinfile: ++ path: "{{ path }}" ++ line: "{{ correct_value }}" ++ create: yes ++ when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length ++ ++- name: "{{{ rule_title }}}" ++ block: ++ - name: "Existing value check" ++ lineinfile: ++ path: "{{ path }}" ++ create: false ++ regexp: "{{ correct_value }}" ++ state: absent ++ check_mode: 
true ++ changed_when: false ++ register: opensshserver ++ ++ - name: "Update/Correct value" ++ replace: ++ path: "{{ path }}" ++ regexp: (-oCiphers=\S+) ++ replace: "{{ correct_value }}" ++ when: opensshserver.found is defined and opensshserver.found != 1 ++ ++ when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh +new file mode 100644 +index 00000000000..1bc022f93b6 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh +@@ -0,0 +1,25 @@ ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++. /usr/share/scap-security-guide/remediation_functions ++{{{ bash_instantiate_variables("sshd_approved_ciphers") }}} ++ ++CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config ++correct_value="-oCiphers=${sshd_approved_ciphers}" ++ ++grep -q ${correct_value} ${CONF_FILE} ++ ++if [[ $? -ne 0 ]]; then ++ # We need to get the existing value, using PCRE to maintain same regex ++ existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE}) ++ ++ if [[ ! -z ${existing_value} ]]; then ++ # replace existing_value with correct_value ++ sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE} ++ else ++ # ***NOTE*** # ++ # This probably means this file is not here or it's been modified ++ # unintentionally. 
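Review bot: The `when` guards on the `Create` task and on the final block split on file size rather than on content, which leaves two cases uncorrected: a file that already holds a shorter, non-compliant `-oCiphers=` value satisfies `stat.size <= correct_value|length` and goes to `lineinfile`, which appends a second line while the old value stays in place, and a file larger than `correct_value|length` that contains no `-oCiphers=` at all reaches only the `replace` task, which has nothing to match and writes nothing. Keying both branches on `opensshserver_file.stat.exists` alone and letting the `Existing value check` decide between replace and append covers both. The `Existing value check` also hands `correct_value` to `regexp` unescaped; `regexp: "{{ correct_value | regex_escape }}"` keeps the `.` in cipher names from matching arbitrary characters.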
++ # ********** # ++ # echo correct_value to end ++ echo ${correct_value} >> ${CONF_FILE} ++ fi ++fi +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml +new file mode 100644 +index 00000000000..92ad7ce3d3f +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml +@@ -0,0 +1,35 @@ ++{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}} ++ ++ ++ {{{ oval_metadata("Limit the Message Authentication Codes (Ciphers) to those which are FIPS-approved.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{{ PATH }}} ++ ^.*(-oCiphers=\S+).*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ -oCiphers= ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml +new file mode 100644 +index 00000000000..877c6f38db0 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml +@@ -0,0 +1,62 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure SSH Daemon to Use FIPS 140-2 Validated MACs: opensshserver.config' ++ ++description: |- ++ Crypto Policies provide a centralized control over crypto algorithms usage of many packages. ++ OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be ++ set up incorrectly. ++ ++ To check that Crypto Policies settings for ciphers are configured correctly, ensure that ++ /etc/crypto-policies/back-ends/opensshserver.config contains the following ++ text and is not commented out: ++
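Review bot: `existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE})` is spliced into the `sed` pattern unescaped, and `grep -Po` emits one line per match, so a file with more than one `-oCiphers=` occurrence (a commented copy is enough) yields a multi-line pattern and `sed` aborts with an unterminated `s` command, leaving the file unchanged. The read-back is unnecessary: `sed -i -r "s/-oCiphers=\S+/${correct_value}/g" ${CONF_FILE}` performs the same replacement directly, which is also how the `rhel8_stig_correct.pass.sh` scenario writes the file. The unquoted `grep -q ${correct_value} ${CONF_FILE}` passes a value beginning with `-` as an option string; a later commit in this series works around it by quoting, but `grep -q -- "${correct_value}" ${CONF_FILE}` is the direct guard.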
      -oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}
      ++ ++rationale: |- ++ Overriding the system crypto policy makes the behavior of the OpenSSH daemon ++ violate expectations, and makes system configuration more fragmented. By ++ specifying a cipher list with the order of ciphers being in a “strongest to ++ weakest” orientation, the system will automatically attempt to use the ++ strongest cipher for securing SSH connections. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-85871-2 ++ ++references: ++ nist: AC-17(2) ++ srg: SRG-OS-000250-GPOS-00093 ++ disa: CCI-001453 ++ stigid@rhel8: RHEL-08-010290 ++ ++ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly' ++ ++ocil: |- ++ To verify if the OpenSSH daemon uses defined MACs in the Crypto Policy, run: ++
      $ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
      ++ and verify that the line matches: ++
      -oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}
      ++ ++warnings: ++ - general: |- ++ The system needs to be rebooted for these changes to take effect. ++ - regulatory: |- ++ System Crypto Modules must be provided by a vendor that undergoes ++ FIPS-140 certifications. ++ FIPS-140 is applicable to all Federal agencies that use ++ cryptographic-based security systems to protect sensitive information ++ in computer and telecommunication systems (including voice systems) as ++ defined in Section 5131 of the Information Technology Management Reform ++ Act of 1996, Public Law 104-106. This standard shall be used in ++ designing and implementing cryptographic modules that Federal ++ departments and agencies operate or are operated for them under ++ contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}} ++ To meet this, the system has to have cryptographic software provided by ++ a vendor that has undergone this certification. This means providing ++ documentation, test results, design information, and independent third ++ party review by an accredited lab. While open source software is ++ capable of meeting this, it does not meet FIPS-140 unless the vendor ++ submits to this process. 
+diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh +new file mode 100644 +index 00000000000..1a8911d523c +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh +@@ -0,0 +1,17 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr ++configfile=/etc/crypto-policies/back-ends/opensshserver.config ++correct_value="-oCiphers=${sshd_approved_ciphers}" ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++# Proceed when file exists ++if [[ -f $configfile ]]; then ++ sed -i -r "s/-oCiphers=\S+/${correct_value}/" $configfile ++else ++ echo "${correct_value}" > "$configfile" ++fi +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh +new file mode 100644 +index 00000000000..3dde1479296 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++configfile=/etc/crypto-policies/back-ends/opensshserver.config ++ ++echo "" > "$configfile" +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh 
b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh +new file mode 100644 +index 00000000000..f97f54db502 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh +@@ -0,0 +1,14 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++configfile=/etc/crypto-policies/back-ends/opensshserver.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++if [[ -f $configfile ]]; then ++ sed -i -r "s/-oCiphers=\S+/-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc/" $configfile ++else ++ echo "-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc" > "$configfile" ++fi +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh +new file mode 100644 +index 00000000000..11e596ced87 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++configfile=/etc/crypto-policies/back-ends/opensshserver.config ++ ++# Ensure directory + file is there ++test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends ++ ++# If file exists, remove it ++test -f $configfile && rm -f $configfile +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 
28b47cca487..a3783efafd6 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -50,7 +50,11 @@ selections: + - var_password_pam_retry=3 + - var_password_pam_minlen=15 + - var_sshd_set_keepalive=0 ++<<<<<<< HEAD + - sshd_approved_macs=stig ++======= ++ - sshd_approved_ciphers=stig ++>>>>>>> 4d62df6b2 (New rules for RHEL-08-010291) + - sshd_idle_timeout_value=10_minutes + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 +@@ -185,6 +189,8 @@ selections: + - harden_sshd_macs_opensshserver_conf_crypto_policy + + # RHEL-08-010291 ++ - harden_sshd_ciphers_openssh_conf_crypto_policy ++ - harden_sshd_ciphers_opensshserver_conf_crypto_policy + + # RHEL-08-010292 + - sshd_use_strong_rng +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 393051a34ea..05335cc38fb 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -147,6 +147,8 @@ selections: + - grub2_vsyscall_argument + - harden_sshd_macs_openssh_conf_crypto_policy + - harden_sshd_macs_opensshserver_conf_crypto_policy ++- harden_sshd_ciphers_openssh_conf_crypto_policy ++- harden_sshd_ciphers_opensshserver_conf_crypto_policy + - install_smartcard_packages + - installed_OS_is_vendor_supported + - kerberos_disable_no_keytab +@@ -328,6 +330,7 @@ selections: + - var_password_pam_retry=3 + - var_sshd_set_keepalive=0 + - sshd_approved_macs=stig ++- sshd_approved_ciphers=stig + - sshd_idle_timeout_value=10_minutes + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index de82fb34518..a0adc835a0d 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -158,6 
+158,8 @@ selections: + - grub2_vsyscall_argument + - harden_sshd_macs_openssh_conf_crypto_policy + - harden_sshd_macs_opensshserver_conf_crypto_policy ++- harden_sshd_ciphers_openssh_conf_crypto_policy ++- harden_sshd_ciphers_opensshserver_conf_crypto_policy + - install_smartcard_packages + - installed_OS_is_vendor_supported + - kerberos_disable_no_keytab +@@ -338,6 +340,7 @@ selections: + - var_password_pam_retry=3 + - var_sshd_set_keepalive=0 + - sshd_approved_macs=stig ++- sshd_approved_ciphers=stig + - sshd_idle_timeout_value=10_minutes + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 + +From c943e715615de1aa957d62d239e532f86ef0959e Mon Sep 17 00:00:00 2001 +From: Carlos Matos +Date: Tue, 29 Jun 2021 14:04:49 -0400 +Subject: [PATCH 2/5] replaced MACs with Ciphers + +--- + .../ansible/shared.yml | 2 +- + .../oval/shared.xml | 2 +- + .../oval/shared.xml | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml +index badb5896cf2..956a19f3025 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml +@@ -6,7 +6,7 @@ + {{{ ansible_instantiate_variables("sshd_approved_ciphers") }}} + + {{{ ansible_set_config_file( +- msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config', ++ msg='Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config', + file='/etc/crypto-policies/back-ends/openssh.config', + parameter='Ciphers', + value="{{ sshd_approved_ciphers }}", +diff --git 
a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml +index 1879e77398b..9b3b4f1995d 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml +@@ -1,7 +1,7 @@ + {{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}} + + +- {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}} ++ {{{ oval_metadata("Limit the Ciphers to those which are FIPS-approved.") }}} + + + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml +index 92ad7ce3d3f..3afbc1619a4 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml +@@ -1,7 +1,7 @@ + {{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}} + + +- {{{ oval_metadata("Limit the Message Authentication Codes (Ciphers) to those which are FIPS-approved.") }}} ++ {{{ oval_metadata("Limit the Ciphers to those which are FIPS-approved.") }}} + + + + +From 26383895dfffc5e643295301c052ccd3d77cb906 Mon Sep 17 00:00:00 2001 +From: Carlos Matos +Date: Mon, 19 Jul 2021 09:33:38 -0400 +Subject: [PATCH 3/5] Fixed issue with oval not checking for commented out + line, and updated remediations + +--- + .../rule.yml | 8 ++++---- + .../ansible/shared.yml | 2 +- + .../bash/shared.sh | 10 ++++++++-- + .../oval/shared.xml | 2 +- + 
.../rule.yml | 6 +++--- + 5 files changed, 17 insertions(+), 11 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml +index cd1553dbdb3..d626ec6e260 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + prodtype: fedora,rhel8 + +-title: 'Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config' ++title: 'Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config' + + description: |- + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +@@ -15,7 +15,7 @@ description: |- +
      Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}
      + + rationale: |- +- Overriding the system crypto policy makes the behavior of the OpenSSH daemon ++ Overriding the system crypto policy makes the behavior of the OpenSSH client + violate expectations, and makes system configuration more fragmented. By + specifying a cipher list with the order of ciphers being in a “strongest to + weakest” orientation, the system will automatically attempt to use the +@@ -32,10 +32,10 @@ references: + disa: CCI-001453 + stigid@rhel8: RHEL-08-010291 + +-ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly' ++ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly' + + ocil: |- +- To verify if the OpenSSH daemon uses defined Cipher suite in the Crypto Policy, run: ++ To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run: +
      $ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
      + and verify that the line matches: +
      Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}
+diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
+index 7532ba51639..3e637f37e69 100644
+--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
+@@ -19,7 +19,7 @@
+ - name: "{{{ rule_title }}}: Create"
+ lineinfile:
+ path: "{{ path }}"
+- line: "{{ correct_value }}"
++ line: "CRYPTO_POLICY='{{ correct_value }}'"
+ create: yes
+ when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
+ 
+diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
+index 1bc022f93b6..eaa4463caad 100644
+--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
+@@ -5,7 +5,13 @@
+ CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+ correct_value="-oCiphers=${sshd_approved_ciphers}"
+ 
+-grep -q ${correct_value} ${CONF_FILE}
++# Test if file exists
++test -f ${CONF_FILE} || touch ${CONF_FILE}
++
++# Ensure CRYPTO_POLICY is not commented out
++sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
++
++grep -q "'${correct_value}'" ${CONF_FILE}
+ 
+ if [[ $? -ne 0 ]]; then
+ # We need to get the existing value, using PCRE to maintain same regex
+@@ -20,6 +26,6 @@ if [[ $? -ne 0 ]]; then
+ # unintentionally.
+ # ********** #
+ # echo correct_value to end
+- echo ${correct_value} >> ${CONF_FILE}
++ echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
+ fi
+ fi
+diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
+index 3afbc1619a4..53919eaae7f 100644
+--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
+@@ -16,7 +16,7 @@
+ 
+ 
+ {{{ PATH }}}
+- ^.*(-oCiphers=\S+).*$
++ ^(?!#).*(-oCiphers=\S+).*$
+ 1
+ 
+ 
+diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
+index 877c6f38db0..0aac8e2038d 100644
+--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
+@@ -2,7 +2,7 @@ documentation_complete: true
+ 
+ prodtype: rhel8
+ 
+-title: 'Configure SSH Daemon to Use FIPS 140-2 Validated MACs: opensshserver.config'
++title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
+ 
+ description: |-
+ Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
+@@ -15,7 +15,7 @@ description: |-
+
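Review bot: `grep -q "'${correct_value}'" ${CONF_FILE}` only succeeds when the cipher list is immediately followed by the closing quote, so a policy line that carries further `-o` options after `-oCiphers=` never passes the idempotency check and the replacement branch below runs on every invocation even when the value is already correct; `grep -qE -- "${correct_value}([[:space:]']|$)" ${CONF_FILE}` accepts a following option, the closing quote, or end of line. The uncomment step `sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}` is unanchored and also rewrites the text of an ordinary comment that mentions the variable; `sed -i 's/^#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}` limits it to a commented-out assignment. The `if` block whose head is shown here continues outside the hunk.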
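Review bot: The fallback `echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}` appends a second assignment that carries only the cipher option; if the consumer of this file takes the last assignment (usual environment-file semantics, to be confirmed for sshd), any MACs, KEX or host-key restrictions on an existing `CRYPTO_POLICY=` line are silently discarded, which weakens the policy rather than tightening it. When a `CRYPTO_POLICY='` line exists but lacks `-oCiphers=`, the option should be inserted inside that line's quotes, e.g. `sed -i "s/^CRYPTO_POLICY='/CRYPTO_POLICY='${correct_value} /" ${CONF_FILE}`, with the append reserved for a file that has no assignment at all. The enclosing `if` starts outside the hunk.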
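Review bot: `\S+` in `^(?!#).*(-oCiphers=\S+).*$` also swallows a closing `'` when the cipher list is the last item inside the quotes, which is exactly the line the bash fallback (`CRYPTO_POLICY='${correct_value}'`) and the Ansible `Create` task in this series write; the captured value then ends in `'` and presumably fails the comparison against the variable, so a host remediated by that path would keep failing the check. `^(?!\s*#).*(-oCiphers=[^\s']+).*$` stops the capture at the quote and also treats an indented `#` as a comment, which the current `(?!#)` only does at column 0. The `rhel8_stig_correct.pass.sh` scenario writes a bare `-oCiphers=` line without the `CRYPTO_POLICY='…'` wrapper, so the test suite does not exercise the remediation's own output format.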
      -oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}
      + + rationale: |- +- Overriding the system crypto policy makes the behavior of the OpenSSH daemon ++ Overriding the system crypto policy makes the behavior of the OpenSSH server + violate expectations, and makes system configuration more fragmented. By + specifying a cipher list with the order of ciphers being in a “strongest to + weakest” orientation, the system will automatically attempt to use the +@@ -35,7 +35,7 @@ references: + ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly' + + ocil: |- +- To verify if the OpenSSH daemon uses defined MACs in the Crypto Policy, run: ++ To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run: +
      $ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
      + and verify that the line matches: +
      -oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}
      + +From 7967125f58de7e6843002d674fab90c4429452f3 Mon Sep 17 00:00:00 2001 +From: Carlos Matos +Date: Mon, 19 Jul 2021 09:53:28 -0400 +Subject: [PATCH 4/5] Replace MACs verbiage with ciphers + +--- + .../rule.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml +index 0aac8e2038d..81ee763831d 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + prodtype: rhel8 + +-title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config' ++title: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config' + + description: |- + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +@@ -35,7 +35,7 @@ references: + ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly' + + ocil: |- +- To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run: ++ To verify if the OpenSSH server uses defined ciphers in the Crypto Policy, run: +
      $ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
      + and verify that the line matches: +
      -oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}
      + +From ab21f2d59db725f07b70e3e748ebc96c34e23b79 Mon Sep 17 00:00:00 2001 +From: Carlos Matos +Date: Tue, 20 Jul 2021 09:01:50 -0400 +Subject: [PATCH 5/5] Sorted refs, updated test scenario, fixed duplicate CCE + +--- + .../harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml | 4 ++-- + .../stig_incorrect_followed_by_correct_commented.fail.sh | 2 +- + .../rule.yml | 4 ++-- + products/rhel8/profiles/stig.profile | 3 --- + shared/references/cce-redhat-avail.txt | 2 -- + tests/data/profile_stability/rhel8/stig.profile | 4 ++-- + tests/data/profile_stability/rhel8/stig_gui.profile | 4 ++-- + 7 files changed, 9 insertions(+), 14 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml +index d626ec6e260..0aa310d9245 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml +@@ -24,12 +24,12 @@ rationale: |- + severity: medium + + identifiers: +- cce@rhel8: CCE-85870-4 ++ cce@rhel8: CCE-85902-5 + + references: ++ disa: CCI-001453 + nist: AC-17(2) + srg: SRG-OS-000250-GPOS-00093 +- disa: CCI-001453 + stigid@rhel8: RHEL-08-010291 + + ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly' +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh +index 195f5e8d8ed..6ad1f4fd0f3 100644 +--- 
a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh +@@ -16,4 +16,4 @@ else + fi + + # follow up with correct value +-echo "Ciphers ${sshd_approved_ciphers}" >> $configfile ++echo "#Ciphers ${sshd_approved_ciphers}" >> $configfile +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml +index 81ee763831d..b56f2421f22 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml +@@ -24,12 +24,12 @@ rationale: |- + severity: medium + + identifiers: +- cce@rhel8: CCE-85871-2 ++ cce@rhel8: CCE-85897-7 + + references: ++ disa: CCI-001453 + nist: AC-17(2) + srg: SRG-OS-000250-GPOS-00093 +- disa: CCI-001453 + stigid@rhel8: RHEL-08-010290 + + ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly' +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index a3783efafd6..7270a8f91f2 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -50,11 +50,8 @@ selections: + - var_password_pam_retry=3 + - var_password_pam_minlen=15 + - var_sshd_set_keepalive=0 +-<<<<<<< HEAD + - sshd_approved_macs=stig +-======= + - sshd_approved_ciphers=stig +->>>>>>> 4d62df6b2 (New rules for RHEL-08-010291) + - sshd_idle_timeout_value=10_minutes + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 +diff --git 
a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 036d34cea1d..665f903ead4 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -33,11 +33,9 @@ CCE-85892-8 + CCE-85893-6 + CCE-85895-1 + CCE-85896-9 +-CCE-85897-7 + CCE-85898-5 + CCE-85900-9 + CCE-85901-7 +-CCE-85902-5 + CCE-85903-3 + CCE-85904-1 + CCE-85905-8 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 05335cc38fb..7d59cfff625 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -145,10 +145,10 @@ selections: + - grub2_uefi_admin_username + - grub2_uefi_password + - grub2_vsyscall_argument +-- harden_sshd_macs_openssh_conf_crypto_policy +-- harden_sshd_macs_opensshserver_conf_crypto_policy + - harden_sshd_ciphers_openssh_conf_crypto_policy + - harden_sshd_ciphers_opensshserver_conf_crypto_policy ++- harden_sshd_macs_openssh_conf_crypto_policy ++- harden_sshd_macs_opensshserver_conf_crypto_policy + - install_smartcard_packages + - installed_OS_is_vendor_supported + - kerberos_disable_no_keytab +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index a0adc835a0d..2c2daad6f6d 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -156,10 +156,10 @@ selections: + - grub2_uefi_admin_username + - grub2_uefi_password + - grub2_vsyscall_argument +-- harden_sshd_macs_openssh_conf_crypto_policy +-- harden_sshd_macs_opensshserver_conf_crypto_policy + - harden_sshd_ciphers_openssh_conf_crypto_policy + - harden_sshd_ciphers_opensshserver_conf_crypto_policy ++- harden_sshd_macs_openssh_conf_crypto_policy ++- harden_sshd_macs_opensshserver_conf_crypto_policy + - install_smartcard_packages + - installed_OS_is_vendor_supported + - kerberos_disable_no_keytab 
diff --git a/SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_010350-PR_7231.patch b/SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_010350-PR_7231.patch
new file mode 100644
index 0000000..1d46ab4
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_010350-PR_7231.patch
@@ -0,0 +1,546 @@ +From f7bb6fc32091ad9d10ec8253505086670eb135ba Mon Sep 17 00:00:00 2001 +From: Carlos Matos +Date: Mon, 12 Jul 2021 10:06:41 -0400 +Subject: [PATCH 1/4] Initial commit for RHEL-08-010350 STIG rule + +--- + .../ansible/shared.yml | 2 +- + .../bash/shared.sh | 2 +- + .../oval/shared.xml | 44 +++++++++++++------ + .../rule.yml | 26 ++++++----- + .../tests/correct_group.pass.sh | 2 +- + .../tests/incorrect_group.fail.sh | 8 +++- + products/rhel8/profiles/stig.profile | 1 + + shared/references/cce-redhat-avail.txt | 1 - + .../data/profile_stability/rhel8/stig.profile | 1 + + .../profile_stability/rhel8/stig_gui.profile | 1 + + 10 files changed, 57 insertions(+), 31 deletions(-) + +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml +index f90c8e26b15..e0bb6b0dc1a 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml +@@ -1,4 +1,4 @@ +-# platform = multi_platform_sle ++# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora + # reboot = false + # strategy = restrict + # complexity = high +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh +index fba25be6132..d5fb89487d5 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh ++++ 
b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = multi_platform_sle ++# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora + + find /lib \ + /lib64 \ +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml +index 00f733ddc78..e3d64a8390e 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml +@@ -1,27 +1,45 @@ + +- ++ + {{{ oval_metadata(" +- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64 +- are owned by root. ++ Checks that /lib, /lib64, /usr/lib, /usr/lib64, and ++ objects therein, are group-owned by root. + ") }}} +- +- ++ ++ ++ + + + +- +- ++ ++ + + +- +- +- ^\/lib(64)?|^\/usr\/lib(64)? 
++ ++ ++ ++ ++ ++ ++ ^\/lib(|64)?\/|^\/usr\/lib(|64)?\/ ++ ++ state_group_ownership_libraries_not_root ++ group_dir_perms_state_symlink ++ ++ ++ ++ ++ ^\/lib(|64)?\/|^\/usr\/lib(|64)?\/ + ^.*$ +- group_permissions_for_system_wide_files_are_not_root ++ state_group_ownership_libraries_not_root ++ group_dir_perms_state_symlink + + +- ++ + 0 + ++ ++ ++ symbolic link ++ ++ + +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml +index ff905dd08d..83371b8b9b 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: sle12,sle15 ++prodtype: sle12,sle15,rhel8,fedora + + title: |- + Verify the system-wide library files in directories +@@ -17,18 +17,18 @@ description: |- + All system-wide shared library files should be protected from unauthorised + access. If any of these files is not owned by root, correct its owner with + the following command: +-
      $ sudo chgrp root DIR
      ++
      $ sudo chgrp root FILE
      + + rationale: |- +- If the operating system were to allow any user to make changes to software libraries, +- then those changes might be implemented without undergoing the appropriate testing and +- approvals that are part of a robust change management process. ++ If the operating system were to allow any user to make changes to software libraries, ++ then those changes might be implemented without undergoing the appropriate testing and ++ approvals that are part of a robust change management process. + +- This requirement applies to operating systems with software libraries that are +- accessible and configurable, as in the case of interpreted languages. Software libraries +- also include privileged programs which execute with escalated privileges. Only qualified +- and authorized individuals must be allowed to obtain access to information system components +- for purposes of initiating changes, including upgrades and modifications. ++ This requirement applies to operating systems with software libraries that are ++ accessible and configurable, as in the case of interpreted languages. Software libraries ++ also include privileged programs which execute with escalated privileges. Only qualified ++ and authorized individuals must be allowed to obtain access to information system components ++ for purposes of initiating changes, including upgrades and modifications. 
+ + severity: medium + +@@ -45,7 +45,7 @@ references: + stigid@sle12: SLES-12-010875 + stigid@sle15: SLES-15-010355 + +-ocil_clause: 'any system wide library directory is returned' ++ocil_clause: 'system wide library files are not group owned by root' + + ocil: |- + System-wide library files are stored in the following directories: +@@ -54,6 +54,6 @@ ocil: |- + /usr/lib + /usr/lib64 + +- To find if system-wide library files stored in these directories are group-owned by ++ To find if system-wide library files stored in these directories are not group-owned by + root run the following command for each directory DIR: +
      $ sudo find -L DIR ! -group root -type f 
      +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh +index 7a8e65b4f3a..8722c2add65 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh +@@ -4,6 +4,6 @@ for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64 + do + if [[ -d $SYSLIBDIRS ]] + then +- find $SYSLIBDIRS ! -group root -type f -exec chgrp root '{}' \; ++ find $SYSLIBDIRS ! -group root -exec chgrp root '{}' \; + fi + done +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh +index a4b99a9da14..1079046d14e 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh +@@ -1,6 +1,10 @@ + #!/bin/bash +- +-for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me ++ ++# There is a high probability that there will be nested subdirectories within the ++# shared system library directories, therefore we should test to make sure we ++# cover this. 
- cmm ++test -d /usr/lib/test_dir || mkdir -p /usr/lib/test_dir && chown nobody.nobody /usr/lib/test_dir ++for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me /usr/lib/test_dir/test_me + do + if [[ ! -f $TESTFILE ]] + then +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 2508008d511..9569b2ad629 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -207,6 +207,7 @@ selections: + - file_ownership_library_dirs + + # RHEL-08-010350 ++ - root_permissions_syslibrary_files + + # RHEL-08-010360 + - package_aide_installed +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index f139d2ed76f..e0eb5ac045c 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -662,7 +662,6 @@ CCE-86518-8 + CCE-86520-4 + CCE-86521-2 + CCE-86522-0 +-CCE-86523-8 + CCE-86524-6 + CCE-86525-3 + CCE-86526-1 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 765487c6f16..ebe7a91f45d 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -221,6 +221,7 @@ selections: + - postfix_client_configure_mail_alias + - require_emergency_target_auth + - require_singleuser_auth ++- root_permissions_syslibrary_files + - rsyslog_cron_logging + - rsyslog_remote_access_monitoring + - rsyslog_remote_loghost +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index 9fd80aac727..97f940dc9ed 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -232,6 +232,7 @@ selections: + - postfix_client_configure_mail_alias + - require_emergency_target_auth + - require_singleuser_auth ++- root_permissions_syslibrary_files + - rsyslog_cron_logging + - 
rsyslog_remote_access_monitoring + - rsyslog_remote_loghost + +From f16c085894e4dc7974637d44bf226d3acf19f3d1 Mon Sep 17 00:00:00 2001 +From: Carlos Matos +Date: Mon, 12 Jul 2021 16:17:23 -0400 +Subject: [PATCH 2/4] Updated existing rules for syslibrary files/dirs + +--- + .../ansible/shared.yml | 6 ++- + .../bash/shared.sh | 7 +++ + .../dir_group_ownership_library_dirs/rule.yml | 4 ++ + .../tests/all_dirs_ok.pass.sh | 3 +- + .../nobody_group_owned_dir_on_lib.fail.sh | 3 +- + .../ansible/shared.yml | 23 ++++++++-- + .../oval/shared.xml | 44 ++++++------------- + .../tests/correct_group.pass.sh | 4 +- + .../tests/incorrect_group.fail.sh | 8 +--- + products/rhel8/profiles/stig.profile | 1 + + shared/references/cce-redhat-avail.txt | 1 - + .../data/profile_stability/rhel8/stig.profile | 1 + + .../profile_stability/rhel8/stig_gui.profile | 1 + + 13 files changed, 59 insertions(+), 47 deletions(-) + create mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh + +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml +index 80562991ac5..f6f2ab48afd 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml +@@ -1,4 +1,4 @@ +-# platform = multi_platform_sle ++# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora + # reboot = false + # strategy = restrict + # complexity = medium +@@ -20,4 +20,6 @@ + state: "directory" + mode: "{{ item.mode }}" + with_items: "{{ library_dirs_not_group_owned_by_root.files }}" +- when: 
library_dirs_not_group_owned_by_root.matched > 0 ++ when: ++ - library_dirs_not_group_owned_by_root.matched > 0 ++ - item.gid != 0 +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh +new file mode 100644 +index 00000000000..365b9833188 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh +@@ -0,0 +1,7 @@ ++# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora ++ ++find /lib \ ++/lib64 \ ++/usr/lib \ ++/usr/lib64 \ ++\! -group root -type d -exec chgrp root '{}' \; +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml +index 4ff043270c8..cd02d95cb1c 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml +@@ -1,5 +1,7 @@ + documentation_complete: true + ++prodtype: sle12,sle15,rhel8,fedora ++ + title: 'Verify that Shared Library Directories Have Root Group Ownership' + + description: |- +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh +index 2a38e9a88bc..50fdb17bd2e 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh ++++ 
b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh +@@ -1,4 +1,5 @@ +-# platform = multi_platform_sle ++# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora ++ + DIRS="/lib /lib64 /usr/lib /usr/lib64" + for dirPath in $DIRS; do + find "$dirPath" -type d -exec chgrp root '{}' \; +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh +index f794d9e878f..277bd7d60de 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh +@@ -1,4 +1,5 @@ +-# platform = multi_platform_sle ++# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora ++ + DIRS="/lib /lib64" + for dirPath in $DIRS; do + mkdir -p "$dirPath/testme" && chown root:nogroup "$dirPath/testme" +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml +index e0bb6b0dc1a..ab3e85c4f7c 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml +@@ -4,7 +4,24 @@ + # complexity = high + # disruption = medium + +-- name: "Set ownership to root of 
system-wide library files" +- command: "find {{ item }} ! -group root -type f -exec chgrp root '{}' \\;" +- with_items: [ '/lib', '/lib64', '/usr/lib', '/usr/lib64' ] ++- name: "Read list libraries without root ownership" ++ find: ++ paths: ++ - "/usr/lib" ++ - "/usr/lib64" ++ - "/lib" ++ - "/lib64" ++ file_type: "file" ++ register: library_files_not_group_owned_by_root ++ ++- name: "Set group ownership of system library files to root" ++ file: ++ path: "{{ item.path }}" ++ group: "root" ++ state: "file" ++ mode: "{{ item.mode }}" ++ with_items: "{{ library_files_not_group_owned_by_root.files }}" ++ when: ++ - library_files_not_group_owned_by_root.matched > 0 ++ - item.gid != 0 + +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml +index e3d64a8390e..926ff70d1e4 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml +@@ -1,45 +1,27 @@ + +- ++ + {{{ oval_metadata(" +- Checks that /lib, /lib64, /usr/lib, /usr/lib64, and +- objects therein, are group-owned by root. ++ Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64 ++ are owned by root. 
+ ") }}} +- +- +- ++ ++ + + + +- +- ++ ++ + + +- +- +- +- +- +- +- ^\/lib(|64)?\/|^\/usr\/lib(|64)?\/ +- +- state_group_ownership_libraries_not_root +- group_dir_perms_state_symlink +- +- +- +- +- ^\/lib(|64)?\/|^\/usr\/lib(|64)?\/ ++ ++ ++ ^\/lib\/|^\/lib64\/|^\/usr\/lib\/|^\/usr\/lib64\/ + ^.*$ +- state_group_ownership_libraries_not_root +- group_dir_perms_state_symlink ++ group_permissions_for_system_wide_files_are_not_root + + +- ++ + 0 + +- +- +- symbolic link +- +- + +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh +index 8722c2add65..a4ae2854db1 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh +@@ -1,9 +1,9 @@ +-#!/bin/bash ++# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora + + for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64 + do + if [[ -d $SYSLIBDIRS ]] + then +- find $SYSLIBDIRS ! -group root -exec chgrp root '{}' \; ++ find $SYSLIBDIRS ! 
-group root -type f -exec chgrp root '{}' \; + fi + done +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh +index 1079046d14e..c96f65b989c 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh +@@ -1,10 +1,6 @@ +-#!/bin/bash ++# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora + +-# There is a high probability that there will be nested subdirectories within the +-# shared system library directories, therefore we should test to make sure we +-# cover this. - cmm +-test -d /usr/lib/test_dir || mkdir -p /usr/lib/test_dir && chown nobody.nobody /usr/lib/test_dir +-for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me /usr/lib/test_dir/test_me ++for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me + do + if [[ ! 
-f $TESTFILE ]] + then +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 9569b2ad629..059750f59d0 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -208,6 +208,7 @@ selections: + + # RHEL-08-010350 + - root_permissions_syslibrary_files ++ - dir_group_ownership_library_dirs + + # RHEL-08-010360 + - package_aide_installed +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index e0eb5ac045c..ae3375fd4d4 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -34,7 +34,6 @@ CCE-85890-2 + CCE-85891-0 + CCE-85892-8 + CCE-85893-6 +-CCE-85894-4 + CCE-85895-1 + CCE-85896-9 + CCE-85897-7 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index ebe7a91f45d..49cce4d81cc 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -99,6 +99,7 @@ selections: + - dconf_gnome_login_banner_text + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_enabled ++- dir_group_ownership_library_dirs + - dir_perms_world_writable_root_owned + - dir_perms_world_writable_sticky_bits + - directory_permissions_var_log_audit +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index 97f940dc9ed..943a57d3eb8 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -110,6 +110,7 @@ selections: + - dconf_gnome_login_banner_text + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_enabled ++- dir_group_ownership_library_dirs + - dir_perms_world_writable_root_owned + - dir_perms_world_writable_sticky_bits + - directory_permissions_var_log_audit + +From 71deac482753a13a9f98d6d7382b13e9031a2ce4 Mon Sep 17 00:00:00 2001 +From: 
Carlos Matos +Date: Tue, 13 Jul 2021 13:40:25 -0400 +Subject: [PATCH 3/4] Updated test for nobody_group_owned_dir rule + +--- + .../tests/nobody_group_owned_dir_on_lib.fail.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh +index 277bd7d60de..043ad6b2dee 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh +@@ -1,6 +1,6 @@ + # platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora + +-DIRS="/lib /lib64" ++DIRS="/lib /lib64 /usr/lib /usr/lib64" + for dirPath in $DIRS; do +- mkdir -p "$dirPath/testme" && chown root:nogroup "$dirPath/testme" ++ mkdir -p "$dirPath/testme" && chgrp nobody "$dirPath/testme" + done + +From 087359679e4f6794054b6772df6c84c4cd1fee94 Mon Sep 17 00:00:00 2001 +From: Carlos Matos +Date: Wed, 14 Jul 2021 10:04:25 -0400 +Subject: [PATCH 4/4] Added recommended $ to end of regex pattern to properly + match dirs + +--- + .../root_permissions_syslibrary_files/oval/shared.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml +index 926ff70d1e4..f5ca9380b55 100644 +--- 
a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml +@@ -16,7 +16,7 @@ + + +- ^\/lib\/|^\/lib64\/|^\/usr\/lib\/|^\/usr\/lib64\/ ++ ^\/lib(|64)?$|^\/usr\/lib(|64)?$ + ^.*$ + group_permissions_for_system_wide_files_are_not_root + diff --git a/SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_020270-PR_7276.patch b/SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_020270-PR_7276.patch new file mode 100644 index 0000000..eef1f38 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_020270-PR_7276.patch 
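Review bot: CCE-86523-8 (PATCH 1/4) and CCE-85894-4 (PATCH 2/4) are dropped from shared/references/cce-redhat-avail.txt, but none of the rule.yml hunks in this patch adds a matching `cce@rhel8:` line, and root_permissions_syslibrary_files also gets no `stigid@rhel8: RHEL-08-010350` reference even though it is selected under that STIG ID in products/rhel8/profiles/stig.profile. Presumably the two CCEs were meant for root_permissions_syslibrary_files and dir_group_ownership_library_dirs; add them under each rule's `identifiers:` together with the `stigid@rhel8` reference, or return them to the available list so they are not silently consumed. Separately, the new Ansible `find` task in root_permissions_syslibrary_files/ansible/shared.yml sets no `recurse`, and that module does not recurse by default, so files in subdirectories of the library paths never reach the `file` task, unlike the bash remediation's recursive `find … ! -group root -type f`; adding `recurse: yes` next to `file_type: "file"` closes that gap. The rule description and the restored OVAL metadata also still say the files must be "owned by root" and that `chgrp` corrects the "owner", while the check and both remediations act on group ownership; "group-owned by root" would describe what is actually enforced.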
@@ -0,0 +1,120 @@ +From eed29b1db9dd62d014842340abb8601570fe6655 Mon Sep 17 00:00:00 2001 +From: Carlos Matos +Date: Thu, 22 Jul 2021 14:26:49 -0400 +Subject: [PATCH] New rule for RHEL-08-020270 + +--- + .../account_emergency_expire_date/rule.yml | 52 +++++++++++++++++++ + products/rhel8/profiles/stig.profile | 1 + + shared/references/cce-redhat-avail.txt | 1 - + .../data/profile_stability/rhel8/stig.profile | 1 + + .../profile_stability/rhel8/stig_gui.profile | 1 + + 5 files changed, 55 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml +new file mode 100644 +index 0000000000..a47c7f39bc +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml +@@ -0,0 +1,52 @@ ++documentation_complete: true ++ ++prodtype: fedora,rhel8 ++ ++title: 'Assign Expiration Date to Emergency Accounts' ++ ++description: |- ++ Emergency accounts are privileged accounts established in response to ++ crisis situations where the need for rapid account activation is required. ++ In the event emergency accounts are required, configure the system to ++ terminate them after a documented time period. For every emergency account, ++ run the following command to set an expiration date on it, substituting ++ ACCOUNT_NAME and YYYY-MM-DD ++ appropriately: ++
      $ sudo chage -E YYYY-MM-DD ACCOUNT_NAME
      ++ YYYY-MM-DD indicates the documented expiration date for the ++ account. For U.S. Government systems, the operating system must be ++ configured to automatically terminate these types of accounts after a ++ period of 72 hours. ++ ++rationale: |- ++ If emergency user accounts remain active when no longer needed or for ++ an excessive period, these accounts may be used to gain unauthorized access. ++ To mitigate this risk, automated termination of all emergency accounts ++ must be set upon account creation. ++
      ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-85910-8 ++ ++references: ++ cis-csc: 1,12,13,14,15,16,18,3,5,7,8 ++ cobit5: DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS06.03 ++ disa: CCI-000016,CCI-001682 ++ isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4 ++ isa-62443-2013: 'SR 1.1,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 6.2' ++ iso27001-2013: A.12.4.1,A.12.4.3,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 ++ nist: AC-2(2),AC-2(3),CM-6(a) ++ nist-csf: DE.CM-1,DE.CM-3,PR.AC-1,PR.AC-4,PR.AC-6 ++ srg: SRG-OS-000123-GPOS-00064,SRG-OS-000002-GPOS-00002 ++ stigid@rhel8: RHEL-08-020270 ++ vmmsrg: SRG-OS-000002-VMM-000020,SRG-OS-000123-VMM-000620 ++ ++ocil_clause: 'any emergency accounts have no expiration date set or do not expire within a documented time frame' ++ ++ocil: |- ++ For every emergency account, run the following command ++ to obtain its account aging and expiration information: ++
      $ sudo chage -l ACCOUNT_NAME
      ++ Verify each of these accounts has an expiration date set as documented. +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 7270a8f91f..c4b9d02af5 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -558,6 +558,7 @@ selections: + - account_disable_post_pw_expiration + + # RHEL-08-020270 ++ - account_emergency_expire_date + + # RHEL-08-020280 + - accounts_password_pam_ocredit +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 665f903ead..f500179292 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -43,7 +43,6 @@ CCE-85906-6 + CCE-85907-4 + CCE-85908-2 + CCE-85909-0 +-CCE-85910-8 + CCE-85911-6 + CCE-85912-4 + CCE-85913-2 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 7d59cfff62..72e205b695 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -24,6 +24,7 @@ documentation_complete: true + reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux + selections: + - account_disable_post_pw_expiration ++- account_emergency_expire_date + - account_temp_expire_date + - accounts_have_homedir_login_defs + - accounts_logon_fail_delay +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index 2c2daad6f6..cc21621617 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -35,6 +35,7 @@ documentation_complete: true + reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux + selections: + - account_disable_post_pw_expiration ++- account_emergency_expire_date + - account_temp_expire_date + - 
accounts_have_homedir_login_defs
+ - accounts_logon_fail_delay
diff --git a/SOURCES/scap-security-guide-0.1.58-rhel_modular_cis-PR_6976.patch b/SOURCES/scap-security-guide-0.1.58-rhel_modular_cis-PR_6976.patch
new file mode 100644
index 0000000..4bd97db
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-rhel_modular_cis-PR_6976.patch
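Review bot: The new account_emergency_expire_date rule ships only a rule.yml (the diffstat creates no oval/ or remediation content), so every profile that selects it will report the rule as not checked rather than pass or fail, and nothing in the rule tells the reader that. Since the scanner cannot know which accounts are "emergency" accounts, a `warnings:` entry stating that the rule is satisfied by manual review only would stop assessors from reading the result as a content gap. The OCIL could also say what to compare: the "Account expires" line of the `chage -l` output must fall within the documented period, which the description fixes at 72 hours for U.S. Government systems, rather than only "set as documented".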
@@ -0,0 +1,5348 @@
+From 7f366ca6916df9dd3cc3b50e3118adad77bcc04c Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Tue, 29 Jun 2021 14:37:28 +0100
+Subject: [PATCH 01/55] Split RHEL 8 CIS profile into modular files
+ per-benchmark
+
+---
+ products/rhel8/profiles/cis.profile | 1080 +----------------
+ products/rhel8/profiles/cis_server_l1.profile | 22 +
+ .../rhel8/profiles/cis_workstation_l1.profile | 22 +
+ .../rhel8/profiles/cis_workstation_l2.profile | 22 +
+ 4 files changed, 72 insertions(+), 1074 deletions(-)
+ create mode 100644 products/rhel8/profiles/cis_server_l1.profile
+ create mode 100644 products/rhel8/profiles/cis_workstation_l1.profile
+ create mode 100644 products/rhel8/profiles/cis_workstation_l2.profile
+
+diff --git a/products/rhel8/profiles/cis.profile b/products/rhel8/profiles/cis.profile
+index c22ae86d076..4a00c24e0f7 100644
+--- a/products/rhel8/profiles/cis.profile
++++ b/products/rhel8/profiles/cis.profile
+@@ -1,1090 +1,22 @@
+ documentation_complete: true
+
+ metadata:
+- version: 1.0.0
++ version: 1.0.1
+ SMEs:
+ - vojtapolasek
+ - yuumasato
+
+ reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+-title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
++title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server'
+
+ description: |-
+- This profile defines a baseline that aligns to the Center for Internet Security®
+- Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
++ This profile defines a baseline that aligns to the "Level 2 - Server"
++ configuration from the Center for Internet Security® Red Hat Enterprise
++ Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
+
+ This profile includes Center for Internet Security®
+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
+
+ selections:
+- # Necessary for dconf rules
+- - dconf_db_up_to_date
+-
+- ### Partitioning
+- - mount_option_home_nodev
+-
+- ## 1.1 Filesystem Configuration
+-
+- ### 1.1.1 Disable unused filesystems
+-
+- #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored)
+- - kernel_module_cramfs_disabled
+-
+- #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored)
+-
+-
+- #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)
+- - kernel_module_squashfs_disabled
+-
+- #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored)
+- - kernel_module_udf_disabled
+-
+- ### 1.1.2 Ensure /tmp is configured (Scored)
+- - partition_for_tmp
+-
+- ### 1.1.3 Ensure nodev option set on /tmp partition (Scored)
+- - mount_option_tmp_nodev
+-
+- ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored)
+- - mount_option_tmp_nosuid
+-
+- ### 1.1.5 Ensure noexec option set on /tmp partition (Scored)
+- - mount_option_tmp_noexec
+-
+- ### 1.1.6 Ensure separate partition exists for /var (Scored)
+- - partition_for_var
+-
+- ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
+- - partition_for_var_tmp
+-
+- ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
+- - mount_option_var_tmp_nodev
+-
+- ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
+- - mount_option_var_tmp_nosuid
+-
+- ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
+- - mount_option_var_tmp_noexec
+-
+- ### 1.1.11 Ensure separate partition exists for /var/log (Scored)
+- - partition_for_var_log
+-
+- ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
+- - partition_for_var_log_audit
+-
+- ### 1.1.13 Ensure separate partition exists for /home (Scored)
+- - partition_for_home
+-
+- ### 1.1.14 Ensure nodev option set on /home partition (Scored)
+- - mount_option_home_nodev
+-
+- ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
+- - mount_option_dev_shm_nodev
+-
+- ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored)
+- - mount_option_dev_shm_nosuid
+-
+- ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored)
+- - mount_option_dev_shm_noexec
+-
+- ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored)
+- - mount_option_nodev_removable_partitions
+-
+- ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
+- - mount_option_nosuid_removable_partitions
+-
+- ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored)
+- - mount_option_noexec_removable_partitions
+-
+- ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
+- - dir_perms_world_writable_sticky_bits
+-
+- ### 1.1.22 Disable Automounting (Scored)
+- - service_autofs_disabled
+-
+- ### 1.1.23 Disable USB Storage (Scored)
+- - kernel_module_usb-storage_disabled
+-
+- ## 1.2 Configure Software Updates
+-
+- ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5218
+-
+- ### 1.2.2 Disable the rhnsd Daemon (Not Scored)
+- - service_rhnsd_disabled
+-
+- ### 1.2.3 Ensure GPG keys are configured (Not Scored)
+- - ensure_redhat_gpgkey_installed
+-
+- ### 1.2.4 Ensure gpgcheck is globally activated (Scored)
+- - ensure_gpgcheck_globally_activated
+-
+- ### 1.2.5 Ensure package manager repositories are configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219
+-
+- ## 1.3 Configure sudo
+-
+- ### 1.3.1 Ensure sudo is installed (Scored)
+- - package_sudo_installed
+-
+- ### 1.3.2 Ensure sudo commands use pty (Scored)
+- - sudo_add_use_pty
+-
+- ### 1.3.3 Ensure sudo log file exists (Scored)
+- - sudo_custom_logfile
+-
+- ## 1.4 Filesystem Integrity Checking
+-
+- ### 1.4.1 Ensure AIDE is installed (Scored)
+- - package_aide_installed
+-
+- ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored)
+- - aide_periodic_cron_checking
+-
+- ## Secure Boot Settings
+-
+- ### 1.5.1 Ensure permissions on bootloader config are configured (Scored)
+- #### chown root:root /boot/grub2/grub.cfg
+- - file_owner_grub2_cfg
+- - file_groupowner_grub2_cfg
+-
+- #### chmod og-rwx /boot/grub2/grub.cfg
+- - file_permissions_grub2_cfg
+-
+- #### chown root:root /boot/grub2/grubenv
+- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
+-
+- #### chmod og-rwx /boot/grub2/grubenv
+- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
+-
+- ### 1.5.2 Ensure bootloader password is set (Scored)
+- - grub2_password
+-
+- ### 1.5.3 Ensure authentication required for single user mode (Scored)
+- #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
+- - require_singleuser_auth
+-
+- #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
+- - require_emergency_target_auth
+-
+- ## 1.6 Additional Process Hardening
+-
+- ### 1.6.1 Ensure core dumps are restricted (Scored)
+- #### * hard core 0
+- - disable_users_coredumps
+-
+- #### fs.suid_dumpable = 0
+- - sysctl_fs_suid_dumpable
+-
+- #### ProcessSizeMax=0
+- - coredump_disable_backtraces
+-
+- #### Storage=none
+- - coredump_disable_storage
+-
+- ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled
+- - sysctl_kernel_randomize_va_space
+-
+- ## 1.7 Mandatory Access Control
+-
+- ### 1.7.1 Configure SELinux
+-
+- #### 1.7.1.1 Ensure SELinux is installed (Scored)
+- - package_libselinux_installed
+-
+- #### 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored)
+- - grub2_enable_selinux
+-
+- #### 1.7.1.3 Ensure SELinux policy is configured (Scored)
+- - var_selinux_policy_name=targeted
+- - selinux_policytype
+-
+- #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored)
+- - var_selinux_state=enforcing
+- - selinux_state
+-
+- #### 1.7.1.5 Ensure no unconfied services exist (Scored)
+- - selinux_confinement_of_daemons
+-
+- #### 1.7.1.6 Ensure SETroubleshoot is not installed (Scored)
+- - package_setroubleshoot_removed
+-
+- #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored)
+- - package_mcstrans_removed
+-
+- ## Warning Banners
+-
+- ### 1.8.1 Command Line Warning Baners
+-
+- #### 1.8.1.1 Ensure message of the day is configured properly (Scored)
+- - banner_etc_motd
+-
+- #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
+- - banner_etc_issue
+-
+- #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225
+-
+- #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
+- # chmod u-x,go-wx /etc/motd
+- - file_permissions_etc_motd
+-
+- #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
+- # chmod u-x,go-wx /etc/issue
+- - file_permissions_etc_issue
+-
+- #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
+- # Previously addressed via 'rpm_verify_permissions' rule
+-
+- ### 1.8.2 Ensure GDM login banner is configured (Scored)
+- #### banner-message-enable=true
+- - dconf_gnome_banner_enabled
+-
+- #### banner-message-text=''
+- - dconf_gnome_login_banner_text
+-
+- ## 1.9 Ensure updates, patches, and additional security software are installed (Scored)
+- - security_patches_up_to_date
+-
+- ## 1.10 Ensure system-wide crypto policy is not legacy (Scored)
+- - var_system_crypto_policy=future
+- - configure_crypto_policy
+-
+- ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored)
+- # Previously addressed via 'configure_crypto_policy' rule
+-
+- # Services
+-
+- ## 2.1 inetd Services
+-
+- ### 2.1.1 Ensure xinetd is not installed (Scored)
+- - package_xinetd_removed
+-
+- ## 2.2 Special Purpose Services
+-
+- ### 2.2.1 Time Synchronization
+-
+- #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
+- - package_chrony_installed
+-
+- #### 2.2.1.2 Ensure chrony is configured (Scored)
+- - service_chronyd_enabled
+- - chronyd_specify_remote_server
+- - chronyd_run_as_chrony_user
+-
+- ### 2.2.2 Ensure X Window System is not installed (Scored)
+- - package_xorg-x11-server-common_removed
+- - xwindows_runlevel_target
+-
+- ### 2.2.3 Ensure rsync service is not enabled (Scored)
+- - service_rsyncd_disabled
+-
+- ### 2.2.4 Ensure Avahi Server is not enabled (Scored)
+- - service_avahi-daemon_disabled
+-
+- ### 2.2.5 Ensure SNMP Server is not enabled (Scored)
+- - service_snmpd_disabled
+-
+- ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored)
+- - package_squid_removed
+-
+- ### 2.2.7 Ensure Samba is not enabled (Scored)
+- - service_smb_disabled
+-
+- ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored)
+- - service_dovecot_disabled
+-
+- ### 2.2.9 Ensure HTTP server is not enabled (Scored)
+- - service_httpd_disabled
+-
+- ### 2.2.10 Ensure FTP Server is not enabled (Scored)
+- - service_vsftpd_disabled
+-
+- ### 2.2.11 Ensure DNS Server is not enabled (Scored)
+- - service_named_disabled
+-
+- ### 2.2.12 Ensure NFS is not enabled (Scored)
+- - service_nfs_disabled
+-
+- ### 2.2.13 Ensure RPC is not enabled (Scored)
+- - service_rpcbind_disabled
+-
+- ### 2.2.14 Ensure LDAP service is not enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231
+-
+- ### 2.2.15 Ensure DHCP Server is not enabled (Scored)
+- - service_dhcpd_disabled
+-
+- ### 2.2.16 Ensure CUPS is not enabled (Scored)
+- - service_cups_disabled
+-
+- ### 2.2.17 Ensure NIS Server is not enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232
+-
+- ### 2.2.18 Ensure mail transfer agent is configured for
+- ### local-only mode (Scored)
+- - postfix_network_listening_disabled
+-
+- ## 2.3 Service Clients
+-
+- ### 2.3.1 Ensure NIS Client is not installed (Scored)
+- - package_ypbind_removed
+-
+- ### 2.3.2 Ensure telnet client is not installed (Scored)
+- - package_telnet_removed
+-
+- ### Ensure LDAP client is not installed
+- - package_openldap-clients_removed
+-
+- # 3 Network Configuration
+-
+- ## 3.1 Network Parameters (Host Only)
+-
+- ### 3.1.1 Ensure IP forwarding is disabled (Scored)
+- #### net.ipv4.ip_forward = 0
+- - sysctl_net_ipv4_ip_forward
+-
+- #### net.ipv6.conf.all.forwarding = 0
+- - sysctl_net_ipv6_conf_all_forwarding
+-
+- ### 3.1.2 Ensure packet redirect sending is disabled (Scored)
+- #### net.ipv4.conf.all.send_redirects = 0
+- - sysctl_net_ipv4_conf_all_send_redirects
+-
+- #### net.ipv4.conf.default.send_redirects = 0
+- - sysctl_net_ipv4_conf_default_send_redirects
+-
+- ## 3.2 Network Parameters (Host and Router)
+-
+- ### 3.2.1 Ensure source routed packets are not accepted (Scored)
+- #### net.ipv4.conf.all.accept_source_route = 0
+- - sysctl_net_ipv4_conf_all_accept_source_route
+-
+- #### net.ipv4.conf.default.accept_source_route = 0
+- - sysctl_net_ipv4_conf_default_accept_source_route
+-
+- #### net.ipv6.conf.all.accept_source_route = 0
+- - sysctl_net_ipv6_conf_all_accept_source_route
+-
+- #### net.ipv6.conf.default.accept_source_route = 0
+- - sysctl_net_ipv6_conf_default_accept_source_route
+-
+- ### 3.2.2 Ensure ICMP redirects are not accepted (Scored)
+- #### net.ipv4.conf.all.accept_redirects = 0
+- - sysctl_net_ipv4_conf_all_accept_redirects
+-
+- #### net.ipv4.conf.default.accept_redirects
+- - sysctl_net_ipv4_conf_default_accept_redirects
+-
+- #### net.ipv6.conf.all.accept_redirects = 0
+- - sysctl_net_ipv6_conf_all_accept_redirects
+-
+- #### net.ipv6.conf.defaults.accept_redirects = 0
+- - sysctl_net_ipv6_conf_default_accept_redirects
+-
+- ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
+- #### net.ipv4.conf.all.secure_redirects = 0
+- - sysctl_net_ipv4_conf_all_secure_redirects
+-
+- #### net.ipv4.cof.default.secure_redirects = 0
+- - sysctl_net_ipv4_conf_default_secure_redirects
+-
+- ### 3.2.4 Ensure suspicious packets are logged (Scored)
+- #### net.ipv4.conf.all.log_martians = 1
+- - sysctl_net_ipv4_conf_all_log_martians
+-
+- #### net.ipv4.conf.default.log_martians = 1
+- - sysctl_net_ipv4_conf_default_log_martians
+-
+- ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
+- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+-
+- ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
+- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+-
+- ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
+- #### net.ipv4.conf.all.rp_filter = 1
+- - sysctl_net_ipv4_conf_all_rp_filter
+-
+- #### net.ipv4.conf.default.rp_filter = 1
+- - sysctl_net_ipv4_conf_default_rp_filter
+-
+- ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
+- - sysctl_net_ipv4_tcp_syncookies
+-
+- ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
+- #### net.ipv6.conf.all.accept_ra = 0
+- - sysctl_net_ipv6_conf_all_accept_ra
+-
+- #### net.ipv6.conf.default.accept_ra = 0
+- - sysctl_net_ipv6_conf_default_accept_ra
+-
+- ## 3.3 Uncommon Network Protocols
+-
+- ### 3.3.1 Ensure DCCP is disabled (Scored)
+- - kernel_module_dccp_disabled
+-
+- ### Ensure SCTP is disabled (Scored)
+- - kernel_module_sctp_disabled
+-
+- ### 3.3.3 Ensure RDS is disabled (Scored)
+- - kernel_module_rds_disabled
+-
+- ### 3.3.4 Ensure TIPC is disabled (Scored)
+- - kernel_module_tipc_disabled
+-
+- ## 3.4 Firewall Configuration
+-
+- ### 3.4.1 Ensure Firewall software is installed
+-
+- #### 3.4.1.1 Ensure a Firewall package is installed (Scored)
+- ##### firewalld
+- - package_firewalld_installed
+-
+- ##### nftables
+- #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237
+-
+- ##### iptables
+- #- package_iptables_installed
+-
+- ### 3.4.2 Configure firewalld
+-
+- #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored)
+- - service_firewalld_enabled
+-
+- #### 3.4.2.2 Ensure iptables is not enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238
+-
+- #### 3.4.2.3 Ensure nftables is not enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239
+-
+- #### 3.4.2.4 Ensure default zone is set (Scored)
+- - set_firewalld_default_zone
+-
+- #### 3.4.2.5 Ensure network interfaces are assigned to
+- #### appropriate zone (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240
+-
+- #### 3.4.2.6 Ensure unnecessary services and ports are not
+- #### accepted (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241
+-
+- ### 3.4.3 Configure nftables
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242
+-
+- #### 3.4.3.1 Ensure iptables are flushed (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243
+-
+- #### 3.4.3.2 Ensure a table exists (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244
+-
+- #### 3.4.3.3 Ensure base chains exist (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5245
+-
+- #### 3.4.3.4 Ensure loopback traffic is configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246
+-
+- #### 3.4.3.5 Ensure outbound and established connections are
+- #### configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247
+-
+- #### 3.4.3.6 Ensure default deny firewall policy (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248
+-
+- #### 3.4.3.7 Ensure nftables service is enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249
+-
+- #### 3.4.3.8 Ensure nftables rules are permanent (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250
+-
+- ### 3.4.4 Configure iptables
+-
+- #### 3.4.4.1 Configure IPv4 iptables
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5251
+-
+- ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5252
+-
+- ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253
+-
+- ##### 3.4.4.1.3 Ensure outbound and established connections are
+- ##### configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254
+-
+- ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255
+-
+- #### 3.4.4.2 Configure IPv6 ip6tables
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256
+-
+- ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257
+-
+- ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258
+-
+- ##### 3.4.4.2.3 Ensure IPv6 outbound and established connections are
+- ##### configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260
+-
+- ## 3.5 Ensure wireless interfaces are disabled (Scored)
+- - wireless_disable_interfaces
+-
+- ## 3.6 Disable IPv6 (Not Scored)
+- - kernel_module_ipv6_option_disabled
+-
+- # Logging and Auditing
+-
+- ## 4.1 Configure System Accounting (auditd)
+-
+- ### 4.1.1 Ensure auditing is enabled
+-
+- #### 4.1.1.1 Ensure auditd is installed (Scored)
+- - package_audit_installed
+-
+- #### 4.1.1.2 Ensure auditd service is enabled (Scored)
+- - service_auditd_enabled
+-
+- #### 4.1.1.3 Ensure auditing for processes that start prior to audit
+- #### is enabled (Scored)
+- - grub2_audit_argument
+-
+- #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
+- - grub2_audit_backlog_limit_argument
+-
+- ### 4.1.2 Configure Data Retention
+-
+- #### 4.1.2.1 Ensure audit log storage size is configured (Scored)
+- - auditd_data_retention_max_log_file
+-
+- #### 4.1.2.2 Ensure audit logs are not automatically deleted (Scored)
+- - auditd_data_retention_max_log_file_action
+-
+- #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored)
+- - var_auditd_space_left_action=email
+- - auditd_data_retention_space_left_action
+-
+- ##### action_mail_acct = root
+- - var_auditd_action_mail_acct=root
+- - auditd_data_retention_action_mail_acct
+-
+- ##### admin_space_left_action = halt
+- - var_auditd_admin_space_left_action=halt
+- - auditd_data_retention_admin_space_left_action
+-
+- ### 4.1.3 Ensure changes to system administration scope
+- ### (sudoers) is collected (Scored)
+- - audit_rules_sysadmin_actions
+-
+- ### 4.1.4 Ensure login and logout events are collected (Scored)
+- - audit_rules_login_events_faillock
+- - audit_rules_login_events_lastlog
+-
+- ### 4.1.5 Ensure session initiation information is collected (Scored)
+- - audit_rules_session_events
+-
+- ### 4.1.6 Ensure events that modify date and time information
+- ### are collected (Scored)
+- #### adjtimex
+- - audit_rules_time_adjtimex
+-
+- #### settimeofday
+- - audit_rules_time_settimeofday
+-
+- #### stime
+- - audit_rules_time_stime
+-
+- #### clock_settime
+- - audit_rules_time_clock_settime
+-
+- #### -w /etc/localtime -p wa
+- - audit_rules_time_watch_localtime
+-
+- ### 4.1.7 Ensure events that modify the system's Mandatory
+- ### Access Control are collected (Scored)
+- #### -w /etc/selinux/ -p wa
+- - audit_rules_mac_modification
+-
+- #### -w /usr/share/selinux/ -p wa
+- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264
+-
+- ### 4.1.8 Ensure events that modify the system's network
+- ### enironment are collected (Scored)
+- - audit_rules_networkconfig_modification
+-
+- ### 4.1.9 Ensure discretionary access control permission modification
+- ### events are collected (Scored)
+- - audit_rules_dac_modification_chmod
+- - audit_rules_dac_modification_fchmod
+- - audit_rules_dac_modification_fchmodat
+- - audit_rules_dac_modification_chown
+- - audit_rules_dac_modification_fchown
+- - audit_rules_dac_modification_fchownat
+- - audit_rules_dac_modification_lchown
+- - audit_rules_dac_modification_setxattr
+- - audit_rules_dac_modification_lsetxattr
+- - audit_rules_dac_modification_fsetxattr
+- - audit_rules_dac_modification_removexattr
+- - audit_rules_dac_modification_lremovexattr
+- - audit_rules_dac_modification_fremovexattr
+-
+- ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
+- ### collected (Scored)
+- - audit_rules_unsuccessful_file_modification_creat
+- - audit_rules_unsuccessful_file_modification_open
+- - audit_rules_unsuccessful_file_modification_openat
+- - audit_rules_unsuccessful_file_modification_truncate
+- - audit_rules_unsuccessful_file_modification_ftruncate
+- # Opinionated selection
+- - audit_rules_unsuccessful_file_modification_open_by_handle_at
+-
+- ### 4.1.11 Ensure events that modify user/group information are
+- ### collected (Scored)
+- - audit_rules_usergroup_modification_passwd
+- - audit_rules_usergroup_modification_group
+- - audit_rules_usergroup_modification_gshadow
+- - audit_rules_usergroup_modification_shadow
+- - audit_rules_usergroup_modification_opasswd
+-
+- ### 4.1.12 Ensure successful file system mounts are collected (Scored)
+- - audit_rules_media_export
+-
+- ### 4.1.13 Ensure use of privileged commands is collected (Scored)
+- - audit_rules_privileged_commands
+-
+- ### 4.1.14 Ensure file deletion events by users are collected
+- ### (Scored)
+- - audit_rules_file_deletion_events_unlink
+- - audit_rules_file_deletion_events_unlinkat
+- - audit_rules_file_deletion_events_rename
+- - audit_rules_file_deletion_events_renameat
+- # Opinionated selection
+- - audit_rules_file_deletion_events_rmdir
+-
+- ### 4.1.15 Ensure kernel module loading and unloading is collected
+- ### (Scored)
+- - audit_rules_kernel_module_loading
+-
+- ### 4.1.16 Ensure system administrator actions (sudolog) are
+- ### collected (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
+-
+- ### 4.1.17 Ensure the audit configuration is immutable (Scored)
+- - audit_rules_immutable
+-
+- ## 4.2 Configure Logging
+-
+- ### 4.2.1 Configure rsyslog
+-
+- #### 4.2.1.1 Ensure rsyslog is installed (Scored)
+- - package_rsyslog_installed
+-
+- #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
+- - service_rsyslog_enabled
+-
+- #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
+- - rsyslog_files_permissions
+-
+- #### 4.2.1.4 Ensure logging is configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
+-
+- #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
+- #### log host (Scored)
+- - rsyslog_remote_loghost
+-
+- #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
+- #### designated log hosts (Not Scored)
+- - rsyslog_nolisten
+-
+- ### 4.2.2 Configure journald
+-
+- #### 4.2.2.1 Ensure journald is configured to send logs to
+- #### rsyslog (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
+-
+- #### 4.2.2.2 Ensure journald is configured to compress large
+- #### log files (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521
+-
+-
+- #### 4.2.2.3 Ensure journald is configured to write logfiles to
+- #### persistent disk (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
+-
+- ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
+-
+- ## 4.3 Ensure logrotate is configured (Not Scored)
+-
+- # 5 Access, Authentication and Authorization
+-
+- ## 5.1 Configure cron
+-
+- ### 5.1.1 Ensure cron daemon is enabled (Scored)
+- - service_crond_enabled
+-
+-
+- ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+- # chown root:root /etc/crontab
+- - file_owner_crontab
+- - file_groupowner_crontab
+- # chmod og-rwx /etc/crontab
+- - file_permissions_crontab
+-
+- ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+- # chown root:root /etc/cron.hourly
+- - file_owner_cron_hourly
+- - file_groupowner_cron_hourly
+- # chmod og-rwx /etc/cron.hourly
+- - file_permissions_cron_hourly
+-
+- ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+- # chown root:root /etc/cron.daily
+- - file_owner_cron_daily
+- - file_groupowner_cron_daily
+- # chmod og-rwx /etc/cron.daily
+- - file_permissions_cron_daily
+-
+- ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+- # chown root:root /etc/cron.weekly
+- - file_owner_cron_weekly
+- - file_groupowner_cron_weekly
+- # chmod og-rwx /etc/cron.weekly
+- - file_permissions_cron_weekly
+-
+- ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+- # chown root:root /etc/cron.monthly
+- - file_owner_cron_monthly
+- - file_groupowner_cron_monthly
+- # chmod og-rwx /etc/cron.monthly
+- - file_permissions_cron_monthly
+-
+- ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+- # chown root:root /etc/cron.d
+- - file_owner_cron_d
+- - file_groupowner_cron_d
+- # chmod og-rwx /etc/cron.d
+- - file_permissions_cron_d
+-
+- ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
+-
+-
+- ## 5.2 SSH Server Configuration
+-
+- ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
+- # chown root:root /etc/ssh/sshd_config
+- - file_owner_sshd_config
+- - file_groupowner_sshd_config
+-
+- # chmod og-rwx /etc/ssh/sshd_config
+- - file_permissions_sshd_config
+-
+- ### 5.2.2 Ensure SSH access is limited (Scored)
+-
+-
+- ### 5.2.3 Ensure permissions on SSH private host key files are
+- ### configured (Scored)
+- # TO DO: The rule sets to 640, but benchmark wants 600
+- - file_permissions_sshd_private_key
+- # TO DO: check owner of private keys in /etc/ssh is root:root
+-
+- ### 5.2.4 Ensure permissions on SSH public host key files are configured
+- ### (Scored)
+- - file_permissions_sshd_pub_key
+- # TO DO: check owner of pub keys in /etc/ssh is root:root
+-
+- ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
+- - sshd_set_loglevel_info
+-
+- ### 5.2.6 Ensure SSH X11 forward is disabled (Scored)
+- - sshd_disable_x11_forwarding
+-
+- ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
+- - sshd_max_auth_tries_value=4
+- - sshd_set_max_auth_tries
+-
+- ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored)
+- - sshd_disable_rhosts
+-
+- ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
+- - disable_host_auth
+-
+- ### 5.2.10 Ensure SSH root login is disabled (Scored)
+- - sshd_disable_root_login
+-
+- ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
+- - sshd_disable_empty_passwords
+-
+- ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
+- - sshd_do_not_permit_user_env
+-
+- ### 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
+- # ClientAliveInterval 300
+- - sshd_idle_timeout_value=5_minutes
+- - sshd_set_idle_timeout
+-
+- # ClientAliveCountMax 0
+- - var_sshd_set_keepalive=0
+- - sshd_set_keepalive_0
+-
+- ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
+- ### or less (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
+-
+- ### 5.2.15 Ensure SSH warning banner is configured (Scored)
+- - sshd_enable_warning_banner
+-
+- ### 5.2.16 Ensure SSH PAM is enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
+-
+- ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
+- - sshd_disable_tcp_forwarding
+-
+- ### 5.2.18 Ensure SSH MaxStartups is configured (Scored)
+- - sshd_set_maxstartups
+- - var_sshd_set_maxstartups=10:30:60
+-
+- ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
+- - sshd_set_max_sessions
+- - var_sshd_max_sessions=4
+-
+- ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored)
+- - configure_ssh_crypto_policy
+-
+- ## 5.3 Configure authselect
+-
+-
+- ### 5.3.1 Create custom authselectet profile (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
+-
+- ### 5.3.2 Select authselect profile (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
+-
+- ### 5.3.3 Ensure authselect includes with-faillock (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
+-
+- ## 5.4 Configure PAM
+-
+- ### 5.4.1 Ensure password creation requirements are configured (Scored)
+- # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
+- - accounts_password_pam_retry
+- - var_password_pam_minlen=14
+- - accounts_password_pam_minlen
+- - var_password_pam_minclass=4
+- - accounts_password_pam_minclass
+-
+- ### 5.4.2 Ensure lockout for failed password attempts is
+- ### configured (Scored)
+- - var_accounts_passwords_pam_faillock_unlock_time=900
+- - var_accounts_passwords_pam_faillock_deny=5
+- - accounts_passwords_pam_faillock_unlock_time
+- - accounts_passwords_pam_faillock_deny
+-
+- ### 5.4.3 Ensure password reuse is limited (Scored)
+- - var_password_pam_unix_remember=5
+- - accounts_password_pam_unix_remember
+-
+- ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
+- - set_password_hashing_algorithm_systemauth
+-
+- ## 5.5 User Accounts and Environment
+-
+- ### 5.5.1 Set Shadow Password Suite Parameters
+-
+- #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
+- - var_accounts_maximum_age_login_defs=365
+- - accounts_maximum_age_login_defs
+-
+- #### 5.5.1.2 Ensure minimum days between password changes is 7
+- #### or more (Scored)
+- - var_accounts_minimum_age_login_defs=7
+- - accounts_minimum_age_login_defs
+-
+- #### 5.5.1.3 Ensure password expiration warning days is
+- #### 7 or more (Scored)
+- - var_accounts_password_warn_age_login_defs=7
+- - accounts_password_warn_age_login_defs
+-
+- #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
+- # TODO: Rule doesn't check list of users
+- # https://github.com/ComplianceAsCode/content/issues/5536
+- - var_account_disable_post_pw_expiration=30
+- - account_disable_post_pw_expiration
+-
+- #### 5.5.1.5 Ensure all users last password change date is
+- #### in the past (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
+-
+- ### 5.5.2 Ensure system accounts are secured (Scored)
+- - no_shelllogin_for_systemaccounts
+-
+- ### 5.5.3 Ensure default user shell timeout is 900 seconds
+- ### or less (Scored)
+- - var_accounts_tmout=15_min
+- - accounts_tmout
+-
+- ### 5.5.4 Ensure default group for the root account is
+- ### GID 0 (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
+-
+- ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
+- - var_accounts_user_umask=027
+- - accounts_umask_etc_bashrc
+- - accounts_umask_etc_profile
+-
+- ## 5.6 Ensure root login is restricted to system console (Not Scored)
+- - securetty_root_login_console_only
+- - no_direct_root_logins
+-
+- ## 5.7 Ensure access to the su command is restricted (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
+-
+- # System Maintenance
+-
+- ## 6.1 System File Permissions
+-
+- ### 6.1.1 Audit system file permissions (Not Scored)
+- - rpm_verify_permissions
+- - rpm_verify_ownership
+-
+- ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
+- # chown root:root /etc/passwd
+- - file_owner_etc_passwd
+- - file_groupowner_etc_passwd
+-
+- # chmod 644 /etc/passwd
+- - file_permissions_etc_passwd
+-
+- ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
+- # chown root:root /etc/shadow
+- - file_owner_etc_shadow
+- - file_groupowner_etc_shadow
+-
+- # chmod o-rwx,g-wx /etc/shadow
+- - file_permissions_etc_shadow
+-
+- ### 6.1.4 Ensure permissions on /etc/group are configured (Scored)
+- # chown root:root /etc/group
+- - file_owner_etc_group
+- - file_groupowner_etc_group
+-
+- # chmod 644 /etc/group
+- - file_permissions_etc_group
+-
+- ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
+- # chown root:root /etc/gshadow
+- - file_owner_etc_gshadow
+- - file_groupowner_etc_gshadow
+-
+- # chmod o-rwx,g-rw /etc/gshadow
+- - file_permissions_etc_gshadow
+-
+- ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
+- # chown root:root /etc/passwd-
+- - file_owner_backup_etc_passwd
+- - file_groupowner_backup_etc_passwd
+-
+- # chmod 644 /etc/passwd-
+- - file_permissions_backup_etc_passwd
+-
+- ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
+- # chown root:root /etc/shadow-
+- - file_owner_backup_etc_shadow
+- - file_groupowner_backup_etc_shadow
+-
+- # chmod 0000 /etc/shadow-
+- - file_permissions_backup_etc_shadow
+-
+- ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
+- # chown root:root /etc/group-
+- - file_owner_backup_etc_group
+- - file_groupowner_backup_etc_group
+-
+- # chmod 644 /etc/group-
+- - file_permissions_backup_etc_group
+-
+- ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
+- # chown root:root /etc/gshadow-
+- - file_owner_backup_etc_gshadow
+- - file_groupowner_backup_etc_gshadow
+-
+- # chmod 0000 /etc/gshadow-
+- - file_permissions_backup_etc_gshadow
+-
+- ### 6.1.10 Ensure no world writable files exist (Scored)
+- - file_permissions_unauthorized_world_writable
+-
+- ### 6.1.11 Ensure no unowned files or directories exist (Scored)
+- - no_files_unowned_by_user
+-
+- ### 6.1.12 Ensure no ungrouped files or directories exist (Scored)
+- - file_permissions_ungroupowned
+-
+- ### 6.1.13 Audit SUID executables (Not Scored)
+- - file_permissions_unauthorized_suid
+-
+- ### 6.1.14 Audit SGID executables (Not Scored)
+- - file_permissions_unauthorized_sgid
+-
+- ## 6.2 User and Group Settings
+-
+- ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
+- - no_legacy_plus_entries_etc_passwd
+-
+- ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
+- - no_legacy_plus_entries_etc_shadow
+-
+- ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
+- - no_legacy_plus_entries_etc_group
+-
+- ### 6.2.6 Ensure root is the only UID 0 account (Scored)
+- - accounts_no_uid_except_zero
+-
+- ### 6.2.7 Ensure users' home directories permissions are 750
+- ### or more restrictive (Scored)
+- - file_permissions_home_dirs
+-
+- ### 6.2.8 Ensure users own their home directories (Scored)
+- # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
+- - file_groupownership_home_directories
+-
+- ### 6.2.9 Ensure users' dot files are not group or world
+- ### writable (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
+-
+- ### 6.2.10 Ensure no users have .forward files (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
+-
+- ### 6.2.11 Ensure no users have .netrc files (Scored)
+- - no_netrc_files
+-
+- ### 6.2.12 Ensure users' .netrc Files are not group or
+- ### world accessible (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
+-
+- ### 6.2.13 Ensure no users have .rhosts files (Scored)
+- - no_rsh_trust_files
+-
+- ### 6.2.14 Ensure all groups in /etc/passwd exist in
+- ### /etc/group (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
+-
+- ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502
+-
+- ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501
+-
+- ### 6.2.17 Ensure no duplicate user names exist (Scored)
+- - account_unique_name
+-
+- ### 6.2.18 Ensure no duplicate group names exist (Scored)
+- # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5500 +- +- ### 6.2.19 Ensure shadow group is empty (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499 +- +- ### 6.2.20 Ensure all users' home directories exist (Scored) +- - accounts_user_interactive_home_directory_exists ++ - cis_rhel8:all:l2_server +diff --git a/products/rhel8/profiles/cis_server_l1.profile b/products/rhel8/profiles/cis_server_l1.profile +new file mode 100644 +index 00000000000..7b4518e15a5 +--- /dev/null ++++ b/products/rhel8/profiles/cis_server_l1.profile +@@ -0,0 +1,22 @@ ++documentation_complete: true ++ ++metadata: ++ version: 1.0.1 ++ SMEs: ++ - vojtapolasek ++ - yuumasato ++ ++reference: https://www.cisecurity.org/benchmark/red_hat_linux/ ++ ++title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server' ++ ++description: |- ++ This profile defines a baseline that aligns to the "Level 1 - Server" ++ configuration from the Center for Internet Security® Red Hat Enterprise ++ Linux 8 Benchmark™, v1.0.1, released 2021-05-19. ++ ++ This profile includes Center for Internet Security® ++ Red Hat Enterprise Linux 8 CIS Benchmarks™ content. ++ ++selections: ++ - cis_rhel8:all:l1_server +diff --git a/products/rhel8/profiles/cis_workstation_l1.profile b/products/rhel8/profiles/cis_workstation_l1.profile +new file mode 100644 +index 00000000000..230e4c2f0ba +--- /dev/null ++++ b/products/rhel8/profiles/cis_workstation_l1.profile +@@ -0,0 +1,22 @@ ++documentation_complete: true ++ ++metadata: ++ version: 1.0.1 ++ SMEs: ++ - vojtapolasek ++ - yuumasato ++ ++reference: https://www.cisecurity.org/benchmark/red_hat_linux/ ++ ++title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation' ++ ++description: |- ++ This profile defines a baseline that aligns to the "Level 1 - Workstation" ++ configuration from the Center for Internet Security® Red Hat Enterprise ++ Linux 8 Benchmark™, v1.0.1, released 2021-05-19. 
++ ++ This profile includes Center for Internet Security® ++ Red Hat Enterprise Linux 8 CIS Benchmarks™ content. ++ ++selections: ++ - cis_rhel8:all:l1_workstation +diff --git a/products/rhel8/profiles/cis_workstation_l2.profile b/products/rhel8/profiles/cis_workstation_l2.profile +new file mode 100644 +index 00000000000..c0d1698c2f0 +--- /dev/null ++++ b/products/rhel8/profiles/cis_workstation_l2.profile +@@ -0,0 +1,22 @@ ++documentation_complete: true ++ ++metadata: ++ version: 1.0.1 ++ SMEs: ++ - vojtapolasek ++ - yuumasato ++ ++reference: https://www.cisecurity.org/benchmark/red_hat_linux/ ++ ++title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation' ++ ++description: |- ++ This profile defines a baseline that aligns to the "Level 2 - Workstation" ++ configuration from the Center for Internet Security® Red Hat Enterprise ++ Linux 8 Benchmark™, v1.0.1, released 2021-05-19. ++ ++ This profile includes Center for Internet Security® ++ Red Hat Enterprise Linux 8 CIS Benchmarks™ content. 
++ ++selections: ++ - cis_rhel8:all:l2_workstation + +From e53bf4c6b479608b155bcfcc8426ac20ca4c9291 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 1 Jul 2021 16:35:19 +0100 +Subject: [PATCH 02/55] Add CIS control file for RHEL 8 + +--- + controls/cis_rhel8.yml | 758 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 758 insertions(+) + create mode 100644 controls/cis_rhel8.yml + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +new file mode 100644 +index 00000000000..a84bb078e34 +--- /dev/null ++++ b/controls/cis_rhel8.yml +@@ -0,0 +1,758 @@ ++policy: 'CIS Benchmark for Red Hat Enterprise Linux 8' ++title: 'CIS Benchmark for Red Hat Enterprise Linux 8' ++id: cis_rhel8 ++version: '1.0.1' ++source: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux ++levels: ++ - id: l1_server ++ - id: l2_server ++ inherits_from: ++ - l1_server ++ - id: l1_workstation ++ - id: l2_workstation ++ inherits_from: ++ - l1_workstation ++ ++controls: ++ - id: reload_dconf_db ++ title: Reload Dconf database ++ levels: ++ - l1_server ++ - l1_workstation ++ notes: <- ++ This is a helper rule to reload Dconf datbase correctly. 
++ automated: yes ++ rules: ++ - dconf_db_up_to_date ++ ++ - id: 1.1.1.1 ++ title: Ensure mounting of cramfs filesystems is disabled (Automated) ++ levels: ++ - l1_workstation ++ - l1_server ++ automated: yes ++ rules: ++ - kernel_module_cramfs_disabled ++ ++ - id: 1.1.1.2 ++ title: Ensure mounting of vFAT filesystems is limited (Manual) ++ levels: ++ - l2_workstation ++ - l2_server ++ automated: no ++ related_rules: ++ - kernel_module_vfat_disabled ++ ++ - id: 1.1.1.3 ++ title: Ensure mounting of squashfs filesystems is disabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - kernel_module_squashfs_disabled ++ ++ - id: 1.1.1.4 ++ title: Ensure mounting of udf filesystems is disabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - kernel_module_udf_disabled ++ ++ - id: 1.1.2 ++ title: Ensure /tmp is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - partition_for_tmp ++ ++ - id: 1.1.3 ++ title: Ensure nodev option set on /tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_tmp_nodev ++ ++ - id: 1.1.4 ++ title: Ensure nosuid option set on /tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_tmp_nosuid ++ ++ - id: 1.1.5 ++ title: Ensure noexec option set on /tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_tmp_noexec ++ ++ - id: 1.1.6 ++ title: Ensure separate partition exists for /var (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - partition_for_var ++ ++ - id: 1.1.7 ++ title: Ensure separate partition exists for /var/tmp (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - partition_for_var_tmp ++ ++ - id: 1.1.8 ++ title: Ensure nodev option set on 
/var/tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_var_tmp_nodev ++ ++ - id: 1.1.9 ++ title: Ensure nosuid option set on /var/tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_var_tmp_nosuid ++ ++ - id: 1.1.10 ++ title: Ensure noexec option set on /var/tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_var_tmp_noexec ++ ++ - id: 1.1.11 ++ title: Ensure separate partition exists for /var/log (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - partition_for_var_log ++ ++ - id: 1.1.12 ++ title: Ensure separate partition exists for /var/log/audit (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - partition_for_var_log_audit ++ ++ - id: 1.1.13 ++ title: Ensure separate partition exists for /home (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - partition_for_home ++ ++ - id: 1.1.18 ++ title: Ensure nodev option set on /home partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_home_nodev ++ ++ - id: 1.1.15 ++ title: Ensure nodev option set on /dev/shm partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_dev_shm_nodev ++ ++ - id: 1.1.16 ++ title: Ensure nosuid option set on /dev/shm partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_dev_shm_nosuid ++ ++ - id: 1.1.17 ++ title: Ensure noexec option set on /dev/shm partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_dev_shm_noexec ++ ++ - id: 1.1.18 ++ title: Ensure nodev option set on removable media partitions (Manual) ++ levels: ++ - l1_server ++ - 
l1_workstation ++ automated: no ++ rules: ++ - mount_option_nodev_removable_partitions ++ ++ - id: 1.1.19 ++ title: Ensure nosuid option set on removable media partitions (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ rules: ++ - mount_option_nosuid_removable_partitions ++ ++ - id: 1.1.20 ++ title: Ensure noexec option set on removable media partitions (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ rules: ++ - mount_option_noexec_removable_partitions ++ ++ - id: 1.1.22 ++ title: Disable Automounting (Automated) ++ levels: ++ - l1_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - service_autofs_disabled ++ ++ - id: 1.1.23 ++ title: Disable USB Storage (Automated) ++ levels: ++ - l1_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - kernel_module_usb-storage_disabled ++ ++ - id: 1.2.1 ++ title: Ensure Red Hat Subscription Manager connection is configured (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 1.2.2 ++ title: Disable the rhnsd Daemon (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ related_rules: ++ - service_rhnsd_disabled ++ ++ - id: 1.2.3 ++ title: Ensure GPG keys are configured (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ related_rules: ++ - ensure_redhat_gpgkey_installed ++ ++ - id: 1.2.4 ++ title: Ensure gpgcheck is globally activated (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - ensure_gpgcheck_globally_activated ++ ++ - id: 1.2.5 ++ title: Ensure package manager repositories are configured (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 1.3.1 ++ title: Ensure sudo is installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_sudo_installed ++ ++ - id: 1.3.2 ++ title: Ensure sudo commands use pty (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ 
automated: yes ++ rules: ++ - sudo_add_use_pty ++ ++ - id: 1.3.3 ++ title: Ensure sudo log file exists (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sudo_custom_logfile ++ ++ - id: 1.4.1 ++ title: Ensure AIDE is installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_aide_installed ++ ++ - id: 1.4.2 ++ title: Ensure filesystem integrity is regularly checked (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - aide_periodic_cron_checking ++ ++ - id: 1.5.1 ++ title: Ensure permissions on bootloader config are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_owner_grub2_cfg ++ - file_groupowner_grub2_cfg ++ - file_permissions_grub2_cfg ++ ++ - id: 1.5.1 ++ title: Ensure bootloader password is set (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - grub2_password ++ ++ - id: 1.5.3 ++ title: Ensure authentication required for single user mode (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - require_singleuser_auth ++ - require_emergency_target_auth ++ ++ - id: 1.6.1 ++ title: Ensure core dumps are restricted (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - disable_users_coredumps ++ - sysctl_fs_suid_dumpable ++ - coredump_disable_backtraces ++ - coredump_disable_storage ++ ++ - id: 1.6.2 ++ title: Ensure address space layout randomization (ASLR) is enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_kernel_randomize_va_space ++ ++ - id: 1.7.1.1 ++ title: Ensure SELinux is installed (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - package_libselinux_installed ++ ++ - id: 1.7.1.1 ++ title: Ensure SELinux is installed (Automated) ++ levels: ++ - l2_server ++ - 
l2_workstation ++ automated: yes ++ rules: ++ - package_libselinux_installed ++ ++ - id: 1.7.1.2 ++ title: Ensure SELinux is not disabled in bootloader configuration (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - grub2_enable_selinux ++ ++ - id: 1.7.1.3 ++ title: Ensure SELinux policy is configured (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - var_selinux_policy_name=targeted ++ - selinux_policytype ++ ++ - id: 1.7.1.4 ++ title: Ensure the SELinux state is enforcing (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - var_selinux_state=enforcing ++ - selinux_state ++ ++ - id: 1.7.1.5 ++ title: Ensure no unconfined services exist (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - selinux_confinement_of_daemons ++ ++ - id: 1.7.1.6 ++ title: Ensure SETroubleshoot is not installed (Automated) ++ levels: ++ - l2_server ++ automated: yes ++ rules: ++ - package_setroubleshoot_removed ++ ++ - id: 1.7.1.7 ++ title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - package_mcstrans_removed ++ ++ - id: 1.8.1.1 ++ title: Ensure message of the day is configured properly (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - banner_etc_motd ++ ++ - id: 1.8.1.2 ++ title: Ensure local login warning banner is configured properly (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - banner_etc_issue ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5225 ++ - id: 1.8.1.3 ++ title: Ensure remote login warning banner is configured properly (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 1.8.1.4 ++ title: Ensure permissions on /etc/motd are configured (Automated) ++ levels: ++ - 
l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_permissions_etc_motd ++ ++ - id: 1.8.1.5 ++ title: Ensure permissions on /etc/issue are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_permissions_etc_issue ++ ++ - id: 1.8.2 ++ title: Ensure GDM login banner is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - dconf_gnome_banner_enabled ++ - dconf_gnome_login_banner_text ++ ++ - id: 1.9 ++ title: Ensure updates, patches, and additional security software are installed (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ related_rules: ++ - security_patches_up_to_date ++ ++ - id: 1.10 ++ title: Ensure system-wide crypto policy is not legacy (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - configure_crypto_policy ++ ++ # This rule works in conjunction with the configure_crypto_policy above. ++ # If a system is remediated to CIS Level 1, just the rule above will apply ++ # and will enforce the default value for var_system_crypto_policy (DEFAULT). ++ # If the system is remediated to Level 2 then this rule will be selected, ++ # and the value applied by the rule above will will be overridden to ++ # FUTURE through the var_system_crypto_policy variable. 
++ - id: 1.11 ++ title: Ensure system-wide crypto policy is FUTURE or FIPS (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - var_system_crypto_policy=future ++ ++ - id: 2.1.1 ++ title: Ensure xinetd is not installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_xinetd_removed ++ ++ - id: 2.2.1.1 ++ title: Ensure time synchronization is in use (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ related_rules: ++ - package_chrony_installed ++ ++ - id: 2.1.1 ++ title: Ensure chrony is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_chronyd_enabled ++ - chronyd_specify_remote_server ++ - chronyd_run_as_chrony_user ++ ++ - id: 2.2.2 ++ title: Ensure chrony is configured (Automated) ++ levels: ++ - l1_server ++ automated: yes ++ rules: ++ - package_xorg-x11-server-common_removed ++ - xwindows_runlevel_target ++ ++ - id: 2.2.3 ++ title: Ensure rsync service is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_rsyncd_disabled ++ ++ - id: 2.2.4 ++ title: Ensure Avahi Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_avahi-daemon_disabled ++ ++ - id: 2.2.5 ++ title: Ensure SNMP Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_snmpd_disabled ++ ++ - id: 2.2.6 ++ title: Ensure HTTP Proxy Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_squid_removed ++ ++ - id: 2.2.7 ++ title: Ensure Samba is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_smb_disabled ++ ++ - id: 2.2.8 ++ title: Ensure IMAP and POP3 server is not enabled (Automated) ++ levels: ++ - l1_server ++ - 
l1_workstation ++ automated: yes ++ rules: ++ - service_dovecot_disabled ++ ++ - id: 2.2.9 ++ title: Ensure HTTP server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_httpd_disabled ++ ++ - id: 2.2.10 ++ title: Ensure FTP Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_vsftpd_disabled ++ ++ - id: 2.2.11 ++ title: Ensure DNS Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_named_disabled ++ ++ - id: 2.2.12 ++ title: Ensure NFS is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_nfs_disabled ++ ++ - id: 2.2.13 ++ title: Ensure RPC is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_rpcbind_disabled ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5231 ++ - id: 2.2.14 ++ title: Ensure RPC is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 2.2.15 ++ title: Ensure DHCP Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_dhcpd_disabled ++ ++ - id: 2.2.16 ++ title: Ensure CUPS is not enabled (Automated) ++ levels: ++ - l1_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - service_cups_disabled ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5232 ++ - id: 2.2.17 ++ title: Ensure NIS Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 2.2.18 ++ title: Ensure mail transfer agent is configured for local-only mode (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - postfix_network_listening_disabled ++ ++ - id: 2.3.1 ++ title: Ensure NIS Client is not installed (Automated) 
++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_ypbind_removed ++ ++ - id: 2.3.2 ++ title: Ensure telnet client is not installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_telnet_removed ++ ++ - id: 2.3.3 ++ title: Ensure LDAP client is not installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_openldap-clients_removed + +From 7cb13c16162f057e8cf7d9f140c9b27abadce947 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 2 Jul 2021 20:47:49 +0100 +Subject: [PATCH 03/55] Add RHEL 8 Sections 3 & 4 to CIS control file + +--- + controls/cis_rhel8.yml | 728 ++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 726 insertions(+), 2 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index a84bb078e34..b63dc6cf9e1 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -712,8 +712,8 @@ controls: + rules: + - service_cups_disabled + +- # NEEDS RULE +- # https://github.com/ComplianceAsCode/content/issues/5232 ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5232 + - id: 2.2.17 + title: Ensure NIS Server is not enabled (Automated) + levels: +@@ -756,3 +756,727 @@ controls: + automated: yes + rules: + - package_openldap-clients_removed ++ ++ - id: 3.1.1 ++ title: Ensure IP forwarding is disabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_ip_forward ++ - sysctl_net_ipv6_conf_all_forwarding ++ ++ - id: 3.1.2 ++ title: Ensure packet redirect sending is disabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_conf_all_send_redirects ++ - sysctl_net_ipv4_conf_default_send_redirects ++ ++ - id: 3.2.1 ++ title: Ensure source routed packets are not accepted (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - 
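Review bot: Several control ids in the new controls/cis_rhel8.yml collide or are mislabelled, and because the id is what the generated content carries as the CIS reference, a scan finding would be attributed to the wrong benchmark item: `1.1.18` is used both for the /home nodev control (presumably `1.1.14`, given its neighbours) and for removable-media nodev, `1.5.1` is used for both bootloader-config permissions and the bootloader password (the latter presumably `1.5.2`), `2.1.1` is reused for xinetd and for the chrony configuration control (presumably `2.2.1.2`), and the `1.7.1.1` SELinux entry is pasted in twice. The `2.2.2` entry is titled "Ensure chrony is configured" while its rules remove the X Window System, and `2.2.14` repeats the "Ensure RPC is not enabled" title of 2.2.13; both look like copy-paste slips and should be corrected against the v1.0.1 benchmark the file declares in `version`. In the reload_dconf_db helper, `notes: <-` is not a YAML block-scalar indicator, so `<-` ends up inside the note text; `notes: |-` is presumably what was meant, and "datbase" is a typo. None of this changes which rules are selected, since selection is by level rather than id, but it corrupts the rule-to-benchmark mapping that is the purpose of the file.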
sysctl_net_ipv4_conf_all_accept_source_route ++ - sysctl_net_ipv4_conf_default_accept_source_route ++ - sysctl_net_ipv6_conf_all_accept_source_route ++ - sysctl_net_ipv6_conf_default_accept_source_route ++ ++ - id: 3.2.2 ++ title: Ensure ICMP redirects are not accepted (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_conf_all_accept_redirects ++ - sysctl_net_ipv4_conf_default_accept_redirects ++ - sysctl_net_ipv6_conf_all_accept_redirects ++ - sysctl_net_ipv6_conf_default_accept_redirects ++ ++ - id: 3.2.3 ++ title: Ensure secure ICMP redirects are not accepted (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_conf_all_secure_redirects ++ - sysctl_net_ipv4_conf_default_secure_redirects ++ ++ - id: 3.2.4 ++ title: Ensure suspicious packets are logged (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_conf_all_log_martians ++ - sysctl_net_ipv4_conf_default_log_martians ++ ++ - id: 3.2.5 ++ title: Ensure broadcast ICMP requests are ignored (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts ++ ++ - id: 3.2.6 ++ title: Ensure bogus ICMP responses are ignored (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses ++ ++ - id: 3.2.7 ++ title: Ensure Reverse Path Filtering is enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_conf_all_rp_filter ++ - sysctl_net_ipv4_conf_default_rp_filter ++ ++ - id: 3.2.8 ++ title: Ensure TCP SYN Cookies is enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_tcp_syncookies ++ ++ - id: 3.2.8 ++ title: Ensure TCP SYN Cookies is enabled (Automated) ++ levels: ++ - l1_server ++ - 
l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_tcp_syncookies ++ ++ - id: 3.2.9 ++ title: Ensure IPv6 router advertisements are not accepted (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv6_conf_all_accept_ra ++ - sysctl_net_ipv6_conf_default_accept_ra ++ ++ - id: 3.3.1 ++ title: Ensure DCCP is disabled (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - kernel_module_dccp_disabled ++ ++ - id: 3.3.2 ++ title: Ensure SCTP is disabled (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - kernel_module_sctp_disabled ++ ++ - id: 3.3.3 ++ title: Ensure RDS is disabled (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - kernel_module_rds_disabled ++ ++ - id: 3.3.4 ++ title: Ensure TIPC is disabled (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - kernel_module_tipc_disabled ++ ++ # NEEDS RULE ++ # This rule is currently quite opinionated and expects firewalld ++ # as the installed firewall package. But, as per the CIS control, ++ # this rule should also be satisfied by nftables or iptables. 
++ - id: 3.4.1.1 ++ title: Ensure a Firewall package is installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_firewalld_installed ++ ++ - id: 3.4.2.1 ++ title: Ensure firewalld service is enabled and running (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_firewalld_enabled ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5238 ++ - id: 3.4.2.2 ++ title: Ensure iptables service is not enabled with firewalld (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5239 ++ - id: 3.4.2.3 ++ title: Ensure nftables is not enabled with firewalld (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 3.4.2.4 ++ title: Ensure firewalld default zone is set (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - set_firewalld_default_zone ++ ++ - id: 3.4.2.5 ++ title: Ensure network interfaces are assigned to appropriate zone (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 3.4.2.6 ++ title: Ensure firewalld drops unnecessary services and ports (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 3.4.3.1 ++ title: Ensure iptables are flushed with nftables (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5244 ++ - id: 3.4.3.2 ++ title: Ensure an nftables table exists (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5245 ++ - id: 3.4.3.3 ++ title: Ensure nftables base chains exist (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5246 
++ - id: 3.4.3.4
++ title: Ensure nftables loopback traffic is configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 3.4.3.5
++ title: Ensure nftables outbound and established connections are configured (Manual)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5248
++ - id: 3.4.3.6
++ title: Ensure nftables default deny firewall policy (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5249
++ - id: 3.4.3.7
++ title: Ensure nftables service is enabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5250
++ - id: 3.4.3.8
++ title: Ensure nftables rules are permanent (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5252
++ - id: 3.4.4.1.1
++ title: Ensure iptables default deny firewall policy (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5253
++ - id: 3.4.4.1.2
++ title: Ensure iptables loopback traffic is configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 3.4.4.1.3
++ title: Ensure iptables outbound and established connections are configured (Manual)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5255
++ - id: 3.4.4.1.4
++ title: Ensure iptables firewall rules exist for all open ports (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/7190
++ - id: 3.4.4.1.5
++ title: Ensure iptables is enabled and active (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5257
++ - id: 3.4.4.2.1
++ title: Ensure ip6tables default deny firewall policy (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5258
++ - id: 3.4.4.2.2
++ title: Ensure ip6tables loopback traffic is configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 3.4.4.2.3
++ title: Ensure ip6tables outbound and established connections are configured (Manual)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/7191
++ - id: 3.4.4.2.4
++ title: Ensure ip6tables firewall rules exist for all open ports (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/7192
++ - id: 3.4.4.2.5
++ title: Ensure ip6tables is enabled and active (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 3.5
++ title: Ensure wireless interfaces are disabled (Automated)
++ levels:
++ - l1_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - wireless_disable_interfaces
++
++ - id: 3.6
++ title: Disable IPv6 (Manual)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - kernel_module_ipv6_option_disabled
++
++ - id: 4.1.1.1
++ title: Ensure auditd is installed (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - package_audit_installed
++
++ - id: 4.1.1.2
++ title: Ensure auditd service is enabled (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - service_auditd_enabled
++
++ - id: 4.1.1.3
++ title: Ensure auditing for processes that start prior to auditd is enabled (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - grub2_audit_argument
++
++ - id: 4.1.1.4
++ title: Ensure audit_backlog_limit is sufficient (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - grub2_audit_backlog_limit_argument
++
++ - id: 4.1.2.1
++ title: Ensure audit log storage size is configured (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - auditd_data_retention_max_log_file
++
++ - id: 4.1.2.2
++ title: Ensure audit logs are not automatically deleted (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - auditd_data_retention_max_log_file_action
++
++ - id: 4.1.2.3
++ title: Ensure system is disabled when audit logs are full (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - auditd_data_retention_action_mail_acct
++ - auditd_data_retention_admin_space_left_action
++ - auditd_data_retention_space_left_action
++ - var_auditd_action_mail_acct=root
++ - var_auditd_admin_space_left_action=halt
++ - var_auditd_space_left_action=email
++
++ - id: 4.1.3
++ title: Ensure changes to system administration scope (sudoers) is collected (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - audit_rules_sysadmin_actions
++
++ - id: 4.1.4
++ title: Ensure login and logout events are collected (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - audit_rules_login_events_faillock
++ - audit_rules_login_events_lastlog
++
++ - id: 4.1.5
++ title: Ensure session initiation information is collected (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - audit_rules_session_events
++
++ - id: 4.1.6
++ title: Ensure events that modify date and time information are collected (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - audit_rules_time_adjtimex
++ - audit_rules_time_clock_settime
++ - audit_rules_time_settimeofday
++ - audit_rules_time_stime
++ - audit_rules_time_watch_localtime
++
++ # NEEDS RULE
++ # -w /usr/share/selinux/ -p wa
++ # https://github.com/ComplianceAsCode/content/issues/5264
++ - id: 4.1.7
++ title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - audit_rules_mac_modification
++
++ - id: 4.1.8
++ title: Ensure events that modify the system's network environment are collected (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - audit_rules_networkconfig_modification
++
++ - id: 4.1.9
++ title: Ensure discretionary access control permission modification events are collected (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - audit_rules_dac_modification_chmod
++ - audit_rules_dac_modification_chown
++ - audit_rules_dac_modification_fchmod
++ - audit_rules_dac_modification_fchmodat
++ - audit_rules_dac_modification_fchown
++ - audit_rules_dac_modification_fchownat
++ - audit_rules_dac_modification_fremovexattr
++ - audit_rules_dac_modification_fsetxattr
++ - audit_rules_dac_modification_lchown
++ - audit_rules_dac_modification_lremovexattr
++ - audit_rules_dac_modification_lsetxattr
++ - audit_rules_dac_modification_removexattr
++ - audit_rules_dac_modification_setxattr
++
++ - id: 4.1.10
++ title: Ensure unsuccessful unauthorized file access attempts are collected (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - audit_rules_unsuccessful_file_modification_creat
++ - audit_rules_unsuccessful_file_modification_ftruncate
++ - audit_rules_unsuccessful_file_modification_open
++ - audit_rules_unsuccessful_file_modification_openat
++ - audit_rules_unsuccessful_file_modification_truncate
++ # Opinionated selection
++ - audit_rules_unsuccessful_file_modification_open_by_handle_at
++
++ - id: 4.1.11
++ title: Ensure events that modify user/group information are collected (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - audit_rules_usergroup_modification_group
++ - audit_rules_usergroup_modification_gshadow
++ - audit_rules_usergroup_modification_opasswd
++ - audit_rules_usergroup_modification_passwd
++ - audit_rules_usergroup_modification_shadow
++
++ - id: 4.1.12
++ title: Ensure successful file system mounts are collected (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - audit_rules_media_export
++
++ - id: 4.1.13
++ title: Ensure use of privileged commands is collected (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - audit_rules_privileged_commands
++
++ - id: 4.1.14
++ title: Ensure file deletion events by users are collected (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - audit_rules_file_deletion_events_rename
++ - audit_rules_file_deletion_events_renameat
++ - audit_rules_file_deletion_events_unlink
++ - audit_rules_file_deletion_events_unlinkat
++ # Opinionated selection
++ - audit_rules_file_deletion_events_rmdir
++
++ - id: 4.1.15
++ title: Ensure kernel module loading and unloading is collected (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - audit_rules_kernel_module_loading
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5516
++ - id: 4.1.16
++ title: Ensure system administrator actions (sudolog) are collected (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: no
++
++ - id: 4.1.17
++ title: Ensure the audit configuration is immutable (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - audit_rules_immutable
++
++ - id: 4.2.1.1
++ title: Ensure rsyslog is installed (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - package_rsyslog_installed
++
++ - id: 4.2.1.2
++ title: Ensure rsyslog Service is enabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - service_rsyslog_enabled
++
++ - id: 4.2.1.3
++ title: Ensure rsyslog default file permissions configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - rsyslog_files_permissions
++
++ - id: 4.2.1.4
++ title: Ensure logging is configured (Manual)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 4.2.1.5
++ title: Ensure rsyslog is configured to send logs to a remote log host (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - rsyslog_remote_loghost
++
++ - id: 4.2.1.6
++ title: Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++ related_rules:
++ - rsyslog_nolisten
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5520
++ - id: 4.2.2.1
++ title: Ensure journald is configured to send logs to rsyslog (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5521
++ - id: 4.2.2.2
++ title: Ensure journald is configured to compress large log files (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5522
++ - id: 4.2.2.3
++ title: Ensure journald is configured to write logfiles to persistent disk (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5523
++ - id: 4.2.3
++ title: Ensure permissions on all logfiles are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 4.3
++ title: Ensure logrotate is configured (Manual)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
+
+From e10bc6354fdbc73b0270e52673e0b688d21386a8 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Sat, 3 Jul 2021 12:08:31 +0100
+Subject: [PATCH 04/55] Add RHEL 8 Section 5 to CIS control file
+
+---
+ controls/cis_rhel8.yml | 460 +++++++++++++++++++++++++++++
+ 1 file changed, 460 insertions(+)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index b63dc6cf9e1..85c821bc60d 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1480,3 +1480,463 @@ controls:
+ - l1_server
+ - l1_workstation
+ automated: no
++
++ - id: 5.1.1
++ title: Ensure cron daemon is enabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - service_crond_enabled
++
++ - id: 5.1.2
++ title: Ensure permissions on /etc/crontab are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_crontab
++ - file_owner_crontab
++ - file_permissions_crontab
++
++ - id: 5.1.3
++ title: Ensure permissions on /etc/cron.hourly are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_cron_hourly
++ - file_owner_cron_hourly
++ - file_permissions_cron_hourly
++
++ - id: 5.1.4
++ title: Ensure permissions on /etc/cron.daily are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_cron_daily
++ - file_owner_cron_daily
++ - file_permissions_cron_daily
++
++ - id: 5.1.5
++ title: Ensure permissions on /etc/cron.weekly are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_cron_weekly
++ - file_owner_cron_weekly
++ - file_permissions_cron_weekly
++
++ - id: 5.1.6
++ title: Ensure permissions on /etc/cron.monthly are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_cron_monthly
++ - file_owner_cron_monthly
++ - file_permissions_cron_monthly
++
++ - id: 5.1.7
++ title: Ensure permissions on /etc/cron.d are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_cron_d
++ - file_owner_cron_d
++ - file_permissions_cron_d
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/7195
++ - id: 5.1.8
++ title: Ensure at/cron is restricted to authorized users (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 5.2.1
++ title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_sshd_config
++ - file_owner_sshd_config
++ - file_permissions_sshd_config
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/7196
++ - id: 5.2.2
++ title: Ensure SSH access is limited (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # TODO
++ # Rule sets permissions to 0640 but benchmark wants it to be 0600
++ #
++ # TODO
++ # Check owner of private keys in /etc/ssh is root:root
++ - id: 5.2.3
++ title: Ensure permissions on SSH private host key files are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_permissions_sshd_private_key
++
++ # TODO
++ # Check owner of public keys in /etc/ssh is root:root
++ - id: 5.2.4
++ title: Ensure permissions on SSH public host key files are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_permissions_sshd_pub_key
++
++ - id: 5.2.5
++ title: Ensure SSH LogLevel is appropriate (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_set_loglevel_info
++
++ - id: 5.2.6
++ title: Ensure SSH X11 forwarding is disabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_disable_x11_forwarding
++
++ - id: 5.2.7
++ title: Ensure SSH MaxAuthTries is set to 4 or less (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_max_auth_tries_value=4
++ - sshd_set_max_auth_tries
++
++ - id: 5.2.8
++ title: Ensure SSH IgnoreRhosts is enabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_disable_rhosts
++
++ - id: 5.2.9
++ title: Ensure SSH HostbasedAuthentication is disabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - disable_host_auth
++
++ - id: 5.2.10
++ title: Ensure SSH root login is disabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_disable_root_login
++
++ - id: 5.2.11
++ title: Ensure SSH PermitEmptyPasswords is disabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_disable_empty_passwords
++
++ - id: 5.2.12
++ title: Ensure SSH PermitUserEnvironment is disabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_do_not_permit_user_env
++
++ - id: 5.2.13
++ title: Ensure SSH Idle Timeout Interval is configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_idle_timeout_value=5_minutes
++ - sshd_set_idle_timeout
++ - sshd_set_keepalive_0
++ - var_sshd_set_keepalive=0
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5525
++ - id: 5.2.14
++ title: Ensure SSH LoginGraceTime is set to one minute or less (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 5.2.15
++ title: Ensure SSH warning banner is configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_enable_warning_banner
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5526
++ - id: 5.2.16
++ title: Ensure SSH PAM is enabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 5.2.17
++ title: Ensure SSH AllowTcpForwarding is disabled (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - sshd_disable_tcp_forwarding
++
++ - id: 5.2.18
++ title: Ensure SSH MaxStartups is configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_set_maxstartups
++
++ - id: 5.2.19
++ title: Ensure SSH MaxSessions is set to 4 or less (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_set_max_sessions
++ - var_sshd_max_sessions=4
++
++ - id: 5.2.20
++ title: Ensure system-wide crypto policy is not over-ridden (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - configure_ssh_crypto_policy
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5530
++ - id: 5.3.1
++ title: Create custom authselect profile (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5531
++ - id: 5.3.2
++ title: Select authselect profile (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5532
++ - id: 5.3.2
++ title: Ensure authselect includes with-faillock (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE: try_first_pass
++ # https://github.com/ComplianceAsCode/content/issues/5533
++ - id: 5.4.1
++ title: Ensure password creation requirements are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_password_pam_minclass
++ - accounts_password_pam_minlen
++ - accounts_password_pam_retry
++ - var_password_pam_minclass=4
++ - var_password_pam_minlen=14
++
++ - id: 5.4.2
++ title: Ensure lockout for failed password attempts is configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_passwords_pam_faillock_deny
++ - accounts_passwords_pam_faillock_unlock_time
++ - var_accounts_passwords_pam_faillock_deny=5
++ - var_accounts_passwords_pam_faillock_unlock_time=900
++
++ - id: 5.4.3
++ title: Ensure password reuse is limited (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_password_pam_unix_remember
++ - var_password_pam_unix_remember=5
++
++ - id: 5.4.4
++ title: Ensure password hashing algorithm is SHA-512 (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - set_password_hashing_algorithm_systemauth
++
++ - id: 5.5.1.1
++ title: Ensure password expiration is 365 days or less (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_maximum_age_login_defs
++ - var_accounts_maximum_age_login_defs=365
++
++ - id: 5.5.1.2
++ title: Ensure minimum days between password changes is 7 or more (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_minimum_age_login_defs
++ - var_accounts_minimum_age_login_defs=7
++
++ - id: 5.5.1.3
++ title: Ensure password expiration warning days is 7 or more (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_password_warn_age_login_defs
++ - var_accounts_password_warn_age_login_defs=7
++
++ # TODO
++ # Rule doesn't check list of users
++ - id: 5.5.1.4
++ title: Ensure inactive password lock is 30 days or less (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - account_disable_post_pw_expiration
++ - var_account_disable_post_pw_expiration=30
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5537
++ - id: 5.5.1.5
++ title: Ensure all users last password change date is in the past (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 5.5.2
++ title: Ensure system accounts are secured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - no_shelllogin_for_systemaccounts
++
++ - id: 5.5.3
++ title: Ensure default user shell timeout is 900 seconds or less (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_tmout
++ - var_accounts_tmout=15_min
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5539
++ - id: 5.5.4
++ title: Ensure default group for the root account is GID 0 (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 5.5.5
++ title: Ensure default user umask is 027 or more restrictive (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_umask_etc_bashrc
++ - accounts_umask_etc_profile
++ - var_accounts_user_umask=027
++
++ - id: 5.6
++ title: Ensure root login is restricted to system console (Manual)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++ related_rules:
++ - no_direct_root_logins
++ - securetty_root_login_console_only
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5541
++ - id: 5.7
++ title: Ensure access to the su command is restricted (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
+
+From 9aa351c0c0104ec07ee9f23ceb072233992b1a5a Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Sat, 3 Jul 2021 12:33:15 +0100
+Subject: [PATCH 05/55] Add RHEL 8 Section 6 to CIS control file
+
+---
+ controls/cis_rhel8.yml | 325 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 325 insertions(+)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 85c821bc60d..bc77e25d122 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ 
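Review bot: The control id 5.3.2 is assigned twice in this hunk, once to `title: Select authselect profile (Automated)` and again to `title: Ensure authselect includes with-faillock (Automated)`; the second entry should read `- id: 5.3.3` so ids stay unique and the with-faillock control can be addressed on its own once its NEEDS RULE item is resolved. Separately, 5.4.4 ("password hashing algorithm is SHA-512") selects only `set_password_hashing_algorithm_systemauth`, which by its name covers one PAM stack; if the project carries sibling rules for the password-auth stack or `/etc/login.defs` they belong here too, and if not, a comment such as `# Only system-auth is checked; password-auth and login.defs are not covered yet` would stop the next reader from assuming the control is complete.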
-1940,3 +1940,328 @@ controls:
+ - l1_server
+ - l1_workstation
+ automated: no
++
++ - id: 6.1.1
++ title: Audit system file permissions (Manual)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++ related_rules:
++ - rpm_verify_permissions
++ - rpm_verify_ownership
++
++ - id: 6.1.2
++ title: Ensure permissions on /etc/passwd are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_etc_passwd
++ - file_owner_etc_passwd
++ - file_permissions_etc_passwd
++
++ - id: 6.1.3
++ title: Ensure permissions on /etc/passwd- are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_backup_etc_passwd
++ - file_owner_backup_etc_passwd
++ - file_permissions_backup_etc_passwd
++
++ - id: 6.1.4
++ title: Ensure permissions on /etc/shadow are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_owner_etc_shadow
++ - file_groupowner_etc_shadow
++ - file_permissions_etc_shadow
++
++ - id: 6.1.5
++ title: Ensure permissions on /etc/shadow- are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_backup_etc_shadow
++ - file_owner_backup_etc_shadow
++ - file_permissions_backup_etc_shadow
++
++ - id: 6.1.6
++ title: Ensure permissions on /etc/gshadow are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_etc_gshadow
++ - file_owner_etc_gshadow
++ - file_permissions_etc_gshadow
++
++ - id: 6.1.7
++ title: Ensure permissions on /etc/gshadow- are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_backup_etc_gshadow
++ - file_owner_backup_etc_gshadow
++ - file_permissions_backup_etc_gshadow
++
++ - id: 6.1.8
++ title: Ensure permissions on /etc/group are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_etc_group
++ - file_owner_etc_group
++ - file_permissions_etc_group
++
++ - id: 6.1.9
++ title: Ensure permissions on /etc/group- are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_backup_etc_group
++ - file_owner_backup_etc_group
++ - file_permissions_backup_etc_group
++
++ - id: 6.1.10
++ title: Ensure no world writable files exist (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_permissions_unauthorized_world_writable
++
++ - id: 6.1.11
++ title: Ensure no unowned files or directories exist (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - no_files_unowned_by_user
++
++ - id: 6.1.12
++ title: Ensure no ungrouped files or directories exist (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_permissions_ungroupowned
++
++ - id: 6.1.13
++ title: Audit SUID executables (Manual)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++ rules:
++ - file_permissions_unauthorized_suid
++
++ - id: 6.1.14
++ title: Audit SGID executables (Manual)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++ rules:
++ - file_permissions_unauthorized_sgid
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/7197
++ - id: 6.2.1
++ title: Ensure password fields are not empty (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 6.2.2
++ title: Ensure no legacy "+" entries exist in /etc/passwd (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - no_legacy_plus_entries_etc_passwd
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/7198
++ - id: 6.2.3
++ title: Ensure root PATH Integrity (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 6.2.4
++ title: Ensure no legacy "+" entries exist in /etc/shadow (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - no_legacy_plus_entries_etc_shadow
++
++ - id: 6.2.5
++ title: Ensure no legacy "+" entries exist in /etc/group (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - no_legacy_plus_entries_etc_group
++
++ - id: 6.2.6
++ title: Ensure root is the only UID 0 account (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_no_uid_except_zero
++
++ - id: 6.2.7
++ title: Ensure users' home directories permissions are 750 or more restrictive (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_permissions_home_dirs
++
++ # NEEDS RULE (for user ownership)
++ # https://github.com/ComplianceAsCode/content/issues/5507
++ - id: 6.2.8
++ title: Ensure users own their home directories (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupownership_home_directories
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5506
++ - id: 6.2.9
++ title: Ensure users' dot files are not group or world writable (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5505
++ - id: 6.2.10
++ title: Ensure no users have .forward files (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 6.2.11
++ title: Ensure no users have .netrc files (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - no_netrc_files
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5504
++ - id: 6.2.12
++ title: Ensure users' .netrc Files are not group or world accessible (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 6.2.13
++ title: Ensure no users have .rhosts files (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - no_rsh_trust_files
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5503
++ - id: 6.2.14
++ title: Ensure all groups in /etc/passwd exist in /etc/group (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5502
++ - id: 6.2.15
++ title: Ensure no duplicate UIDs exist (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5501
++ - id: 6.2.16
++ title: Ensure no duplicate GIDs exist (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 6.2.17
++ title: Ensure no duplicate user names exist (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - account_unique_name
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5500
++ - id: 6.2.18
++ title: Ensure no duplicate group names exist (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5499
++ - id: 6.2.19
++ title: Ensure shadow group is empty (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 6.2.20
++ title: Ensure shadow group is empty (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_user_interactive_home_directory_exists
+
+From 9328919d45d46d2402e6a6cfb8bf726c8d24b7ec Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Sat, 3 Jul 2021 12:36:01 +0100
+Subject: [PATCH 06/55] Tweak RHEL8 CIS control file to satisfy yamllint
+
+---
+ controls/cis_rhel8.yml | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index bc77e25d122..161a2aac58e 100644
+--- 
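Review bot: Control 6.2.20 carries the title `Ensure shadow group is empty (Automated)` copied from 6.2.19 directly above it, but the rule it selects is `accounts_user_interactive_home_directory_exists`, so the title should describe that check (the benchmark item about interactive users' home directories existing); as written a reader cannot tell which of the two controls is the one actually automated. Also, 6.1.13 and 6.1.14 are `automated: no` yet list `file_permissions_unauthorized_suid` / `file_permissions_unauthorized_sgid` under `rules:`, whereas every other manual control in this file (6.1.1, 5.6, 4.2.1.6) uses `related_rules:`; switching them to `related_rules:` keeps the manual/automated distinction consistent and, presumably, stops an audit-only rule from being pulled into the generated profile.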
a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1,3 +1,4 @@
++---
+ policy: 'CIS Benchmark for Red Hat Enterprise Linux 8'
+ title: 'CIS Benchmark for Red Hat Enterprise Linux 8'
+ id: cis_rhel8
+@@ -1597,7 +1598,7 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
+- - file_permissions_sshd_private_key
++ - file_permissions_sshd_private_key
+
+ # TODO
+ # Check owner of public keys in /etc/ssh is root:root
+@@ -1608,7 +1609,7 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
+- - file_permissions_sshd_pub_key
++ - file_permissions_sshd_pub_key
+
+ - id: 5.2.5
+ title: Ensure SSH LogLevel is appropriate (Automated)
+@@ -1617,7 +1618,7 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
+- - sshd_set_loglevel_info
++ - sshd_set_loglevel_info
+
+ - id: 5.2.6
+ title: Ensure SSH X11 forwarding is disabled (Automated)
+@@ -1626,7 +1627,7 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
+- - sshd_disable_x11_forwarding
++ - sshd_disable_x11_forwarding
+
+ - id: 5.2.7
+ title: Ensure SSH MaxAuthTries is set to 4 or less (Automated)
+
+From 035dd0b7d79159f1c67ef53baf5a5d284ab79aed Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 9 Jul 2021 00:11:57 +0100
+Subject: [PATCH 07/55] Updates to address comments on RHEL 8 CIS PR
+
+---
+ controls/cis_rhel8.yml | 45 +++++++++++++++++++++++++++++-------------
+ 1 file changed, 31 insertions(+), 14 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 161a2aac58e..c93d6128ca4 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -170,7 +170,7 @@ controls:
+ rules:
+ - partition_for_home
+
+- - id: 1.1.18
++ - id: 1.1.14
+ title: Ensure nodev option set on /home partition (Automated)
+ levels:
+ - l1_server
+@@ -212,7 +212,7 @@ controls:
+ - l1_server
+ - l1_workstation
+ automated: no
+- rules:
++ related_rules:
+ - mount_option_nodev_removable_partitions
+
+ - id: 1.1.19
+@@ -221,7 +221,7 @@ controls:
+ - l1_server
+ - l1_workstation
automated: no
+- rules:
++ related_rules:
+ - mount_option_nosuid_removable_partitions
+
+ - id: 1.1.20
+@@ -230,9 +230,18 @@ controls:
+ - l1_server
+ - l1_workstation
+ automated: no
+- rules:
++ related_rules:
+ - mount_option_noexec_removable_partitions
+
++ - id: 1.1.21
++ title: Ensure sticky bit is set on all world-writable directories (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - dir_perms_world_writable_sticky_bits
++
+ - id: 1.1.22
+ title: Disable Automounting (Automated)
+ levels:
+@@ -348,7 +357,7 @@ controls:
+ - file_groupowner_grub2_cfg
+ - file_permissions_grub2_cfg
+
+- - id: 1.5.1
++ - id: 1.5.2
+ title: Ensure bootloader password is set (Automated)
+ levels:
+ - l1_server
+@@ -356,6 +365,7 @@ controls:
+ automated: yes
+ rules:
+ - grub2_password
++ - grub2_uefi_password
+
+ - id: 1.5.3
+ title: Ensure authentication required for single user mode (Automated)
+@@ -397,15 +407,6 @@ controls:
+ rules:
+ - package_libselinux_installed
+
+- - id: 1.7.1.1
+- title: Ensure SELinux is installed (Automated)
+- levels:
+- - l2_server
+- - l2_workstation
+- automated: yes
+- rules:
+- - package_libselinux_installed
+-
+ - id: 1.7.1.2
+ title: Ensure SELinux is not disabled in bootloader configuration (Automated)
+ levels:
+@@ -469,6 +470,7 @@ controls:
+ automated: yes
+ rules:
+ - banner_etc_motd
++ - login_banner_text=usgcb_default
+
+ - id: 1.8.1.2
+ title: Ensure local login warning banner is configured properly (Automated)
+@@ -478,6 +480,7 @@ controls:
+ automated: yes
+ rules:
+ - banner_etc_issue
++ - login_banner_text=usgcb_default
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5225
+@@ -495,6 +498,8 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
++ - file_groupowner_etc_motd
++ - file_owner_etc_motd
+ - file_permissions_etc_motd
+
+ - id: 1.8.1.5
+@@ -504,8 +509,19 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
++ - file_groupowner_etc_issue
++ - 
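Review bot: In the `@@ -356,6 +365,7 @@` hunk the bootloader-password control now selects both `grub2_password` and `grub2_uefi_password`; unless the two rules carry mutually exclusive firmware applicability (not visible in this hunk), a BIOS-booted host will fail the UEFI check and a UEFI host the BIOS one, so the control can never fully pass on any single machine. Please confirm the rules are guarded by a platform that makes the inapplicable one evaluate as notapplicable, or record the expectation on the new line, e.g. `# Both selected; each is expected to be notapplicable on the other firmware type`. The control this hunk patches starts and ends outside the hunk.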
file_owner_etc_issue + - file_permissions_etc_issue + ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/7225 ++ - id: 1.8.1.6 ++ title: Ensure permissions on /etc/issue.net are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ + - id: 1.8.2 + title: Ensure GDM login banner is configured (Automated) + levels: +@@ -515,6 +531,7 @@ controls: + rules: + - dconf_gnome_banner_enabled + - dconf_gnome_login_banner_text ++ - login_banner_text=usgcb_default + + - id: 1.9 + title: Ensure updates, patches, and additional security software are installed (Manual) + +From 0d2d6a378e8ce767959ffbe8b1c41c9e5ca22d01 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 16 Jul 2021 14:21:02 +0100 +Subject: [PATCH 08/55] Allow DEFAULT crypto policy for RHEL 8 CIS (conditional + on merge of #7226) + +--- + controls/cis_rhel8.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index c93d6128ca4..9140711fb66 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -550,6 +550,7 @@ controls: + automated: yes + rules: + - configure_crypto_policy ++ - var_system_crypto_policy=default + + # This rule works in conjunction with the configure_crypto_policy above. 
+ # If a system is remediated to CIS Level 1, just the rule above will apply
+
+From 85befb58973da869943ad45b80b495c0061df01b Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 16 Jul 2021 14:34:41 +0100
+Subject: [PATCH 09/55] Update RHEL 8 CIS Section 2 rules
+
+---
+ controls/cis_rhel8.yml | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 9140711fb66..782dc7666f3 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -585,7 +585,7 @@ controls:
+ related_rules:
+ - package_chrony_installed
+
+- - id: 2.1.1
++ - id: 2.2.1.2
+ title: Ensure chrony is configured (Automated)
+ levels:
+ - l1_server
+@@ -597,13 +597,12 @@ controls:
+ - chronyd_run_as_chrony_user
+
+ - id: 2.2.2
+- title: Ensure chrony is configured (Automated)
++ title: Ensure X Window System is not installed (Automated)
+ levels:
+ - l1_server
+ automated: yes
+ rules:
+- - package_xorg-x11-server-common_removed
+- - xwindows_runlevel_target
++ - xwindows_remove_packages
+
+ - id: 2.2.3
+ title: Ensure rsync service is not enabled (Automated)
+@@ -639,7 +638,7 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
+- - package_squid_removed
++ - package_squid_disabled
+
+ - id: 2.2.7
+ title: Ensure Samba is not enabled (Automated)
+@@ -707,7 +706,7 @@ controls:
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5231
+ - id: 2.2.14
+- title: Ensure RPC is not enabled (Automated)
++ title: Ensure LDAP server is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+@@ -748,6 +747,7 @@ controls:
+ automated: yes
+ rules:
+ - postfix_network_listening_disabled
++ - var_postfix_inet_interfaces=loopback-only
+
+ - id: 2.3.1
+ title: Ensure NIS Client is not installed (Automated)
+
+From fc72716acbbb503abb094a36f0cb17ab3ee58de3 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 16 Jul 2021 15:03:09 +0100
+Subject: [PATCH 10/55] Update RHEL 8 CIS Section 3 
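Review bot: The added `var_system_crypto_policy=default` selection at the end of this hunk refers to a variable value that, according to the patch subject, only exists once #7226 is merged; until then this control file points at an option the build cannot resolve. That dependency lives only in the commit message, so a comment beside the selection would make it visible to the next editor, e.g. `# DEFAULT requires the crypto-policy variable option added in #7226`. The CIS control this selection serves is outside the hunk; if it only requires that the policy is not LEGACY, the same comment could note that DEFAULT is the minimum acceptable level and that stricter policies remain valid.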
rules + +--- + controls/cis_rhel8.yml | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 782dc7666f3..1d34337411f 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -785,6 +785,7 @@ controls: + rules: + - sysctl_net_ipv4_ip_forward + - sysctl_net_ipv6_conf_all_forwarding ++ - sysctl_net_ipv6_conf_all_forwarding_value=disabled + + - id: 3.1.2 + title: Ensure packet redirect sending is disabled (Automated) +@@ -804,9 +805,13 @@ controls: + automated: yes + rules: + - sysctl_net_ipv4_conf_all_accept_source_route ++ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled + - sysctl_net_ipv4_conf_default_accept_source_route ++ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled + - sysctl_net_ipv6_conf_all_accept_source_route ++ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled + - sysctl_net_ipv6_conf_default_accept_source_route ++ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled + + - id: 3.2.2 + title: Ensure ICMP redirects are not accepted (Automated) +@@ -816,9 +821,13 @@ controls: + automated: yes + rules: + - sysctl_net_ipv4_conf_all_accept_redirects ++ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled + - sysctl_net_ipv4_conf_default_accept_redirects ++ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled + - sysctl_net_ipv6_conf_all_accept_redirects ++ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled + - sysctl_net_ipv6_conf_default_accept_redirects ++ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled + + - id: 3.2.3 + title: Ensure secure ICMP redirects are not accepted (Automated) +@@ -828,7 +837,9 @@ controls: + automated: yes + rules: + - sysctl_net_ipv4_conf_all_secure_redirects ++ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled + - sysctl_net_ipv4_conf_default_secure_redirects ++ - 
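Review bot: In the `@@ -785` hunk the IPv6 forwarding rule gets an explicit `sysctl_net_ipv6_conf_all_forwarding_value=disabled`, but the sibling `sysctl_net_ipv4_ip_forward` on the line above is left without a value selection, although every other sysctl rule touched in this commit is pinned explicitly. If that rule has a tunable too, select it here for the same reason; if it is hard-wired and has none, a one-line comment such as `# sysctl_net_ipv4_ip_forward has no value variable` would explain the asymmetry. Pinning values in the control file rather than relying on variable defaults is what the rest of this commit is doing, so the exception should be deliberate and visible.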
sysctl_net_ipv4_conf_default_secure_redirects_value=disabled + + - id: 3.2.4 + title: Ensure suspicious packets are logged (Automated) +@@ -838,7 +849,9 @@ controls: + automated: yes + rules: + - sysctl_net_ipv4_conf_all_log_martians ++ - sysctl_net_ipv4_conf_all_log_martians_value=enabled + - sysctl_net_ipv4_conf_default_log_martians ++ - sysctl_net_ipv4_conf_default_log_martians_value=enabled + + - id: 3.2.5 + title: Ensure broadcast ICMP requests are ignored (Automated) +@@ -848,6 +861,7 @@ controls: + automated: yes + rules: + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts ++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled + + - id: 3.2.6 + title: Ensure bogus ICMP responses are ignored (Automated) +@@ -857,6 +871,7 @@ controls: + automated: yes + rules: + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses ++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled + + - id: 3.2.7 + title: Ensure Reverse Path Filtering is enabled (Automated) +@@ -866,7 +881,9 @@ controls: + automated: yes + rules: + - sysctl_net_ipv4_conf_all_rp_filter ++ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled + - sysctl_net_ipv4_conf_default_rp_filter ++ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled + + - id: 3.2.8 + title: Ensure TCP SYN Cookies is enabled (Automated) +@@ -876,15 +893,7 @@ controls: + automated: yes + rules: + - sysctl_net_ipv4_tcp_syncookies +- +- - id: 3.2.8 +- title: Ensure TCP SYN Cookies is enabled (Automated) +- levels: +- - l1_server +- - l1_workstation +- automated: yes +- rules: +- - sysctl_net_ipv4_tcp_syncookies ++ - sysctl_net_ipv4_tcp_syncookies_value=enabled + + - id: 3.2.9 + title: Ensure IPv6 router advertisements are not accepted (Automated) +@@ -894,7 +903,9 @@ controls: + automated: yes + rules: + - sysctl_net_ipv6_conf_all_accept_ra ++ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled + - sysctl_net_ipv6_conf_default_accept_ra ++ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled + + - id: 3.3.1 + title: 
Ensure DCCP is disabled (Automated) + +From 35206714177e9fac308589041449fc484254c29b Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Tue, 20 Jul 2021 08:43:10 +0100 +Subject: [PATCH 11/55] Update controls/cis_rhel8.yml + +Co-authored-by: vojtapolasek +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 1d34337411f..2acf9aef28d 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -638,7 +638,7 @@ controls: + - l1_workstation + automated: yes + rules: +- - package_squid_disabled ++ - service_squid_disabled + + - id: 2.2.7 + title: Ensure Samba is not enabled (Automated) + +From 0d1ff0c4d6ecdd1fcb3043d7e7237ef9159322ac Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 30 Jul 2021 22:13:25 +0100 +Subject: [PATCH 12/55] RHEL 8 CIS 1.5.1 is only partially automated currently + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 2acf9aef28d..e63fc57ddea 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -351,7 +351,7 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially # This rule, as implemented here, does not check for a user.cfg file + rules: + - file_owner_grub2_cfg + - file_groupowner_grub2_cfg + +From 60e7bde2e888abd847505e8f2179aadae8ee8e1a Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 30 Jul 2021 22:19:14 +0100 +Subject: [PATCH 13/55] Add EFI GRUB rules to RHEL 8 CIS control 1.5.1 + +--- + controls/cis_rhel8.yml | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index e63fc57ddea..2163655d9d3 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -353,8 +353,11 @@ controls: + - l1_workstation + automated: partially # This rule, as implemented here, does not check for a 
user.cfg file + rules: +- - file_owner_grub2_cfg ++ - file_groupowner_efi_grub2_cfg + - file_groupowner_grub2_cfg ++ - file_owner_efi_grub2_cfg ++ - file_owner_grub2_cfg ++ - file_permissions_efi_grub2_cfg + - file_permissions_grub2_cfg + + - id: 1.5.2 + +From 3be000366701a2772c7fe3ba7807e63fd4c03b24 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:11:38 +0100 +Subject: [PATCH 14/55] Update controls/cis_rhel8.yml + +Co-authored-by: vojtapolasek +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 2163655d9d3..aa9c2b6c809 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1655,7 +1655,7 @@ controls: + - id: 5.2.6 + title: Ensure SSH X11 forwarding is disabled (Automated) + levels: +- - l1_server ++ - l2_server + - l1_workstation + automated: yes + rules: + +From c62def9e1764d06aacb75b50886c7f4d08fe751b Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:22:44 +0100 +Subject: [PATCH 15/55] Explicitly set var_auditd_max_log_file_action + +--- + controls/cis_rhel8.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index aa9c2b6c809..af874fd789e 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1234,6 +1234,7 @@ controls: + automated: yes + rules: + - auditd_data_retention_max_log_file_action ++ - var_auditd_max_log_file_action=keep_logs + + - id: 4.1.2.3 + title: Ensure system is disabled when audit logs are full (Automated) + +From 860425b14b8637123b3f96aa9be319e9448f15a6 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:31:20 +0100 +Subject: [PATCH 16/55] Explicitly set the number of auditd logs to keep to 6 + +--- + controls/cis_rhel8.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index af874fd789e..af1314325ab 100644 +--- 
a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1225,6 +1225,7 @@ controls:
+ automated: yes
+ rules:
+ - auditd_data_retention_max_log_file
++ - var_auditd_max_log_file=6
+
+ - id: 4.1.2.2
+ title: Ensure audit logs are not automatically deleted (Automated)
+
+From 28cad027f42c4bf0f5570bf16766a7b1d402d5fe Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Wed, 4 Aug 2021 16:36:48 +0100
+Subject: [PATCH 17/55] The audit_rules_time_settimeofday rule does not
+ directly align with CIS
+
+---
+ controls/cis_rhel8.yml | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index af1314325ab..a81a9ef4605 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1284,11 +1284,10 @@ controls:
+ levels:
+ - l2_server
+ - l2_workstation
+- automated: yes
++ automated: partial # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control. 
+ rules: + - audit_rules_time_adjtimex + - audit_rules_time_clock_settime +- - audit_rules_time_settimeofday + - audit_rules_time_stime + - audit_rules_time_watch_localtime + + +From fe542405de5e73479ca8377b80fbbb7ac32be1d7 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:37:25 +0100 +Subject: [PATCH 18/55] RHEL CIS control 4.1.7 is missing a rule to achieve + full automation + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index a81a9ef4605..cba86f40c9e 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1299,7 +1299,7 @@ controls: + levels: + - l2_server + - l2_workstation +- automated: yes ++ automated: partial + rules: + - audit_rules_mac_modification + + +From ed087900ecf7230d2797a483e07a753f1733317e Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:38:54 +0100 +Subject: [PATCH 19/55] Remove opinionated rule from CIS 4.1.10 as it does not + align with the benchmark + +--- + controls/cis_rhel8.yml | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index cba86f40c9e..6e8c5cf10f0 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1345,8 +1345,6 @@ controls: + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_truncate +- # Opinionated selection +- - audit_rules_unsuccessful_file_modification_open_by_handle_at + + - id: 4.1.11 + title: Ensure events that modify user/group information are collected (Automated) + +From 47bf486ddadd79bade733fd444f3aadca4a82ad7 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:41:13 +0100 +Subject: [PATCH 20/55] Use "partially" rather than "partial" for automation + key + +--- + controls/cis_rhel8.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git 
a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 6e8c5cf10f0..829f0515cb0 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1284,7 +1284,7 @@ controls: + levels: + - l2_server + - l2_workstation +- automated: partial # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control. ++ automated: partially # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control. + rules: + - audit_rules_time_adjtimex + - audit_rules_time_clock_settime +@@ -1299,7 +1299,7 @@ controls: + levels: + - l2_server + - l2_workstation +- automated: partial ++ automated: partially + rules: + - audit_rules_mac_modification + + +From 42e08ddcb1575fccf3ff0f0a4094a15fb445bdf1 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:42:57 +0100 +Subject: [PATCH 21/55] Disable automation for control 4.1.13 as it does not + align exactly with the benchmark + +--- + controls/cis_rhel8.yml | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 829f0515cb0..76a7c8bbfa9 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1373,8 +1373,9 @@ controls: + levels: + - l2_server + - l2_workstation +- automated: yes +- rules: ++ automated: no ++ related_rules: ++ # The rule below is almost correct but cannot be used as it does not set the perm=x flag. 
+ - audit_rules_privileged_commands + + - id: 4.1.14 + +From 769029ec6639f26afdbb9d595f67e692dec368c2 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:44:03 +0100 +Subject: [PATCH 22/55] Remove opinionated rule from CIS 4.1.14 as it does not + align with the benchmark + +--- + controls/cis_rhel8.yml | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 76a7c8bbfa9..e6a53516666 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1389,8 +1389,6 @@ controls: + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat +- # Opinionated selection +- - audit_rules_file_deletion_events_rmdir + + - id: 4.1.15 + title: Ensure kernel module loading and unloading is collected (Automated) + +From fe163c10596ab3e24fb805267cb762cc40fd5ed0 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:47:53 +0100 +Subject: [PATCH 23/55] Disable the rsyslog_files_permissions rule as it does + not align with the benchmark + +--- + controls/cis_rhel8.yml | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index e6a53516666..327400abd65 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1435,14 +1435,15 @@ controls: + rules: + - service_rsyslog_enabled + ++ # NEEDS RULE ++ # The rsyslog_files_permissions rule is not sufficient ++ # https://github.com/ComplianceAsCode/content/issues/7332 + - id: 4.2.1.3 + title: Ensure rsyslog default file permissions configured (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes +- rules: +- - rsyslog_files_permissions ++ automated: no + + - id: 4.2.1.4 + title: Ensure logging is configured (Manual) + +From 404aef23030c6286f6b3d465ca84295c5252fe7c Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:52:17 +0100 +Subject: [PATCH 24/55] 
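Review bot: Switching 4.2.1.3 to `automated: no` removes the `rsyslog_files_permissions` reference from the control altogether, whereas the 4.1.13 hunk earlier in this series keeps its near-miss rule under `related_rules:` together with a comment on why it cannot be used. Keeping the reference the same way here (`related_rules:` / `- rsyslog_files_permissions`) preserves the link between the control and the existing rule for whoever picks up issue 7332, and the same pattern would suit 4.2.1.5, 5.2.3, 5.2.15 and 5.4.2 in the later hunks of this series. The NEEDS RULE comment does name the rule, so this is a consistency point rather than lost information.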
Disable 4.2.1.5 and 5.2.3 as they do not align + perfectly with the benchmark + +--- + controls/cis_rhel8.yml | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 327400abd65..f5a8ce45848 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1452,14 +1452,15 @@ controls: + - l1_workstation + automated: no + ++ # NEEDS RULE ++ # The rsyslog_remote_loghost rule is not sufficient ++ # https://github.com/ComplianceAsCode/content/issues/7333 + - id: 4.2.1.5 + title: Ensure rsyslog is configured to send logs to a remote log host (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes +- rules: +- - rsyslog_remote_loghost ++ automated: no + + - id: 4.2.1.6 + title: Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual) +@@ -1617,19 +1618,15 @@ controls: + - l1_workstation + automated: no + +- # TODO +- # Rule sets permissions to 0640 but benchmark wants it to be 0600 +- # +- # TODO +- # Check owner of private keys in /etc/ssh is root:root ++ # NEEDS RULE ++ # The file_permissions_sshd_private_key rule is not aligned with the benchmark ++ # https://github.com/ComplianceAsCode/content/issues/7334 + - id: 5.2.3 + title: Ensure permissions on SSH private host key files are configured (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes +- rules: +- - file_permissions_sshd_private_key ++ automated: no + + # TODO + # Check owner of public keys in /etc/ssh is root:root + +From 012d4f8df6c68e8a7a3c2efcd139a7f9ce8ab6bb Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:53:10 +0100 +Subject: [PATCH 25/55] 5.2.4 is only partially automated + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index f5a8ce45848..0e3fa99d32e 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ 
-1635,7 +1635,7 @@ controls:
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
++ automated: partially
+ rules:
+ - file_permissions_sshd_pub_key
+
+
+From e5cfc29ca52446f494a539010af31e54af51d58a Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Wed, 4 Aug 2021 16:55:32 +0100
+Subject: [PATCH 26/55] Ensure var_sshd_set_keepalive variable gets used
+ properly
+
+---
+ controls/cis_rhel8.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 0e3fa99d32e..439b3265fe9 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1721,7 +1721,7 @@ controls:
+ rules:
+ - sshd_idle_timeout_value=5_minutes
+ - sshd_set_idle_timeout
+- - sshd_set_keepalive_0
++ - sshd_set_keepalive
+ - var_sshd_set_keepalive=0
+
+ # NEEDS RULE
+
+From d21ea1b769d31bfbdcb97d1af5de9969be835ace Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Thu, 5 Aug 2021 08:47:24 +0100
+Subject: [PATCH 27/55] Align RHEL 8 Chrony configuration rule more closely
+ with CIS benchmark
+
+---
+ controls/cis_rhel8.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 439b3265fe9..92ac0dd85c5 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -595,9 +595,9 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
+- - service_chronyd_enabled
+ - chronyd_specify_remote_server
+ - chronyd_run_as_chrony_user
++ - var_multiple_time_servers=rhel
+
+ - id: 2.2.2
+ title: Ensure X Window System is not installed (Automated)
+
+From ade74cf232a649645b91da9d7c007b1106e25fb4 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Thu, 5 Aug 2021 08:54:14 +0100
+Subject: [PATCH 28/55] Set SSH loglevel to VERBOSE in RHEL 8 CIS controls file
+
+---
+ controls/cis_rhel8.yml | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 92ac0dd85c5..565974817f1 100644
+--- 
a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1645,7 +1645,12 @@ controls: + - l1_server + - l1_workstation + automated: yes ++ # The CIS benchmark is not opinionated about which loglevel is selected ++ # here. Here, this profile uses VERBOSE by default, as it allows for ++ # the capture of login and logout activity as well as key fingerprints. + rules: ++ - sshd_set_loglevel_verbose ++ related_rules: + - sshd_set_loglevel_info + + - id: 5.2.6 + +From 723681dedf1d88c4924684e34ea4c5e7fb8be24d Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:00:17 +0100 +Subject: [PATCH 29/55] Disable SSH warning banner rule in RHEL 8 CIS (uses + wrong path) + +--- + controls/cis_rhel8.yml | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 565974817f1..53f024fffea 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1738,14 +1738,16 @@ controls: + - l1_workstation + automated: no + ++ # NEEDS RULE ++ # The current sshd_enable_warning_banner rule uses /etc/issue instead ++ # of the /etc/issue.net that the benchmark expects. 
++ # + - id: 5.2.15 + title: Ensure SSH warning banner is configured (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes +- rules: +- - sshd_enable_warning_banner ++ automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5526 + +From b0615c26dd852bf817aa919752f543802ff707b0 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:00:48 +0100 +Subject: [PATCH 30/55] Add explicit variable definition for SSH MaxStartups + rule in RHEL 8 CIS profile + +--- + controls/cis_rhel8.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 53f024fffea..3345a37d098 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1775,6 +1775,7 @@ controls: + automated: yes + rules: + - sshd_set_maxstartups ++ - var_sshd_set_maxstartups=10:30:60 + + - id: 5.2.19 + title: Ensure SSH MaxSessions is set to 4 or less (Automated) + +From 03504b065edbaa7f23352943adc3650e59771ba1 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:19:43 +0100 +Subject: [PATCH 31/55] Update SSH MaxSessions to match the value CIS audits + for vs the one in the control title + +--- + controls/cis_rhel8.yml | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 3345a37d098..3b6219f3296 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1777,6 +1777,13 @@ controls: + - sshd_set_maxstartups + - var_sshd_set_maxstartups=10:30:60 + ++ # The title of this control does not appear to match the suggested audit and ++ # remediation in the CIS Benchmark version 1.0.1 - this profile uses the ++ # value from the audit and remediation sections of the benchmark rather than ++ # from the title. 
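Review bot: The NEEDS RULE block added above 5.2.15 ends with a bare `#` line and, unlike the other NEEDS RULE blocks in this series (4.2.1.3, 4.2.1.5, 5.2.3, 5.4.2), carries no tracking reference. Either drop the empty comment line or use it for the issue that tracks the /etc/issue versus /etc/issue.net gap, e.g. `# https://github.com/ComplianceAsCode/content/issues/<ISSUE-ID>` with the placeholder replaced by the real ticket, so the missing banner check is not forgotten once automation is switched off. Without a link, the only record that the warning banner is currently unenforced is this comment.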
++ # ++ # An upstream ticket has been opened about this issue: ++ # https://workbench.cisecurity.org/community/14/tickets/13414 + - id: 5.2.19 + title: Ensure SSH MaxSessions is set to 4 or less (Automated) + levels: +@@ -1785,7 +1792,7 @@ controls: + automated: yes + rules: + - sshd_set_max_sessions +- - var_sshd_max_sessions=4 ++ - var_sshd_max_sessions=10 + + - id: 5.2.20 + title: Ensure system-wide crypto policy is not over-ridden (Automated) + +From 0ef85e84670e72afb2842414369b12a1c72cd273 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:20:45 +0100 +Subject: [PATCH 32/55] Fix rule ID for 5.3.3 + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 3b6219f3296..55c8378529d 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1823,7 +1823,7 @@ controls: + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5532 +- - id: 5.3.2 ++ - id: 5.3.3 + title: Ensure authselect includes with-faillock (Automated) + levels: + - l1_server + +From 85c2fcf29b1c71f4528fabeed8c6556cf02312e7 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:23:40 +0100 +Subject: [PATCH 33/55] Remove misaligned rules from RHEL 8 CIS 5.4.2 + +--- + controls/cis_rhel8.yml | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 55c8378529d..c7f651994d6 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1845,17 +1845,14 @@ controls: + - var_password_pam_minclass=4 + - var_password_pam_minlen=14 + ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/7337 + - id: 5.4.2 + title: Ensure lockout for failed password attempts is configured (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes +- rules: +- - accounts_passwords_pam_faillock_deny +- - accounts_passwords_pam_faillock_unlock_time 
+- - var_accounts_passwords_pam_faillock_deny=5 +- - var_accounts_passwords_pam_faillock_unlock_time=900 ++ automated: no + + - id: 5.4.3 + title: Ensure password reuse is limited (Automated) + +From edbd2b2264252ab1a35f872b816947e289c7d4a5 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:29:15 +0100 +Subject: [PATCH 34/55] RHEL 8 CIS 5.4.1 is only partially automated + +--- + controls/cis_rhel8.yml | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index c7f651994d6..10816e1ba35 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1830,14 +1830,15 @@ controls: + - l1_workstation + automated: no + +- # NEEDS RULE: try_first_pass ++ # NEEDS RULE ++ # try_first_pass + # https://github.com/ComplianceAsCode/content/issues/5533 + - id: 5.4.1 + title: Ensure password creation requirements are configured (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially + rules: + - accounts_password_pam_minclass + - accounts_password_pam_minlen + +From e32f46528ef2c46986fca31e700b40949096d48f Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:37:15 +0100 +Subject: [PATCH 35/55] Import logic for the "Ensure password reuse is limited" + rule from RHEL 7 + +--- + controls/cis_rhel8.yml | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 10816e1ba35..0ea36362832 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1861,9 +1861,15 @@ controls: + - l1_server + - l1_workstation + automated: yes +- rules: +- - accounts_password_pam_unix_remember +- - var_password_pam_unix_remember=5 ++ notes: |- ++ Usage of pam_unix.so module together with "remember" option is deprecated and is not supported by this policy interpretation. 
++ See here for more details about pam_unix.so: ++ https://bugzilla.redhat.com/show_bug.cgi?id=1778929 ++ rules: ++ - accounts_password_pam_pwhistory_remember_password_auth ++ - accounts_password_pam_pwhistory_remember_system_auth ++ - var_password_pam_remember_control_flag=required ++ - var_password_pam_remember=5 + + - id: 5.4.4 + title: Ensure password hashing algorithm is SHA-512 (Automated) + +From c77bbff67b5e700b6785264bee3c973c343364d1 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:41:13 +0100 +Subject: [PATCH 36/55] RHEL 8 CIS 5.4.4 is only partially automated + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 0ea36362832..be46d870965 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1876,7 +1876,7 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially # The rule below does not check the /etc/pam.d/password-auth file mentioned in the benchmark. + rules: + - set_password_hashing_algorithm_systemauth + + +From be706084b1cae588b2799b38e9cea615ce8dc22f Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:42:57 +0100 +Subject: [PATCH 37/55] RHEL 8 CIS 5.5.1.1 is only partially automated + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index be46d870965..e41c2eb4dae 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1885,7 +1885,7 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially # The rule below does not validate whether all current users' PASS_MAX_DAYS setting conforms to the control. 
+ rules: + - accounts_maximum_age_login_defs + - var_accounts_maximum_age_login_defs=365 + +From 075eb337ef12d1610626e6b92eb6b207f89e7054 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:44:17 +0100 +Subject: [PATCH 38/55] RHEL 8 CIS 5.5.1.2 is only partially automated + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index e41c2eb4dae..0b2b3d04621 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1895,7 +1895,7 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially # The rule below does not validate whether all current users' PASS_MIN_DAYS setting conforms to the control. + rules: + - accounts_minimum_age_login_defs + - var_accounts_minimum_age_login_defs=7 + +From 1e3c17e5c1f81582bf891664dd7bc7c6000030b2 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:47:22 +0100 +Subject: [PATCH 39/55] RHEL 8 CIS 5.5.1.3 is only partially automated + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 0b2b3d04621..70312f6399a 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1905,7 +1905,7 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially # The rule below does not validate whether all current users' PASS_WARN_AGE setting conforms to the control. 
+ rules:
+ - accounts_password_warn_age_login_defs
+ - var_accounts_password_warn_age_login_defs=7
+
+From 97c5ff8a7096b04c2ebdac6af58047a9b0ee194b Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Thu, 5 Aug 2021 09:47:54 +0100
+Subject: [PATCH 40/55] RHEL 8 CIS 5.5.1.4 is only partially automated
+
+---
+ controls/cis_rhel8.yml | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 70312f6399a..42dbf14c816 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1910,14 +1910,12 @@ controls:
+ - accounts_password_warn_age_login_defs
+ - var_accounts_password_warn_age_login_defs=7
+
+- # TODO
+- # Rule doesn't check list of users
+ - id: 5.5.1.4
+ title: Ensure inactive password lock is 30 days or less (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
++ automated: partially # The rule below does not validate wheter all current users' INACTIVE setting conforms to the control.
+ rules:
+ - account_disable_post_pw_expiration
+ - var_account_disable_post_pw_expiration=30
+
+From 2d5603c3e25f376b0351364c05b3eaccc5b36368 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 6 Aug 2021 15:17:53 +0100
+Subject: [PATCH 41/55] Set SSH idle timeout to 15 minutes
+
+---
+ controls/cis_rhel8.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 42dbf14c816..e8e340e0c36 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1724,7 +1724,7 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
+- - sshd_idle_timeout_value=5_minutes
++ - sshd_idle_timeout_value=15_minutes
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive
+ - var_sshd_set_keepalive=0
+
+From da63d392814f48f17436e975cf8ccc3215eb917c Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 6 Aug 2021 16:12:47 +0100
+Subject: [PATCH 42/55] RHEL 8 CIS 5.5.2 is only partially automated
+
+---
+ controls/cis_rhel8.yml | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index e8e340e0c36..2d534d95072 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1929,12 +1929,15 @@ controls:
+ - l1_workstation
+ automated: no
+
++ # NEEDS RULE
++ # We are missing the component of this control which locks non-root system accounts
++ # https://github.com/ComplianceAsCode/content/issues/7352
+ - id: 5.5.2
+ title: Ensure system accounts are secured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
++ automated: partially
+ rules:
+ - no_shelllogin_for_systemaccounts
+
+
+From d07ec30f6cde2e6a3875170ced9004a81af6dee4 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 6 Aug 2021 16:17:13 +0100
+Subject: [PATCH 43/55] RHEL 8 CIS 5.5.3 is only partially automated
+
+---
+ controls/cis_rhel8.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml
b/controls/cis_rhel8.yml
+index 2d534d95072..784af3e0fe9 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1946,7 +1946,7 @@ controls:
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
++ automated: partially # The remediation for this rule does not implement the "TMOUT" variable as readonly so does not align fully with the benchmark
+ rules:
+ - accounts_tmout
+ - var_accounts_tmout=15_min
+
+From cd867062192bb635422d1f72261d4e8fbdc841e6 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 6 Aug 2021 16:21:39 +0100
+Subject: [PATCH 44/55] RHEL 8 CIS 5.5.5 is only partially automated
+
+---
+ controls/cis_rhel8.yml | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 784af3e0fe9..045e219d90f 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1965,9 +1965,10 @@ controls:
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
++ automated: partially # The rules below do not take /etc/profile.d/* into account so are not perfectly aligned with the benchmark
+ rules:
+ - accounts_umask_etc_bashrc
++ - accounts_umask_etc_login_defs
+ - accounts_umask_etc_profile
+ - var_accounts_user_umask=027
+
+
+From ec2d43b53d75627fd9ac33721fb8f04a5c2574df Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 6 Aug 2021 16:23:32 +0100
+Subject: [PATCH 45/55] RHEL 8 CIS 5.7 can be partially satisfied by
+ use_pam_wheel_for_su
+
+---
+ controls/cis_rhel8.yml | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 045e219d90f..84a3269afc6 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1989,7 +1989,9 @@ controls:
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: no
++ automated: partially
++ rules:
++ - use_pam_wheel_for_su
+
+ - id: 6.1.1
+ title: Audit system file permissions (Manual)
+
+From ca3b471ce283691f423a427c84845ab55860ecfa Mon Sep 17
00:00:00 2001
+From: Alex Haydock
+Date: Fri, 6 Aug 2021 16:31:56 +0100
+Subject: [PATCH 46/55] Rules exist which satisfy RHEL 8 CIS 6.2.3
+
+---
+ controls/cis_rhel8.yml | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 84a3269afc6..d02f2cbbf86 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -2154,14 +2154,15 @@ controls:
+ rules:
+ - no_legacy_plus_entries_etc_passwd
+
+- # NEEDS RULE
+- # https://github.com/ComplianceAsCode/content/issues/7198
+ - id: 6.2.3
+ title: Ensure root PATH Integrity (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: no
++ automated: yes
++ rules:
++ - accounts_root_path_dirs_no_write
++ - root_path_no_dot
+
+ - id: 6.2.4
+ title: Ensure no legacy "+" entries exist in /etc/shadow (Automated)
+
+From 92adfbb1ca271105aee1be7044b617227e0ef93e Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 6 Aug 2021 16:34:47 +0100
+Subject: [PATCH 47/55] Rules exist for RHEL 8 CIS 6.2.7 and 6.2.8 but without
+ OVAL checks or remediations
+
+---
+ controls/cis_rhel8.yml | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index d02f2cbbf86..a3f3d4e6d4f 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -2196,8 +2196,8 @@ controls:
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
+- rules:
++ automated: no # The rule below exists, but does not have any OVAL checks or remediations.
++ related_rules:
+ - file_permissions_home_dirs
+
+ # NEEDS RULE (for user ownership)
+@@ -2207,7 +2207,7 @@ controls:
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
++ automated: no # The rule below exists, but does not have any OVAL checks or remediations.
+ rules:
+ - file_groupownership_home_directories
+
+
+From 25b0bbb11fc07f16bada862c99eb01c2d76fb582 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 6 Aug 2021 16:35:23 +0100
+Subject: [PATCH 48/55] Rules exist for RHEL 8 CIS 6.2.20 but without OVAL
+ checks or remediations
+
+---
+ controls/cis_rhel8.yml | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index a3f3d4e6d4f..cfefd245300 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -2311,10 +2311,10 @@ controls:
+ automated: no
+
+ - id: 6.2.20
+- title: Ensure shadow group is empty (Automated)
++ title: Ensure all users' home directories exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+- automated: yes
+- rules:
++ automated: no # The rule below exists, but does not have any OVAL checks or remediations.
++ related_rules:
+ - accounts_user_interactive_home_directory_exists
+
+From c8d07e3ace333c4aa0098d64836596a4e4f7b772 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 6 Aug 2021 16:38:11 +0100
+Subject: [PATCH 49/55] We cannot use audit_rules_kernel_module_loading because
+ it also checks for finit_module syscall
+
+---
+ controls/cis_rhel8.yml | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index cfefd245300..e8d3f24ccbb 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1397,7 +1397,11 @@ controls:
+ - l2_workstation
+ automated: yes
+ rules:
+- - audit_rules_kernel_module_loading
++ - audit_rules_kernel_module_loading_delete
++ - audit_rules_kernel_module_loading_init
++ - audit_rules_privileged_commands_insmod
++ - audit_rules_privileged_commands_modprobe
++ - audit_rules_privileged_commands_rmmod
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5516
+
+From b3a579bc7aed5519923ce99252210e4d88beda91 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Mon, 9 Aug 2021
11:49:56 +0100
+Subject: [PATCH 50/55] Use only 'related_rules' and not 'rules' when a control
+ is not automated
+
+---
+ controls/cis_rhel8.yml | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index e8d3f24ccbb..a624d06cb56 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -2128,7 +2128,7 @@ controls:
+ - l1_server
+ - l1_workstation
+ automated: no
+- rules:
++ related_rules:
+ - file_permissions_unauthorized_suid
+
+ - id: 6.1.14
+@@ -2137,7 +2137,7 @@ controls:
+ - l1_server
+ - l1_workstation
+ automated: no
+- rules:
++ related_rules:
+ - file_permissions_unauthorized_sgid
+
+ # NEEDS RULE
+@@ -2212,7 +2212,7 @@ controls:
+ - l1_server
+ - l1_workstation
+ automated: no # The rule below exists, but does not have any OVAL checks or remediations.
+- rules:
++ related_rules:
+ - file_groupownership_home_directories
+
+ # NEEDS RULE
+
+From 3f6766beb261a309eacb788bdd21fa54e800b43c Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Tue, 10 Aug 2021 09:12:18 +0100
+Subject: [PATCH 51/55] Correct value of SSH MaxSessions based on upstream
+ Draft Benchmark 1.1.0
+
+---
+ controls/cis_rhel8.yml | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index a624d06cb56..bff2200ce12 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1782,11 +1782,11 @@ controls:
+ - var_sshd_set_maxstartups=10:30:60
+
+ # The title of this control does not appear to match the suggested audit and
+- # remediation in the CIS Benchmark version 1.0.1 - this profile uses the
+- # value from the audit and remediation sections of the benchmark rather than
+- # from the title.
++ # remediation in the CIS Benchmark version 1.0.1
++ #
++ # As noted in the ticket below, this is resolved in Draft Benchmark 1.1.0
++ # which confirms that '4' is the intended value for this control.
+ #
+- # An upstream ticket has been opened about this issue:
+ # https://workbench.cisecurity.org/community/14/tickets/13414
+ - id: 5.2.19
+ title: Ensure SSH MaxSessions is set to 4 or less (Automated)
+@@ -1796,7 +1796,7 @@ controls:
+ automated: yes
+ rules:
+ - sshd_set_max_sessions
+- - var_sshd_max_sessions=10
++ - var_sshd_max_sessions=4
+
+ - id: 5.2.20
+ title: Ensure system-wide crypto policy is not over-ridden (Automated)
+
+From e9ca1baec39ff010e63a99ac479e15b7fb73c352 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Wed, 11 Aug 2021 10:37:23 +0100
+Subject: [PATCH 52/55] Control to disable IPv6 should not be automated
+
+---
+ controls/cis_rhel8.yml | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index bff2200ce12..29d972427cf 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1177,9 +1177,7 @@ controls:
+ levels:
+ - l2_server
+ - l2_workstation
+- automated: yes
+- rules:
+- - kernel_module_ipv6_option_disabled
++ automated: no
+
+ - id: 4.1.1.1
+ title: Ensure auditd is installed (Automated)
+
+From a7b6c13f927d9494f65c314ea6f3ba71b9b350cb Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Tue, 17 Aug 2021 13:09:48 +0100
+Subject: [PATCH 53/55] Fix rules with missing CCEs for RHEL8
+
+---
+ .../accounts-session/root_paths/root_path_no_dot/rule.yml | 1 +
+ .../uefi/file_groupowner_efi_grub2_cfg/rule.yml | 1 +
+ .../bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml | 1 +
+ .../uefi/file_permissions_efi_grub2_cfg/rule.yml | 1 +
+ shared/references/cce-redhat-avail.txt | 4 ----
+ 5 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
+index 24a0feaf0aa..748d9d9d188 100644
+--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
++++
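Review bot: The IPv6 hunk (`@@ -1177,9 +1177,7 @@`) removes `- kernel_module_ipv6_option_disabled` outright when it flips the control to `automated: no`, while patch 50/55 in the same series establishes `related_rules:` as the place for rules that still map to a non-automated control. If that rule is still considered relevant to the control, keeping `related_rules:` / `- kernel_module_ipv6_option_disabled` under `automated: no` would preserve the control-to-rule traceability the other non-automated controls keep. The commit subject only says the control should not be automated; a one-line `#` comment above the control stating why the existing rule cannot be used would also help the next maintainer.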
b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
+@@ -21,6 +21,7 @@ severity: unknown
+
+ identifiers:
+ cce@rhel7: CCE-80199-3
++ cce@rhel8: CCE-85914-0
+
+ references:
+ cis-csc: 11,3,9
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
+index 288b6706b03..f44e85a059a 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
+@@ -25,6 +25,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel7: CCE-83430-9
++ cce@rhel8: CCE-85915-7
+
+ references:
+ cis-csc: 12,13,14,15,16,18,3,5
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
+index edcda693591..a9468d00ddc 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
+@@ -23,6 +23,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel7: CCE-83429-1
++ cce@rhel8: CCE-85913-2
+
+ references:
+ cis-csc: 12,13,14,15,16,18,3,5
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
+index 6e636a7caf7..bc4fdcc7e04 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel7: CCE-83431-7
++ cce@rhel8: CCE-85912-4
+
+ references:
+ cis-csc: 12,13,14,15,16,18,3,5
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 3b24e19da06..179412e8961
100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -42,10 +42,6 @@ CCE-85907-4
+ CCE-85908-2
+ CCE-85909-0
+ CCE-85911-6
+-CCE-85912-4
+-CCE-85913-2
+-CCE-85914-0
+-CCE-85915-7
+ CCE-85916-5
+ CCE-85917-3
+ CCE-85918-1
+
+From b2a35c50c402267c8e77db287187e594fe917e77 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Tue, 17 Aug 2021 13:15:15 +0100
+Subject: [PATCH 54/55] Add missing CIS references for RHEL 8 rules
+
+---
+ .../services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml | 1 +
+ .../disabling_xwindows/xwindows_remove_packages/rule.yml | 1 +
+ .../root_logins/use_pam_wheel_for_su/rule.yml | 1 +
+ .../root_paths/accounts_root_path_dirs_no_write/rule.yml | 1 +
+ .../accounts-session/root_paths/root_path_no_dot/rule.yml | 1 +
+ .../user_umask/accounts_umask_etc_login_defs/rule.yml | 1 +
+ 6 files changed, 6 insertions(+)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
+index 2ffb01a3983..ee54a53dfd4 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
+@@ -27,6 +27,7 @@ identifiers:
+
+ references:
+ cis@rhel7: 5.3.5
++ cis@rhel8: 5.2.5
+ disa: CCI-000067
+ nerc-cip: CIP-007-3 R7.1
+ nist: AC-17(a),AC-17(1),CM-6(a)
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
+index c548b1e3ea2..935766db26d 100644
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
+@@ -41,6 +41,7 @@ identifiers:
+
+ references:
+ cis@rhel7: 2.2.2
++ cis@rhel8: 2.2.2
+ disa: CCI-000366
+ nist: CM-6(b)
+ srg: SRG-OS-000480-GPOS-00227
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+index 984a8cf333e..616a0aa0052 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+@@ -24,6 +24,7 @@ identifiers:
+
+ references:
+ cis@rhel7: "5.7"
++ cis@rhel8: 5.7
+ cis@sle15: '5.6'
+ cis@ubuntu2004: '5.6'
+ ospp: FMT_SMF_EXT.1.1
+diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
+index 81c30174c71..057701075e5 100644
+--- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
+@@ -23,6 +23,7 @@ identifiers:
+ references:
+ cis-csc: 11,3,9
+ cis@rhel7: 6.2.10
++ cis@rhel8: 6.2.3
+ cis@sle15: 6.2.4
+ cis@ubuntu2004: 6.2.3
+ cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
+diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
+index 748d9d9d188..c94de8fa3e6 100644
+--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
+@@ -26,6 +26,7 @@ identifiers:
+ references:
+ cis-csc: 11,3,9
+ cis@rhel7: 6.2.10
++ cis@rhel8: 6.2.3
+ cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
+ disa: CCI-000366
+ isa-62443-2009: 4.3.4.3.2,4.3.4.3.3
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
+index 46e81737199..51f8e51fa6a 100644
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
+@@ -25,6 +25,7 @@ references:
+ anssi: BP28(R35)
+ cis-csc: 11,18,3,9
+ cis@rhel7: 5.5.5
++ cis@rhel8: 5.5.5
+ cis@ubuntu2004: 5.4.4
+ cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,BAI10.01,BAI10.02,BAI10.03,BAI10.05
+ disa: CCI-000366
+
+From 379910b8185590bed1c620dcb07cbb28ee41ecd7 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Tue, 17 Aug 2021 13:25:45 +0100
+Subject: [PATCH 55/55] Quote reference to avoid it being interpreted as an
+ integer
+
+---
+ .../root_logins/use_pam_wheel_for_su/rule.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+index 616a0aa0052..08677cbb7dc 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+@@ -24,7 +24,7 @@ identifiers:
+
+ references:
+ cis@rhel7: "5.7"
+- cis@rhel8: 5.7
++ cis@rhel8: "5.7"
+ cis@sle15: '5.6'
+ cis@ubuntu2004: '5.6'
+ ospp: FMT_SMF_EXT.1.1
diff --git a/SOURCES/scap-security-guide-0.1.58-split_file_ownership_var_log_audit-PR_7129.patch b/SOURCES/scap-security-guide-0.1.58-split_file_ownership_var_log_audit-PR_7129.patch
new file mode 100644
index 0000000..3b7f835
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-split_file_ownership_var_log_audit-PR_7129.patch
@@ -0,0 +1,699 @@
+From ad2267a48db738fe69bed6cc009d8be7bbc61c87 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Thu, 17 Jun 2021 17:46:26 +0200
+Subject: [PATCH] Add /var/log/audit individual ownership rules.
+
+---
+ .../bash/shared.sh | 12 +++++
+ .../oval/shared.xml | 44 +++++++++++++++++++
+ .../rule.yml | 39 ++++++++++++++++
+ .../tests/correct_value.pass.sh | 5 +++
+ .../correct_value_non-root_group.pass.sh | 8 ++++
+ .../tests/wrong_value.fail.sh | 6 +++
+ .../bash/shared.sh | 3 ++
+ .../oval/shared.xml | 24 ++++++++++
+ .../rule.yml | 37 ++++++++++++++++
+ .../tests/correct_value.pass.sh | 3 ++
+ .../tests/wrong_value.fail.sh | 4 ++
+ .../bash/shared.sh | 12 +++++
+ .../oval/shared.xml | 44 +++++++++++++++++++
+ .../rule.yml | 39 ++++++++++++++++
+ .../tests/correct_value.pass.sh | 5 +++
+ .../correct_value_non-root_group.pass.sh | 8 ++++
+ .../tests/wrong_value.fail.sh | 7 +++
+ .../bash/shared.sh | 3 ++
+ .../oval/shared.xml | 24 ++++++++++
+ .../rule.yml | 36 +++++++++++++++
+ .../tests/correct_value.pass.sh | 3 ++
+ .../tests/wrong_value.fail.sh | 5 +++
+ products/rhel8/profiles/stig.profile | 15 +++++--
+ .../oval/auditd_conf_log_group_not_root.xml | 20 ++++++++-
+ shared/references/cce-redhat-avail.txt | 4 --
+ .../data/profile_stability/rhel8/stig.profile | 5 ++-
+ .../profile_stability/rhel8/stig_gui.profile | 5 ++-
+ 27 files changed, 409 insertions(+), 11 deletions(-)
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/bash/shared.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/oval/shared.xml
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/rule.yml
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value.pass.sh
+ create mode 100644
linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/wrong_value.fail.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/bash/shared.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/oval/shared.xml
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/rule.yml
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/correct_value.pass.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/wrong_value.fail.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/bash/shared.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/oval/shared.xml
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value.pass.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value.fail.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/bash/shared.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/oval/shared.xml
+ create mode 100644
linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/rule.yml
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/correct_value.pass.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/wrong_value.fail.sh
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/bash/shared.sh
+new file mode 100644
+index 00000000000..685aa0cf3f2
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/bash/shared.sh
+@@ -0,0 +1,12 @@
++# platform = multi_platform_all
++
++if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
++ GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
++ if !
[ "${GROUP}" == 'root' ] ; then
++ chgrp ${GROUP} /var/log/audit
++ else
++ chgrp root /var/log/audit
++ fi
++else
++ chgrp root /var/log/audit
++fi
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/oval/shared.xml
+new file mode 100644
+index 00000000000..4d6eee02a30
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/oval/shared.xml
+@@ -0,0 +1,44 @@
++
++
++ {{{ oval_metadata("Checks that all /var/log/audit directories are group owned by the root user.") }}}
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++ /var/log/audit
++
++ state_group_owner_not_root_var_log_audit_directories
++
++
++
++ 0
++
++
++
++
++
++
++
++
++ /var/log/audit
++
++ state_group_owner_not_root_var_log_audit_directories-non_root
++
++
++
++ 0
++
++
++
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/rule.yml
+new file mode 100644
+index 00000000000..3915300c106
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/rule.yml
+@@ -0,0 +1,39 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'System Audit Directories Must Be Group Owned By Root'
++
++description: |-
++ All audit directories must be group owned by root user. By default, the path for audit log is
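Review bot: In directory_group_ownership_var_log_audit/bash/shared.sh the `awk -F "=" '/log_group/ {print $2}'` pattern is unanchored while the guarding grep matches only `^log_group`, so a commented-out `#log_group = ...` line or a second occurrence also lands in GROUP, which is then expanded unquoted as several words in `chgrp ${GROUP} /var/log/audit`; an empty value (`log_group =`) leaves chgrp with only the path as its operand. Anchoring the awk pattern and stopping at the first hit, `GROUP=$(awk -F "=" '/^log_group/ {print $2; exit}' /etc/audit/auditd.conf | tr -d ' ')`, and guarding the non-root branch with `if [ -n "${GROUP}" ] && [ "${GROUP}" != 'root' ]; then chgrp "${GROUP}" /var/log/audit` keeps the remediation on the single directive the check reads and falls back to root otherwise. The same script appears to begin again in file_group_ownership_var_log_audit/bash/shared.sh, whose hunk runs past the end of this view.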
      /var/log/audit/
      .
++ {{{ describe_file_group_owner(file="/var/log/audit", group="root") }}}
++ If log_group in /etc/audit/auditd.conf is set to a group other than the root
++ group account, change the group ownership of the audit directories to this specific group.
++
++rationale: |-
++ Unauthorized disclosure of audit records can reveal system and configuration data to
++ attackers, thus compromising its confidentiality.
++
++severity: medium
++
++identifiers:
++ cce@rhel8: CCE-88225-8
++
++references:
++ cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8
++ cjis: 5.4.1.1
++ cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01
++ cui: 3.3.1
++ disa: CCI-000162,CCI-000163,CCI-000164,CCI-001314
++ isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
++ isa-62443-2013: 'SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 6.1'
++ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
++ nist: CM-6(a),AC-6(1),AU-9(4)
++ nist-csf: DE.AE-3,DE.AE-5,PR.AC-4,PR.DS-5,PR.PT-1,RS.AN-1,RS.AN-4
++ pcidss: Req-10.5.1
++ srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084
++ stigid@rhel8: RHEL-08-030110
++
++ocil: |-
++ {{{ describe_file_group_owner(file="/var/log/audit", group="root") }}}
++
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value.pass.sh
+new file mode 100644
+index 00000000000..4e68a450c3d
+--- /dev/null
++++
b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value.pass.sh
+@@ -0,0 +1,5 @@
++#!/bin/bash
++
++sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf
++echo "log_group = root" >> /etc/audit/auditd.conf
++chgrp root /var/log/audit
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh
+new file mode 100644
+index 00000000000..89995b11954
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh
+@@ -0,0 +1,8 @@
++#!/bin/bash
++
++groupadd group_test
++
++sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf
++echo "log_group = group_test" >> /etc/audit/auditd.conf
++
++chgrp group_test /var/log/audit
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/wrong_value.fail.sh
+new file mode 100644
+index 00000000000..13d22ca8361
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_group_ownership_var_log_audit/tests/wrong_value.fail.sh
+@@ -0,0 +1,6 @@
++#!/bin/bash
++
++sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf
++echo "log_group = root" >> /etc/audit/auditd.conf
++groupadd group_test
++chgrp group_test /var/log/audit
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/bash/shared.sh
+new file mode 100644
+index 00000000000..de63152c410
+--- /dev/null
++++
b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/bash/shared.sh
+@@ -0,0 +1,3 @@
++# platform = multi_platform_all
++
++chown root /var/log/audit
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/oval/shared.xml
+new file mode 100644
+index 00000000000..fad17abe39a
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/oval/shared.xml
+@@ -0,0 +1,24 @@
++
++
++ {{{ oval_metadata("Checks that all /var/log/audit directories are owned by the root user.") }}}
++
++
++
++
++
++
++
++
++
++
++
++
++ /var/log/audit
++
++ state_owner_not_root_var_log_audit_directories
++
++
++
++ 0
++
++
++
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/rule.yml
+new file mode 100644
+index 00000000000..cd6c45e249b
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/rule.yml
+@@ -0,0 +1,37 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'System Audit Directories Must Be Owned By Root'
++
++description: |-
++ All audit directories must be owned by root user. By default, the path for audit log is
      /var/log/audit/
      . ++ {{{ describe_file_owner(file="/var/log/audit", owner="root") }}} ++ ++rationale: |- ++ Unauthorized disclosure of audit records can reveal system and configuration data to ++ attackers, thus compromising its confidentiality. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-88226-6 ++ ++references: ++ cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8 ++ cjis: 5.4.1.1 ++ cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01 ++ cui: 3.3.1 ++ disa: CCI-000162,CCI-000163,CCI-000164,CCI-001314 ++ isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 ++ isa-62443-2013: 'SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 6.1' ++ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 ++ nist: CM-6(a),AC-6(1),AU-9(4) ++ nist-csf: DE.AE-3,DE.AE-5,PR.AC-4,PR.DS-5,PR.PT-1,RS.AN-1,RS.AN-4 ++ pcidss: Req-10.5.1 ++ srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084 ++ stigid@rhel8: RHEL-08-030100 ++ ++ocil: |- ++ {{{ describe_file_owner(file="/var/log/audit", owner="root") }}} ++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/correct_value.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/correct_value.pass.sh +new file mode 100644 +index 00000000000..fa70fdc9494 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/correct_value.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++chown root /var/log/audit +diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/wrong_value.fail.sh
+new file mode 100644
+index 00000000000..f65a1e67241
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_ownership_var_log_audit/tests/wrong_value.fail.sh
+@@ -0,0 +1,4 @@
++#!/bin/bash
++
++useradd testuser_123
++chown testuser_123 /var/log/audit
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/bash/shared.sh
+new file mode 100644
+index 00000000000..3f53de5ba26
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/bash/shared.sh
+@@ -0,0 +1,12 @@
++# platform = multi_platform_all
++
++if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
++ GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
++ if ! 
[ "${GROUP}" == 'root' ] ; then ++ chgrp ${GROUP} /var/log/audit/audit.log* ++ else ++ chgrp root /var/log/audit/audit.log* ++ fi ++else ++ chgrp root /var/log/audit/audit.log* ++fi +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/oval/shared.xml +new file mode 100644 +index 00000000000..af5414a6c9c +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/oval/shared.xml +@@ -0,0 +1,44 @@ ++ ++ ++ {{{ oval_metadata("Checks that all /var/log/audit files are group owned by the root user.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /var/log/audit ++ ^.*$ ++ state_group_owner_not_root_var_log_audit ++ ++ ++ ++ 0 ++ ++ ++ ++ ++ ++ ++ ++ ++ /var/log/audit ++ ^.*$ ++ state_group_owner_not_root_var_log_audit-non_root ++ ++ ++ ++ 0 ++ ++ ++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml +new file mode 100644 +index 00000000000..767c8c89bf7 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/rule.yml +@@ -0,0 +1,39 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'System Audit Logs Must Be Group Owned By Root' ++ ++description: |- ++ All audit logs must be group owned by root user. By default, the path for audit log is
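Review bot: The `GROUP=$(awk -F "=" '/log_group/ {print $2}' ...)` line matches every line that merely contains `log_group`, commented ones included, so an uncommented setting plus a commented example leaves two newline-separated values in the variable and the unquoted `chgrp ${GROUP} /var/log/audit/audit.log*` then targets the wrong name or fails outright. Anchor the awk to the same uncommented form the grep guard requires and stop at the first hit: `GROUP=$(awk -F "=" '/^[[:space:]]*log_group[[:space:]]*=/ {print $2; exit}' /etc/audit/auditd.conf | tr -d ' ')`, and quote the expansion, `chgrp "${GROUP}" /var/log/audit/audit.log*`. Note also that the guard accepts `^log_group` only at column 0, while the OVAL object added later in this patch to shared/checks/oval/auditd_conf_log_group_not_root.xml tolerates leading spaces, so check and remediation disagree on an indented setting. The hunk begins on the previous line.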
      /var/log/audit/
      . ++ {{{ describe_file_group_owner(file="/var/log/audit/*", group="root") }}} ++ If log_group in /etc/audit/auditd.conf is set to a group other than the root ++ group account, change the group ownership of the audit logs to this specific group. ++ ++rationale: |- ++ Unauthorized disclosure of audit records can reveal system and configuration data to ++ attackers, thus compromising its confidentiality. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-88227-4 ++ ++references: ++ cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8 ++ cjis: 5.4.1.1 ++ cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01 ++ cui: 3.3.1 ++ disa: CCI-000162,CCI-000163,CCI-000164,CCI-001314 ++ isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 ++ isa-62443-2013: 'SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 6.1' ++ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 ++ nist: CM-6(a),AC-6(1),AU-9(4) ++ nist-csf: DE.AE-3,DE.AE-5,PR.AC-4,PR.DS-5,PR.PT-1,RS.AN-1,RS.AN-4 ++ pcidss: Req-10.5.1 ++ srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084 ++ stigid@rhel8: RHEL-08-030090 ++ ++ocil: |- ++ {{{ describe_file_group_owner(file="/var/log/audit/*", group="root") }}} ++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value.pass.sh +new file mode 100644 +index 00000000000..e4e69bff538 +--- /dev/null ++++ 
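Review bot: The `ocil` block tells the assessor to verify the logs are group-owned by `root`, while the description a few lines up says a non-root `log_group` is acceptable and the bash remediation in this patch applies that group, so the manual check contradicts the automated one whenever `log_group` is set to another group. Add the exception after the macro, e.g. `If log_group in /etc/audit/auditd.conf is set to a group other than root, the audit logs should be group-owned by that group instead.` The description's `group owned by root user` (and the `oval_metadata` text `group owned by the root user` in the shared.xml hunk above) should read `root group`, since the check is about group ownership.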
b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value.pass.sh
+@@ -0,0 +1,5 @@
++#!/bin/bash
++
++sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf
++echo "log_group = root" >> /etc/audit/auditd.conf
++chgrp root /var/log/audit/audit.log*
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh
+new file mode 100644
+index 00000000000..89995b11954
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh
+@@ -0,0 +1,8 @@
++#!/bin/bash
++
++groupadd group_test
++
++sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf
++echo "log_group = group_test" >> /etc/audit/auditd.conf
++
++chgrp group_test /var/log/audit
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value.fail.sh
+new file mode 100644
+index 00000000000..37c0f070ae1
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++
++sed -i "/\s*log_group.*/d" /etc/audit/auditd.conf
++echo "log_group = root" >> /etc/audit/auditd.conf
++touch /var/log/audit/audit.log.1
++groupadd group_test
++chgrp group_test /var/log/audit/audit.log.1
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/bash/shared.sh
+new file mode 100644
+index 00000000000..ee2364a4a69
+--- /dev/null
++++ 
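Review bot: `correct_value_non-root_group.pass.sh` in this hunk is the directory rule's test reused unchanged (same blob `89995b11954`), and its last line `chgrp group_test /var/log/audit` changes the directory's group while the log files this rule checks keep whatever group they had, so the rule's own pass case for a non-root `log_group` is never actually set up. The last line should be `chgrp group_test /var/log/audit/audit.log*`, matching the sibling `correct_value.pass.sh`, and a preceding `touch /var/log/audit/audit.log.1` would keep the glob from expanding to nothing on a fresh test system, as `wrong_value.fail.sh` already does.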
b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/bash/shared.sh +@@ -0,0 +1,3 @@ ++# platform = multi_platform_all ++ ++chown root /var/log/audit/audit.log* +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/oval/shared.xml +new file mode 100644 +index 00000000000..c20353b5926 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/oval/shared.xml +@@ -0,0 +1,24 @@ ++ ++ ++ {{{ oval_metadata("Checks that all /var/log/audit files are owned by the root user.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /var/log/audit ++ ^.*$ ++ state_group_user_owner_not_root_var_log_audit ++ ++ ++ ++ 0 ++ ++ ++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/rule.yml +new file mode 100644 +index 00000000000..7f895759486 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/rule.yml +@@ -0,0 +1,36 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'System Audit Logs Must Be Owned By Root' ++ ++description: |- ++ All audit logs must be owned by root user. By default, the path for audit log is
      /var/log/audit/
      . ++ {{{ describe_file_owner(file="/var/log/audit/*", owner="root") }}} ++ ++rationale: |- ++ Unauthorized disclosure of audit records can reveal system and configuration data to ++ attackers, thus compromising its confidentiality. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-88228-2 ++ ++references: ++ cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8 ++ cjis: 5.4.1.1 ++ cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01 ++ cui: 3.3.1 ++ disa: CCI-000162,CCI-000163,CCI-000164,CCI-001314 ++ isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 ++ isa-62443-2013: 'SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 6.1' ++ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 ++ nist: CM-6(a),AC-6(1),AU-9(4) ++ nist-csf: DE.AE-3,DE.AE-5,PR.AC-4,PR.DS-5,PR.PT-1,RS.AN-1,RS.AN-4 ++ pcidss: Req-10.5.1 ++ srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084 ++ stigid@rhel8: RHEL-08-030080 ++ ++ocil: |- ++ {{{ describe_file_owner(file="/var/log/audit/*", owner="root") }}} +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/correct_value.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/correct_value.pass.sh +new file mode 100644 +index 00000000000..eed3164eb31 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/correct_value.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++chown root /var/log/audit/audit.log* +diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/wrong_value.fail.sh +new file mode 100644 +index 00000000000..32a678562cf +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit_stig/tests/wrong_value.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++touch /var/log/audit/audit.log.1 ++useradd testuser_123 ++chown testuser_123 /var/log/audit/audit.log.1 +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 7270a8f91f2..7d2d386604e 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -625,10 +625,17 @@ selections: + # RHEL-08-030070 + - file_permissions_var_log_audit + +- # RHEL-08-030080, RHEL-08-030090, RHEL-08-030100, RHEL-08-030110 +- ### NOTE: These might get broken up, but currently the following +- ### rule accounts for these STIG ID's +- - file_ownership_var_log_audit ++ # RHEL-08-030080 ++ - file_ownership_var_log_audit_stig ++ ++ # RHEL-08-030090 ++ - file_group_ownership_var_log_audit ++ ++ # RHEL-08-030100 ++ - directory_ownership_var_log_audit ++ ++ # RHEL-08-030110 ++ - directory_group_ownership_var_log_audit + + # RHEL-08-030120 + - directory_permissions_var_log_audit +diff --git a/shared/checks/oval/auditd_conf_log_group_not_root.xml b/shared/checks/oval/auditd_conf_log_group_not_root.xml +index 93e47d119ef..2871052796e 100644 +--- a/shared/checks/oval/auditd_conf_log_group_not_root.xml ++++ b/shared/checks/oval/auditd_conf_log_group_not_root.xml +@@ -8,9 +8,11 @@ + Verify 'log_group' is not set to 'root' in + /etc/audit/auditd.conf. + +- ++ + ++ + +
      + +@@ -26,4 +28,20 @@ + 1 + + ++ ++ ++ ++ ++ ++ ++ /etc/audit/auditd.conf ++ ^[ ]*log_group[ ]+=.*$ ++ 1 ++ ++ +
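Review bot: The new object's pattern `^[ ]*log_group[ ]+=.*$` allows only spaces around the keyword, so a `log_group` line indented or separated with tabs is never collected and the test's outcome is then decided by its existence check rather than by the configured value; as far as I recall auditd's own parser splits on both spaces and tabs. Use `^[ \t]*log_group[ \t]+=.*$` (or `[[:space:]]`) so a tab-formatted line is seen. Most of the XML markup is stripped in this rendering, so I cannot confirm the state and existence check that accompany the object.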
      +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 665f903ead4..b77e9abeb0b 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -2355,10 +2355,6 @@ CCE-88221-7 + CCE-88222-5 + CCE-88223-3 + CCE-88224-1 +-CCE-88225-8 +-CCE-88226-6 +-CCE-88227-4 +-CCE-88228-2 + CCE-88229-0 + CCE-88230-8 + CCE-88231-6 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 7d59cfff625..6c97a5a8ca3 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -103,6 +103,8 @@ selections: + - dir_group_ownership_library_dirs + - dir_perms_world_writable_root_owned + - dir_perms_world_writable_sticky_bits ++- directory_group_ownership_var_log_audit ++- directory_ownership_var_log_audit + - directory_permissions_var_log_audit + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot +@@ -113,6 +115,7 @@ selections: + - encrypt_partitions + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_local_packages ++- file_group_ownership_var_log_audit + - file_groupowner_var_log + - file_groupowner_var_log_messages + - file_groupownership_home_directories +@@ -121,7 +124,7 @@ selections: + - file_owner_var_log_messages + - file_ownership_binary_dirs + - file_ownership_library_dirs +-- file_ownership_var_log_audit ++- file_ownership_var_log_audit_stig + - file_permission_user_init_files + - file_permissions_binary_dirs + - file_permissions_etc_audit_auditd +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index 2c2daad6f6d..d026a40a02b 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -114,6 +114,8 @@ selections: + - dir_group_ownership_library_dirs + - dir_perms_world_writable_root_owned + - 
dir_perms_world_writable_sticky_bits ++- directory_group_ownership_var_log_audit ++- directory_ownership_var_log_audit + - directory_permissions_var_log_audit + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot +@@ -124,6 +126,7 @@ selections: + - encrypt_partitions + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_local_packages ++- file_group_ownership_var_log_audit + - file_groupowner_var_log + - file_groupowner_var_log_messages + - file_groupownership_home_directories +@@ -132,7 +135,7 @@ selections: + - file_owner_var_log_messages + - file_ownership_binary_dirs + - file_ownership_library_dirs +-- file_ownership_var_log_audit ++- file_ownership_var_log_audit_stig + - file_permission_user_init_files + - file_permissions_binary_dirs + - file_permissions_etc_audit_auditd diff --git a/SOURCES/scap-security-guide-0.1.58-sshd_directory_config-PR_6926.patch b/SOURCES/scap-security-guide-0.1.58-sshd_directory_config-PR_6926.patch new file mode 100644 index 0000000..a131424 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-sshd_directory_config-PR_6926.patch 
@@ -0,0 +1,664 @@ +From b951a896d3ef1e678e5d6b580521053e7a076ab0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 29 Apr 2021 16:54:03 +0200 +Subject: [PATCH 1/6] Updated checks and remediations of the sshd template. + +Configuration of sshd moves from one config file to a config directory. +Therefore, checks should consider all those files, and the remediation should aim +to deliver fixes to one of those files in the config directory. + +Tests that interact with this behavior have been added and are applicable for Fedora and RHEL9 products. +--- + .../tests/commented.fail.sh | 7 ++ + .../tests/conflict.fail.sh | 15 ++++ + .../tests/correct_value_directory.pass.sh | 14 ++++ + shared/macros-bash.jinja | 9 +++ + shared/macros-oval.jinja | 61 +++++++++++------ + .../templates/sshd_lineinfile/bash.template | 22 ++++++ + .../templates/sshd_lineinfile/oval.template | 68 +++++++++++++++++-- + 7 files changed, 168 insertions(+), 28 deletions(-) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh +new file mode 100644 +index 00000000000..484c2165532 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config; then ++ sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config ++else ++ echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config ++fi +diff --git 
a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
+new file mode 100644
+index 00000000000..177a99e0b82
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
+@@ -0,0 +1,15 @@
++#!/bin/bash
++
++# platform = Fedora,Red Hat Enterprise Linux 9
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++ sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++else
++ echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
++fi
++
++echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config
++echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
+new file mode 100644
+index 00000000000..0aa2e775dbe
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
+@@ -0,0 +1,14 @@
++#!/bin/bash
++
++# platform = Fedora,Red Hat Enterprise Linux 9
++
++mkdir -p /etc/ssh/sshd_config.d
++touch /etc/ssh/sshd_config.d/nothing
++
++if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
++ sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
++else
++ echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
++fi
++
++echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct
+diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
+index 1cd2c62b5e0..b4518d83c19 100644
+--- a/shared/macros-bash.jinja
++++ b/shared/macros-bash.jinja
+@@ 
-471,6 +471,15 @@ fi + LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ path }}}" + {{%- endmacro -%}} + ++{{%- macro lineinfile_absent_in_directory(dirname, regex, insensitive=true) -%}} ++ {{%- if insensitive -%}} ++ {{%- set modifier="Id" -%}} ++ {{%- else -%}} ++ {{%- set modifier="d" -%}} ++ {{%- endif -%}} ++LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ dirname }}}"/* ++{{%- endmacro -%}} ++ + {{%- macro lineinfile_present(path, line, insert_after="", insert_before="", insensitive=true) -%}} + {{%- if insensitive -%}} + {{%- set grep_args="-q -m 1 -i" -%}} +diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja +index be2ac268206..d38db96d9e3 100644 +--- a/shared/macros-oval.jinja ++++ b/shared/macros-oval.jinja +@@ -92,15 +92,18 @@ + - parameter (String): The parameter to be checked in the configuration file. + - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). + #}} +-{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false) -%}} ++{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem=rule_id) -%}} + {{%- set suffix_id = "" -%}} + {{%- set prefix_text = "Check the" -%}} + {{%- if missing_parameter_pass %}} + {{%- set suffix_id = suffix_id_default_not_overriden -%}} + {{%- set prefix_text = prefix_text + " absence of" -%}} + {{%- endif %}} +- ++{{%- if not comment -%}} ++{{%- set comment = prefix_text ~ " " ~ parameter ~ " in " ~ path -%}} ++{{%- endif -%}} ++ + {{%- endmacro %}} + + {{# +@@ -110,7 +113,7 @@ + - parameter (String): The parameter to be checked in the configuration file. + - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). 
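Review bot: `LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ dirname }}}"/*` hands sed a literal `*` when the directory is empty and a directory entry when a subdirectory exists, and `sed -i` aborts on both, which is presumably why the new tests `touch /etc/ssh/sshd_config.d/nothing` and why bash.template touches its target file before calling this macro. Iterate over regular files instead: `for f in "{{{ dirname }}}"/*; do [ -f "$f" ] || continue; LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "$f"; done`. The hunk begins on the previous line.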
+ #}} +-{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false) -%}} ++{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem=rule_id) -%}} + {{%- set suffix_id = "" -%}} + {{%- if missing_parameter_pass %}} + {{%- set check_existence = "none_exist" -%}} +@@ -120,14 +123,14 @@ + {{%- set check_existence = "all_exist" -%}} + {{%- set prefix_text = "value" -%}} + {{%- endif %}} +- +- ++ id="test_{{{ id_stem }}}{{{ suffix_id }}}" version="1"> ++ + {{%- if not missing_parameter_pass %}} +- ++ + {{%- endif %}} +- ++ + {{%- endmacro %}} + + {{# +@@ -141,7 +144,7 @@ + - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). + - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. + #}} +-{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='') -%}} ++{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem=rule_id) -%}} + {{%- set suffix_id = "" -%}} + {{%- if multi_value -%}} + {{%- set group_regex = "([^#]*).*$" -%}} +@@ -173,16 +176,16 @@ + {{%- set regex = prefix_regex+parameter+separator_regex+group_regex -%}} + {{%- endif %}} + {{%- endif %}} +- ++ + {{%- if filepath_regex %}} +- {{{ path }}} +- {{{ filepath_regex }}} ++ {{{ path }}} ++ {{{ filepath_regex }}} + {{%- else %}} +- {{{ path }}} ++ {{{ path }}} + {{%- endif %}} +- {{{ regex }}} +- 1 +- ++ {{{ regex }}} ++ 1 ++ + {{%- endmacro %}} + + {{# +@@ -193,7 +196,7 @@ + - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. 
Specify one or more quote types as a string. + For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be. + #}} +-{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='') -%}} ++{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem=rule_id) -%}} + {{%- set regex = value -%}} + {{%- if quotes != "" %}} + {{%- if "\\1" in value > 0 %}} +@@ -206,9 +209,25 @@ + {{%- else %}} + {{%- set regex = "^"+regex+"$" -%}} + {{%- endif %}} +- +- {{{ regex }}} +- ++ ++ {{{ regex }}} ++ ++{{%- endmacro %}} ++ ++{{%- macro oval_line_in_directory_criterion(path='', parameter='', missing_parameter_pass=false) -%}} ++{{{- oval_line_in_file_criterion(path, parameter, missing_parameter_pass, id_stem=rule_id ~ "_config_dir") -}}} ++{{%- endmacro %}} ++ ++{{%- macro oval_line_in_directory_test(path='', parameter='', missing_parameter_pass=false) -%}} ++{{{ oval_line_in_file_test(path, parameter, missing_parameter_pass, id_stem=rule_id ~ "_config_dir") }}} ++{{%- endmacro %}} ++ ++{{%- macro oval_line_in_directory_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false) -%}} ++{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*", id_stem=rule_id ~ "_config_dir") -}}} ++{{%- endmacro %}} ++ ++{{%- macro oval_line_in_directory_state(value='', multi_value='', quotes='') -%}} ++{{{- oval_line_in_file_state(value, multi_value, quotes, id_stem=rule_id ~ "_config_dir") -}}} + {{%- endmacro %}} + + {{# +diff --git a/shared/templates/sshd_lineinfile/bash.template b/shared/templates/sshd_lineinfile/bash.template +index ca1b512bb3d..eac758e310b 100644 +--- a/shared/templates/sshd_lineinfile/bash.template 
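Review bot: `oval_line_in_directory_object` hard-codes `filepath_regex=".*"`, so every file in the config directory is treated as sshd configuration, whereas sshd reads only what its Include directive names, which on Fedora's stock sshd_config is `Include /etc/ssh/sshd_config.d/*.conf`; the bash.template hunk below writes its setting to `/etc/ssh/sshd_config.d/hardening`, without that suffix, so if that Include glob is in effect the OVAL would accept a remediation that sshd never loads. Restrict the object to names ending in `.conf`, e.g. `filepath_regex="^.*\.conf$"`, and name the remediation file `hardening.conf` (the new test files `good_config`, `rogue_config` and `correct` would then need the suffix as well). Separately, `oval_line_in_directory_test` wraps its call in `{{{ ... }}}` while its three siblings use `{{{- ... -}}}`, so it alone emits surrounding whitespace.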
++++ b/shared/templates/sshd_lineinfile/bash.template +@@ -3,4 +3,26 @@ + # strategy = restrict + # complexity = low + # disruption = low ++{{%- if product in ("fedora", "rhel9") %}} ++{{%- set prefix_regex = "^\s*" -%}} ++{{%- set separator_regex = "\s\+" -%}} ++{{%- set line_regex = prefix_regex ~ PARAMETER ~ separator_regex %}} ++mkdir -p /etc/ssh/sshd_config.d ++touch /etc/ssh/sshd_config.d/hardening ++{{{ lineinfile_absent("/etc/ssh/sshd_config", line_regex, insensitive=true) }}} ++{{{ lineinfile_absent_in_directory("/etc/ssh/sshd_config.d", line_regex, insensitive=true) }}} ++{{{ set_config_file( ++ path="/etc/ssh/sshd_config.d/hardening", ++ parameter=PARAMETER, ++ value=VALUE, ++ create=true, ++ insert_after="", ++ insert_before="^Match", ++ insensitive=true, ++ separator=" ", ++ separator_regex=separator_regex, ++ prefix_regex=prefix_regex) ++ }}} ++{{%- else %}} + {{{ bash_sshd_config_set(parameter=PARAMETER, value=VALUE) }}} ++{{%- endif %}} +diff --git a/shared/templates/sshd_lineinfile/oval.template b/shared/templates/sshd_lineinfile/oval.template +index df63d542505..2cc38776eb2 100644 +--- a/shared/templates/sshd_lineinfile/oval.template ++++ b/shared/templates/sshd_lineinfile/oval.template +@@ -1,7 +1,61 @@ +-{{{ +-oval_sshd_config( +- parameter=PARAMETER, +- value=VALUE, +- missing_parameter_pass=MISSING_PARAMETER_PASS +-) +-}}} ++{{%- set config_path = "/etc/ssh/sshd_config" %}} ++{{%- set config_dir = "/etc/ssh/sshd_config.d" -%}} ++{{%- set products_with_distributed_configuration = ("rhel9", "fedora") -%}} ++{{%- set description = "Ensure '" ~ PARAMETER ~ "' is configured with value '" ~ VALUE ~ "' in " ~ config_path %}} ++{{%- if product in products_with_distributed_configuration %}} ++{{%- set description = description ~ " and in " ~ config_dir -%}} ++{{%- endif %}} ++{{%- set case_insensitivity_kwargs = dict(prefix_regex="^[ \\t]*(?i)", separator_regex = "(?-i)[ \\t]+") -%}} ++ ++ ++ ++ {{{ oval_metadata(description) }}} ++ ++ ++ ++ ++ ++ ++ 
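Review bot: `{{%- if product in ("fedora", "rhel9") %}}` repeats the product list that oval.template defines as `products_with_distributed_configuration = ("rhel9", "fedora")`, and the two will drift apart the next time a product gains a config directory; define the tuple once in a shared jinja file and reference it from both templates. The `mkdir -p /etc/ssh/sshd_config.d` and `touch /etc/ssh/sshd_config.d/hardening` lines exist so that `lineinfile_absent_in_directory` has a regular file to glob, and a comment saying so, e.g. `# the directory must hold a regular file before lineinfile_absent_in_directory globs it`, would spare the next reader the inference.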
++ ++ ++ {{{- oval_line_in_file_criterion(config_path, PARAMETER) | indent(8) }}} ++ {{%- if MISSING_PARAMETER_PASS %}} ++ ++ {{{- oval_line_in_file_criterion(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(10)}}} ++ {{%- if product in products_with_distributed_configuration %}} ++ {{{- oval_line_in_directory_criterion(config_dir, PARAMETER, MISSING_PARAMETER_PASS) | indent(10) }}} ++ {{%- endif %}} ++ ++ {{%- endif %}} ++ {{%- if product in products_with_distributed_configuration %}} ++ {{{- oval_line_in_directory_criterion(config_dir, PARAMETER) | indent(8) }}} ++ {{%- endif %}} ++ ++ ++ ++ ++ {{{ oval_line_in_file_test(config_path, PARAMETER) | indent (2) }}} ++ {{{ oval_line_in_file_object(config_path, parameter=PARAMETER, ** case_insensitivity_kwargs)| indent (2) }}} ++ {{{ oval_line_in_file_state(VALUE) | indent (2) }}} ++ ++ {{%- if MISSING_PARAMETER_PASS %}} ++ {{{ oval_line_in_file_test(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(2) }}} ++ {{{ oval_line_in_file_object(config_path, parameter=PARAMETER, missing_parameter_pass=MISSING_PARAMETER_PASS, ** case_insensitivity_kwargs) | indent(2) }}} ++ {{%- endif %}} ++ ++ {{%- if product in products_with_distributed_configuration %}} ++ {{{ oval_line_in_directory_test(config_dir, PARAMETER) | indent (2) }}} ++ {{{ oval_line_in_directory_object(config_dir, parameter=PARAMETER, ** case_insensitivity_kwargs) | indent (2) }}} ++ {{{ oval_line_in_directory_state(VALUE) | indent (2) }}} ++ ++ {{%- if MISSING_PARAMETER_PASS %}} ++ {{{ oval_line_in_directory_test(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(2) }}} ++ {{{ oval_line_in_directory_object(config_path, parameter=PARAMETER, missing_parameter_pass=MISSING_PARAMETER_PASS, ** case_insensitivity_kwargs) | indent(2) }}} ++ {{%- endif %}} ++ {{%- endif %}} ++ + +From b0f86c11fa0fb45b32b53833b5d3565c7eb73cfe Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 30 Apr 2021 11:52:22 +0200 +Subject: [PATCH 
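Review bot: In the `MISSING_PARAMETER_PASS` branch for the config directory, `oval_line_in_directory_test(config_path, PARAMETER, MISSING_PARAMETER_PASS)` and `oval_line_in_directory_object(config_path, ...)` pass `config_path` (/etc/ssh/sshd_config) where the corresponding criterion above passes `config_dir`. The ids still line up because both come from the `_config_dir` stem, but the object then searches for files matching `.*` under a path that is a regular file, collects nothing, and its `none_exist` test (set in the macros-oval hunk) passes unconditionally, so a conflicting setting dropped into sshd_config.d goes unnoticed whenever the default is acceptable. Change both calls to `config_dir`: `{{{ oval_line_in_directory_test(config_dir, PARAMETER, MISSING_PARAMETER_PASS) | indent(2) }}}` and `{{{ oval_line_in_directory_object(config_dir, parameter=PARAMETER, missing_parameter_pass=MISSING_PARAMETER_PASS, ** case_insensitivity_kwargs) | indent(2) }}}`. The hunk begins on the previous line.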
2/6] Improved the lineinfile template. + +It now escapes the text contents if parts of them could be incorrectly interpreted as regexes. +--- + shared/macros-bash.jinja | 2 +- + shared/templates/lineinfile/oval.template | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index b4518d83c19..d654a0e0e89 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -445,7 +445,7 @@ printf '%s\n' "{{{ message | replace('"', '\\"') }}}" >&2 + # prefix_regex: regular expression describing allowed leading characters at each line + #}} + {{%- macro set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") -%}} +- {{%- set line_regex = prefix_regex+parameter+separator_regex -%}} ++ {{%- set line_regex = prefix_regex + ((parameter | escape_regex) | replace("/", "\/")) + separator_regex -%}} + {{%- set new_line = parameter+separator+value -%}} + if [ -e "{{{ path }}}" ] ; then + {{{ lineinfile_absent(path, line_regex, insensitive) | indent(4) }}} +diff --git a/shared/templates/lineinfile/oval.template b/shared/templates/lineinfile/oval.template +index a38856d9177..644327b7d6e 100644 +--- a/shared/templates/lineinfile/oval.template ++++ b/shared/templates/lineinfile/oval.template +@@ -1,4 +1,4 @@ +-{{%- set regex = "^[\s]*" + TEXT + "[\s]*$" -%}} ++{{%- set regex = "^[\s]*" ~ (TEXT | escape_regex) ~ "[\s]*$" -%}} + + + {{{ oval_metadata("Check presence of " + TEXT + " in " + PATH) }}} + +From 6953f74d1ab168e7ccc3f28877621edff317fef2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 30 Apr 2021 11:54:12 +0200 +Subject: [PATCH 3/6] Introduced the sshd_use_directory_configuration rule. + +The rule makes sure that the sshd configuration is distributed in the +/etc/ssh/sshd_config.d/ directory, and therefore it makes sense to scan that directory +in another rules. 
+---
+ .../bash/shared.sh | 15 ++++++++++
+ .../oval/shared.xml | 29 +++++++++++++++++++
+ .../sshd_use_directory_configuration/rule.yml | 26 +++++++++++++++++
+ .../tests/match.fail.sh | 4 +++
+ .../tests/simple.fail.sh | 3 ++
+ .../tests/simple.pass.sh | 4 +++
+ shared/references/cce-redhat-avail.txt | 1 -
+ shared/templates/extra_ovals.yml | 6 ++++
+ 8 files changed, 87 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
+new file mode 100644
+index 00000000000..2ff58ec373c
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
+@@ -0,0 +1,15 @@
++# platform = multi_platform_all
++
++{{% set target_file = "/etc/ssh/sshd_config.d/sshd_config_original.conf" -%}}
++if test -f {{{ target_file}}}; then
++ {{{ die("Remediation probably already happened, '" ~ target_file ~ "' already exists, not doing anything.", action="false") }}}
++else
++ mkdir -p /etc/ssh/sshd_config.d
++ mv /etc/ssh/sshd_config {{{ target_file }}}
++cat > /etc/ssh/sshd_config << EOF
++# To modify the system-wide sshd configuration, create a *.conf file under
++# /etc/ssh/sshd_config.d/ which will be automatically included below
++
++Include /etc/ssh/sshd_config.d/*.conf ++EOF ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml +new file mode 100644 +index 00000000000..0ffb429adff +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml +@@ -0,0 +1,29 @@ ++{{%- set config_path = "/etc/ssh/sshd_config" %}} ++ ++ ++ ++ {{{ oval_metadata("foo") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{{- oval_line_in_file_criterion(config_path, "match", missing_parameter_pass=true) | indent(8) }}} ++ ++ ++ ++ ++ {{{ oval_line_in_file_test(config_path, "match", missing_parameter_pass=true) | indent (2) }}} ++ {{{ oval_line_in_file_object(config_path, parameter="match", missing_parameter_pass=true, prefix_regex="^[ \\t]*(?i)", separator_regex="(?-i)\s+\S+") | indent (2) }}} ++ ++ +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml +new file mode 100644 +index 00000000000..8c370036e61 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml +@@ -0,0 +1,26 @@ ++documentation_complete: true ++ ++prodtype: fedora,rhel9 ++ ++title: 'Distribute the SSH Server configuration to multiple files in a config directory.' ++ ++description: |- ++ Make sure to have the Include /etc/ssh/sshd_config.d/*.conf line in the /etc/ssh/sshd_config file. ++ Ideally, don't have any active configuration directives in that file, and distribute the service configuration ++ to several files in the /etc/ssh/sshd_config.d directory. ++ ++rationale: |- ++ This form of distributed configuration is considered as a good practice, and as other sshd rules assume that directives in files in the /etc/ssh/sshd_config.d config directory are effective, there has to be a rule that ensures this. 
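Review bot: The definition's metadata is left as the placeholder `{{{ oval_metadata("foo") }}}`, so the generated check carries "foo" as its description in the datastream and in the rendered guide. Going by the single criterion `oval_line_in_file_criterion(config_path, "match", missing_parameter_pass=true)` and the object's `prefix_regex="^[ \\t]*(?i)"`, the definition appears to test that /etc/ssh/sshd_config contains no Match directive, so something like `{{{ oval_metadata("Check that " + config_path + " contains no Match directive, so that directives in the included configuration files stay effective.") }}}` would describe it. Please confirm the wording against the criteria element structure, which is not legible in this hunk.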
++ Aside from that, having multiple configuration files makes the SSH Server configuration changes easier to partition according to the reason that they were introduced, and therefore it should help to perform merges of hardening updates. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel9: CCE-87681-3 ++ ++ocil_clause: "you don't include other configuration files from the main configuration file" ++ ++ocil: |- ++ To determine whether the SSH server includes configuration files from the right directory, run the following command: ++
      $ sudo grep -i '^Include' /etc/ssh/sshd_config
      ++ If a line Include /etc/ssh/sshd_config.d/*.conf is returned, then the configuration file inclusion is set correctly. +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh +new file mode 100644 +index 00000000000..fa2ee0654f2 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh +@@ -0,0 +1,4 @@ ++# platform = multi_platform_all ++ ++echo "Match something" >> /etc/ssh/sshd_config ++echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh +new file mode 100644 +index 00000000000..a6013ad7cfa +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh +@@ -0,0 +1,3 @@ ++# platform = multi_platform_all ++ ++echo "include /etc/ssh/sshd_config.d/.*" > /etc/ssh/sshd_config +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh +new file mode 100644 +index 00000000000..7a26f521415 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh +@@ -0,0 +1,4 @@ ++# platform = multi_platform_all ++ ++# Handling of case-insensitivity of include is tricky ++echo "Include /etc/ssh/sshd_config.d/*.conf" > /etc/ssh/sshd_config +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 73d025484e6..40a2b9b5868 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -1780,7 +1780,6 @@ CCE-87677-1 + CCE-87678-9 + CCE-87679-7 + 
CCE-87680-5 +-CCE-87681-3 + CCE-87682-1 + CCE-87683-9 + CCE-87684-7 +diff --git a/shared/templates/extra_ovals.yml b/shared/templates/extra_ovals.yml +index 095d911ee1c..69062ebe541 100644 +--- a/shared/templates/extra_ovals.yml ++++ b/shared/templates/extra_ovals.yml +@@ -57,3 +57,9 @@ service_syslog_disabled: + vars: + servicename: syslog + packagename: rsyslog ++ ++sshd_includes_config_files: ++ name: lineinfile ++ vars: ++ path: /etc/ssh/sshd_config ++ text: "Include /etc/ssh/sshd_config.d/*.conf" + +From d7fcab7ad66e77bb7ccba507e3f024bc892c3864 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Tue, 11 May 2021 16:06:29 +0200 +Subject: [PATCH 4/6] Improved error reporting related to macros. + +--- + ssg/jinja.py | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/ssg/jinja.py b/ssg/jinja.py +index a46246ad0fb..28edd9a6dcd 100644 +--- a/ssg/jinja.py ++++ b/ssg/jinja.py +@@ -153,16 +153,20 @@ def load_macros(substitutions_dict=None): + + add_python_functions(substitutions_dict) + try: +- update_substitutions_dict(JINJA_MACROS_BASE_DEFINITIONS, substitutions_dict) +- update_substitutions_dict(JINJA_MACROS_HIGHLEVEL_DEFINITIONS, substitutions_dict) +- update_substitutions_dict(JINJA_MACROS_ANSIBLE_DEFINITIONS, substitutions_dict) +- update_substitutions_dict(JINJA_MACROS_BASH_DEFINITIONS, substitutions_dict) +- update_substitutions_dict(JINJA_MACROS_OVAL_DEFINITIONS, substitutions_dict) +- update_substitutions_dict(JINJA_MACROS_IGNITION_DEFINITIONS, substitutions_dict) +- update_substitutions_dict(JINJA_MACROS_KUBERNETES_DEFINITIONS, substitutions_dict) ++ filenames = [ ++ JINJA_MACROS_BASE_DEFINITIONS, ++ JINJA_MACROS_HIGHLEVEL_DEFINITIONS, ++ JINJA_MACROS_ANSIBLE_DEFINITIONS, ++ JINJA_MACROS_BASH_DEFINITIONS, ++ JINJA_MACROS_OVAL_DEFINITIONS, ++ JINJA_MACROS_IGNITION_DEFINITIONS, ++ JINJA_MACROS_KUBERNETES_DEFINITIONS, ++ ] ++ for filename in filenames: ++ update_substitutions_dict(filename, 
substitutions_dict) + except Exception as exc: +- msg = ("Error extracting macro definitions: {0}" +- .format(str(exc))) ++ msg = ("Error extracting macro definitions from '{1}': {0}" ++ .format(str(exc), filename)) + raise RuntimeError(msg) + + return substitutions_dict + +From df45c3fa295a2dc5a23cc347657964df6453cbae Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Tue, 11 May 2021 16:44:50 +0200 +Subject: [PATCH 5/6] Removed devault values that are variables from Jinja + +Support in older jinja2 packages is not in a good shape. +--- + shared/macros-oval.jinja | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja +index d38db96d9e3..87e0fd7d87d 100644 +--- a/shared/macros-oval.jinja ++++ b/shared/macros-oval.jinja +@@ -92,7 +92,8 @@ + - parameter (String): The parameter to be checked in the configuration file. + - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). + #}} +-{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem=rule_id) -%}} ++{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem='') -%}} ++{{%- set id_stem = id_stem or rule_id -%}} + {{%- set suffix_id = "" -%}} + {{%- set prefix_text = "Check the" -%}} + {{%- if missing_parameter_pass %}} +@@ -113,7 +114,8 @@ + - parameter (String): The parameter to be checked in the configuration file. + - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). 
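Review bot: In the new error message the positional indices run against the argument order, `"... from '{1}': {0}".format(str(exc), filename)`, which reads awkwardly and is easy to break when the message is edited; `msg = "Error extracting macro definitions from '{0}': {1}".format(filename, exc)` says the same thing in order. The handler also depends on the `for` loop variable `filename` surviving the raised exception, which is correct in Python but merits a short comment such as `# filename is the definitions file whose load raised`. The load_macros function starts before the hunk.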
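Review bot: The parameter list in the macro header comment (`- path`, `- parameter`, `- missing_parameter_pass`) still does not describe `id_stem`, whose default changes here from `rule_id` to `''` with the fallback now applied by the new `set` line; the same gap exists in the three following hunks for oval_line_in_file_test, oval_line_in_file_object and oval_line_in_file_state. Add `- id_stem (String): stem for the generated OVAL ids; when empty, rule_id is used.` to each macro's parameter list so readers know that an explicit empty string is treated as unset.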
+ #}} +-{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem=rule_id) -%}} ++{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem='') -%}} ++{{%- set id_stem = id_stem or rule_id -%}} + {{%- set suffix_id = "" -%}} + {{%- if missing_parameter_pass %}} + {{%- set check_existence = "none_exist" -%}} +@@ -144,7 +146,8 @@ + - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). + - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. + #}} +-{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem=rule_id) -%}} ++{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem='') -%}} ++{{%- set id_stem = id_stem or rule_id -%}} + {{%- set suffix_id = "" -%}} + {{%- if multi_value -%}} + {{%- set group_regex = "([^#]*).*$" -%}} +@@ -196,7 +199,8 @@ + - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string. + For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be. 
+ #}} +-{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem=rule_id) -%}} ++{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem='') -%}} ++{{%- set id_stem = id_stem or rule_id -%}} + {{%- set regex = value -%}} + {{%- if quotes != "" %}} + {{%- if "\\1" in value > 0 %}} + +From a3ec49f75ac3059d7096985e08e10005db96330a Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Fri, 30 Jul 2021 17:25:25 +0200 +Subject: [PATCH 6/6] Don't remediate when it is inappropriate + +Don't remediate when the config file already contains the include +directive. +--- + .../sshd_use_directory_configuration/bash/shared.sh | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh +index 2ff58ec373c..9317b23992d 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh +@@ -1,12 +1,15 @@ + # platform = multi_platform_all + + {{% set target_file = "/etc/ssh/sshd_config.d/sshd_config_original.conf" -%}} ++{{% set base_config = "/etc/ssh/sshd_config" -%}} + if test -f {{{ target_file}}}; then + {{{ die("Remediation probably already happened, '" ~ target_file ~ "' already exists, not doing anything.", action="false") }}} ++elif grep -Eq '^\s*Include\s+/etc/ssh/sshd_config\.d/\*\.conf' {{{ base_config }}} && ! 
grep -Eq '^\s*Match\s' {{{ base_config }}}; then
++ {{{ die("Remediation probably already happened, '" ~ base_config ~ "' already contains the include directive.", action="false") }}}
+ else
+ mkdir -p /etc/ssh/sshd_config.d
+- mv /etc/ssh/sshd_config {{{ target_file }}}
+-cat > /etc/ssh/sshd_config << EOF
++ mv {{{ base_config }}} {{{ target_file }}}
++cat > {{{ base_config }}} << EOF
+ # To modify the system-wide sshd configuration, create a *.conf file under
+ # /etc/ssh/sshd_config.d/ which will be automatically included below
+ 
diff --git a/SOURCES/scap-security-guide-0.1.58-tests_for_playbooks_that_change_banners-PR_7376.patch b/SOURCES/scap-security-guide-0.1.58-tests_for_playbooks_that_change_banners-PR_7376.patch
new file mode 100644
index 0000000..ddfd484
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-tests_for_playbooks_that_change_banners-PR_7376.patch
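Review bot: The added `elif` guard matches `Include` and `Match` case-sensitively, whereas sshd treats keywords case-insensitively and the OVAL side of this rule uses `(?i)` for the same directive (tests/simple.pass.sh even notes that the case handling is tricky). A configuration spelled `include /etc/ssh/sshd_config.d/*.conf` therefore bypasses the guard and is moved into sshd_config.d/sshd_config_original.conf, where its own include line is read again through the new Include; whether sshd tolerates that self-inclusion is not visible here. Using `grep -Eiq` in both tests, `elif grep -Eiq '^\s*Include\s+/etc/ssh/sshd_config\.d/\*\.conf' {{{ base_config }}} && ! grep -Eiq '^\s*Match\s' {{{ base_config }}}; then`, keeps the remediation consistent with the check.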
@@ -0,0 +1,524 @@ +From bf018e9f8327b231b967db8ec74fabf01802b6a8 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 11 Aug 2021 09:45:04 +0200 +Subject: [PATCH 1/3] Add test for ansible files removed and readded + +Check if any playbook removes a file and then add it back again. +The file removal is based on the 'file' module with 'state: absent', and +the reintroduction of the file is based on 'lineinfile', 'blockinfile' +and 'copy' modules. +--- + CMakeLists.txt | 2 + + tests/CMakeLists.txt | 8 ++ + tests/test_ansible_file_removed_and_added.py | 97 ++++++++++++++++++++ + 3 files changed, 107 insertions(+) + create mode 100644 tests/test_ansible_file_removed_and_added.py + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 330b869d0f9..e41f2caa630 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -129,6 +129,7 @@ find_python_module(jinja2 REQUIRED) + find_python_module(pytest) + find_python_module(pytest_cov) + find_python_module(json2html) ++find_python_module(yamlpath) + + # sphinx documentation requirements + find_python_module(sphinx) +@@ -231,6 +232,7 @@ message(STATUS "python pytest module (optional): ${PY_PYTEST}") + message(STATUS "ansible-playbook module (optional): ${ANSIBLE_PLAYBOOK_EXECUTABLE}") + message(STATUS "ansible-lint module (optional): ${ANSIBLE_LINT_EXECUTABLE}") + message(STATUS "yamllint module (optional): ${YAMLLINT_EXECUTABLE}") ++message(STATUS "yamlpath module (optional): ${PY_YAMLPATH}") + message(STATUS "BATS framework (optional): ${BATS_EXECUTABLE}") + message(STATUS "python sphinx module (optional): ${PY_SPHINX}") + message(STATUS "python sphinxcontrib.autojinja module (optional): ${PY_SPHINXCONTRIB.AUTOJINJA}") +diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt +index 3e2d8a4ec31..739cc124035 100644 +--- a/tests/CMakeLists.txt ++++ b/tests/CMakeLists.txt +@@ -121,3 +121,11 @@ add_test( + ) + set_tests_properties("fix_rules-sort_subkeys" PROPERTIES LABELS quick) + set_tests_properties("fix_rules-sort_subkeys" 
PROPERTIES DEPENDS "test-rule-dir-json") ++ ++if (PY_YAMLPATH) ++ add_test( ++ NAME "ansible-file-removed-and-added" ++ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_ansible_file_removed_and_added.py" --ansible_dir "${CMAKE_BINARY_DIR}/ansible" ++ ) ++ set_tests_properties("fix_rules-sort_subkeys" PROPERTIES LABELS quick) ++endif() +diff --git a/tests/test_ansible_file_removed_and_added.py b/tests/test_ansible_file_removed_and_added.py +new file mode 100644 +index 00000000000..23f6f888bda +--- /dev/null ++++ b/tests/test_ansible_file_removed_and_added.py +@@ -0,0 +1,97 @@ ++#!/usr/bin/python3 ++ ++import argparse ++import os ++import sys ++from types import SimpleNamespace ++from yamlpath import Processor ++from yamlpath import YAMLPath ++from yamlpath.common import Parsers ++from yamlpath.exceptions import YAMLPathException ++from yamlpath.wrappers import ConsolePrinter ++ ++ ++def parse_command_line_args(): ++ parser = argparse.ArgumentParser( ++ description="Checks if an Ansible Playbook removes a file and then adds it again.") ++ parser.add_argument("--ansible_dir", required=True, ++ help="Directory containing Ansible Playbooks") ++ args = parser.parse_args() ++ return args ++ ++ ++def check_playbook_file_removed_and_added(playbook_path): ++ playbook_ok = True ++ ++ yaml_parser = Parsers.get_yaml_editor() ++ ++ logging_args = SimpleNamespace(quiet=False, verbose=False, debug=False) ++ log = ConsolePrinter(logging_args) ++ ++ # Find every path removed by a file Task (also matches tasks within blocks) ++ files_absent_string = "tasks.**.file[state=absent][parent()].path" ++ files_absent_yamlpath = YAMLPath(files_absent_string) ++ path_editing_tasks_yamlpath = "" ++ ++ log.info("Info: Evaluating playbook '{}'".format(playbook_path)) ++ (yaml_data, doc_loaded) = Parsers.get_yaml_data(yaml_parser, log, playbook_path) ++ if not doc_loaded: ++ # There was an issue loading the file; an error message has already been 
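Review bot: The new `if (PY_YAMLPATH)` block labels the wrong test: `set_tests_properties("fix_rules-sort_subkeys" PROPERTIES LABELS quick)` repeats the line from the block above it, so the test registered as "ansible-file-removed-and-added" never receives the quick label and the duplicate line is a no-op. It should read `set_tests_properties("ansible-file-removed-and-added" PROPERTIES LABELS quick)`. The second commit in this series edits the same block but its hunk does not change this line.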
++ # printed via ConsolePrinter. ++ return False ++ ++ processor = Processor(log, yaml_data) ++ try: ++ for node in processor.get_nodes(files_absent_yamlpath, mustexist=False): ++ path = str(node) ++ # 'node' is a NodeCoords. ++ if path == 'None': ++ continue ++ elif "{{" in path: ++ # Identified path is a Jinja expression, unfortunately there is no easy way to get ++ # the actual path without making this test very complicated ++ continue ++ ++ # Check if this paths is used in any of the following ansible modules ++ ansible_modules = ["lineinfile", "blockinfile", "copy"] ++ path_editing_tasks_string = "tasks.**.[.=~/{modules}/][*='{path}'][parent()].name" ++ path_editing_tasks_yamlpath = YAMLPath(path_editing_tasks_string.format( ++ modules="|".join(ansible_modules), ++ path=node) ++ ) ++ for task in processor.get_nodes(path_editing_tasks_yamlpath, mustexist=False): ++ log.info("Error: Task '{}' manipulates a file that is removed by another task" ++ .format(task)) ++ playbook_ok = False ++ except YAMLPathException as ex: ++ no_file_msg = ("Cannot add PathSegmentTypes.TRAVERSE subreference to lists at 'None' " ++ "in '{}'.") ++ if str(ex) == no_file_msg.format(files_absent_string): ++ log.info("Info: Playbook {} has no 'file' tasks.".format(playbook_path)) ++ elif path_editing_tasks_yamlpath and str(ex) == no_file_msg.format( ++ path_editing_tasks_yamlpath): ++ log.info("Info: Playbook {} has no '{}' tasks.".format( ++ playbook_path, " ".join(ansible_modules))) ++ else: ++ log.info("Error: {}.".format(ex)) ++ ++ return playbook_ok ++ ++ ++def main(): ++ args = parse_command_line_args() ++ ++ all_playbooks_ok = True ++ for dir_item in os.listdir(args.ansible_dir): ++ if dir_item.endswith(".yml"): ++ playbook_path = os.path.join(args.ansible_dir, dir_item) ++ ++ if not check_playbook_file_removed_and_added(playbook_path): ++ all_playbooks_ok = False ++ ++ if not all_playbooks_ok: ++ sys.exit(1) ++ ++ ++if __name__ == "__main__": ++ main() + +From 
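Review bot: The final `else` branch of the `except YAMLPathException` handler only logs `Error: ...` and leaves `playbook_ok` at True, so an unexpected query failure lets the playbook pass the check instead of failing it; the branch should become `log.info("Error: {}.".format(ex))` followed by `playbook_ok = False`. Separately, `ansible_modules` is assigned inside the loop but read in the handler's `elif` branch, which is only safe because `path_editing_tasks_yamlpath` is set on the same iteration; moving the list above the loop, or a one-line comment saying so, would make that dependency visible. The removed path is also interpolated unquoted into `path_editing_tasks_string`, so a path containing a single quote would produce an invalid query, though none of the fixtures in this series do. The function body is fully visible in the hunk.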
e6d727762ba446cad94f1e002fa7a7fef0f1a4cb Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 11 Aug 2021 09:48:14 +0200 +Subject: [PATCH 2/3] Unit tests the function for file removed and added + +Add a unit test for the core function that checks if any playbook +removes a file and then reintroduces it back. +--- + tests/CMakeLists.txt | 6 ++ + .../file_block_removed_and_added.yml | 69 +++++++++++++++++++ + .../file_not_removed_and_added.yml | 49 +++++++++++++ + .../file_removed_and_added.yml | 62 +++++++++++++++++ + .../file_removed_and_not_added.yml | 46 +++++++++++++ + ...t_check_playbook_file_removed_and_added.py | 39 +++++++++++ + 6 files changed, 271 insertions(+) + create mode 100644 tests/ansible_file_removed_and_added/file_block_removed_and_added.yml + create mode 100644 tests/ansible_file_removed_and_added/file_not_removed_and_added.yml + create mode 100644 tests/ansible_file_removed_and_added/file_removed_and_added.yml + create mode 100644 tests/ansible_file_removed_and_added/file_removed_and_not_added.yml + create mode 100644 tests/test_check_playbook_file_removed_and_added.py + +diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt +index 739cc124035..000a1b1385d 100644 +--- a/tests/CMakeLists.txt ++++ b/tests/CMakeLists.txt +@@ -123,6 +123,12 @@ set_tests_properties("fix_rules-sort_subkeys" PROPERTIES LABELS quick) + set_tests_properties("fix_rules-sort_subkeys" PROPERTIES DEPENDS "test-rule-dir-json") + + if (PY_YAMLPATH) ++ if (PY_PYTEST) ++ add_test( ++ NAME "test-function-check_playbook_file_removed_and_added" ++ COMMAND "${PYTHON_EXECUTABLE}" -m pytest ${PYTEST_COVERAGE_OPTIONS} "${CMAKE_CURRENT_SOURCE_DIR}/test_check_playbook_file_removed_and_added.py" ++ ) ++ endif() + add_test( + NAME "ansible-file-removed-and-added" + COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_ansible_file_removed_and_added.py" --ansible_dir "${CMAKE_BINARY_DIR}/ansible" +diff --git 
a/tests/ansible_file_removed_and_added/file_block_removed_and_added.yml b/tests/ansible_file_removed_and_added/file_block_removed_and_added.yml +new file mode 100644 +index 00000000000..8863b333129 +--- /dev/null ++++ b/tests/ansible_file_removed_and_added/file_block_removed_and_added.yml +@@ -0,0 +1,69 @@ ++--- ++ ++- hosts: all ++ vars: ++ var_system_crypto_policy: !!str FUTURE ++ var_sudo_logfile: !!str /var/log/sudo.log ++ ++ tasks: ++ - name: Modify the System Login Banner - add correct banner ++ lineinfile: ++ dest: /etc/issue ++ line: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*)\|.*\)$", ++ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", ++ "\n") | regex_replace("\\", "") | wordwrap() }}' ++ create: true ++ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] ++ tags: ++ - banner_etc_issue ++ - low_complexity ++ - medium_disruption ++ - medium_severity ++ - no_reboot_needed ++ - unknown_strategy ++ ++ - name: Test for existence /etc/issue ++ stat: ++ path: /etc/issue ++ register: file_exists ++ tags: ++ - configure_strategy ++ - file_permissions_etc_issue ++ - low_complexity ++ - low_disruption ++ - medium_severity ++ - no_reboot_needed ++ ++ - name: Ensure permission 0644 on /etc/issue ++ file: ++ path: /etc/issue ++ mode: '0644' ++ when: file_exists.stat is defined and file_exists.stat.exists ++ tags: ++ - configure_strategy ++ - file_permissions_etc_issue ++ - low_complexity ++ - low_disruption ++ - medium_severity ++ - no_reboot_needed ++ ++ - block: ++ ++ - name: Remove Rsh Trust Files ++ file: ++ path: /root/shosts.equiv ++ state: absent ++ ++ - name: Add line to /root/shosts.equiv ++ lineinfile: ++ dest: /root/shosts.equiv ++ line: 'test host' ++ create: true ++ tags: ++ - high_severity ++ - low_complexity ++ - low_disruption ++ - no_reboot_needed ++ - no_rsh_trust_files ++ - restrict_strategy ++ +diff --git 
a/tests/ansible_file_removed_and_added/file_not_removed_and_added.yml b/tests/ansible_file_removed_and_added/file_not_removed_and_added.yml +new file mode 100644 +index 00000000000..3d3e53b958f +--- /dev/null ++++ b/tests/ansible_file_removed_and_added/file_not_removed_and_added.yml +@@ -0,0 +1,49 @@ ++--- ++ ++- hosts: all ++ vars: ++ var_system_crypto_policy: !!str FUTURE ++ var_sudo_logfile: !!str /var/log/sudo.log ++ ++ tasks: ++ - name: Modify the System Login Banner - add correct banner ++ lineinfile: ++ dest: /etc/issue ++ line: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*)\|.*\)$", ++ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", ++ "\n") | regex_replace("\\", "") | wordwrap() }}' ++ create: true ++ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] ++ tags: ++ - banner_etc_issue ++ - low_complexity ++ - medium_disruption ++ - medium_severity ++ - no_reboot_needed ++ - unknown_strategy ++ ++ - name: Test for existence /etc/issue ++ stat: ++ path: /etc/issue ++ register: file_exists ++ tags: ++ - configure_strategy ++ - file_permissions_etc_issue ++ - low_complexity ++ - low_disruption ++ - medium_severity ++ - no_reboot_needed ++ ++ - name: Ensure permission 0644 on /etc/issue ++ file: ++ path: /etc/issue ++ mode: '0644' ++ when: file_exists.stat is defined and file_exists.stat.exists ++ tags: ++ - configure_strategy ++ - file_permissions_etc_issue ++ - low_complexity ++ - low_disruption ++ - medium_severity ++ - no_reboot_needed ++ +diff --git a/tests/ansible_file_removed_and_added/file_removed_and_added.yml b/tests/ansible_file_removed_and_added/file_removed_and_added.yml +new file mode 100644 +index 00000000000..a44c39a9db2 +--- /dev/null ++++ b/tests/ansible_file_removed_and_added/file_removed_and_added.yml +@@ -0,0 +1,62 @@ ++--- ++ ++- hosts: all ++ vars: ++ var_system_crypto_policy: !!str FUTURE ++ var_sudo_logfile: !!str 
/var/log/sudo.log ++ ++ tasks: ++ - name: Modify the System Login Banner - remove incorrect banner ++ file: ++ state: absent ++ path: /etc/issue ++ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] ++ tags: ++ - banner_etc_issue ++ - low_complexity ++ - medium_disruption ++ - medium_severity ++ - no_reboot_needed ++ - unknown_strategy ++ ++ - name: Modify the System Login Banner - add correct banner ++ lineinfile: ++ dest: /etc/issue ++ line: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*)\|.*\)$", ++ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", ++ "\n") | regex_replace("\\", "") | wordwrap() }}' ++ create: true ++ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] ++ tags: ++ - banner_etc_issue ++ - low_complexity ++ - medium_disruption ++ - medium_severity ++ - no_reboot_needed ++ - unknown_strategy ++ ++ - name: Test for existence /etc/issue ++ stat: ++ path: /etc/issue ++ register: file_exists ++ tags: ++ - configure_strategy ++ - file_permissions_etc_issue ++ - low_complexity ++ - low_disruption ++ - medium_severity ++ - no_reboot_needed ++ ++ - name: Ensure permission 0644 on /etc/issue ++ file: ++ path: /etc/issue ++ mode: '0644' ++ when: file_exists.stat is defined and file_exists.stat.exists ++ tags: ++ - configure_strategy ++ - file_permissions_etc_issue ++ - low_complexity ++ - low_disruption ++ - medium_severity ++ - no_reboot_needed ++ +diff --git a/tests/ansible_file_removed_and_added/file_removed_and_not_added.yml b/tests/ansible_file_removed_and_added/file_removed_and_not_added.yml +new file mode 100644 +index 00000000000..08cda7e5063 +--- /dev/null ++++ b/tests/ansible_file_removed_and_added/file_removed_and_not_added.yml +@@ -0,0 +1,46 @@ ++--- ++ ++- hosts: all ++ vars: ++ var_system_crypto_policy: !!str FUTURE ++ var_sudo_logfile: !!str /var/log/sudo.log ++ ++ tasks: ++ - name: 
Modify the System Login Banner - remove incorrect banner ++ file: ++ state: absent ++ path: /etc/issue ++ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] ++ tags: ++ - banner_etc_issue ++ - low_complexity ++ - medium_disruption ++ - medium_severity ++ - no_reboot_needed ++ - unknown_strategy ++ ++ - name: Test for existence /etc/issue ++ stat: ++ path: /etc/issue ++ register: file_exists ++ tags: ++ - configure_strategy ++ - file_permissions_etc_issue ++ - low_complexity ++ - low_disruption ++ - medium_severity ++ - no_reboot_needed ++ ++ - name: Ensure permission 0644 on /etc/issue ++ file: ++ path: /etc/issue ++ mode: '0644' ++ when: file_exists.stat is defined and file_exists.stat.exists ++ tags: ++ - configure_strategy ++ - file_permissions_etc_issue ++ - low_complexity ++ - low_disruption ++ - medium_severity ++ - no_reboot_needed ++ +diff --git a/tests/test_check_playbook_file_removed_and_added.py b/tests/test_check_playbook_file_removed_and_added.py +new file mode 100644 +index 00000000000..181bb14ed46 +--- /dev/null ++++ b/tests/test_check_playbook_file_removed_and_added.py +@@ -0,0 +1,39 @@ ++import os ++import pytest ++ ++from .test_ansible_file_removed_and_added import check_playbook_file_removed_and_added ++ ++ ++def test_file_removed_and_added(): ++ playbook_path = os.path.join(os.path.dirname(__file__), ++ "ansible_file_removed_and_added", ++ "file_removed_and_added.yml") ++ assert not check_playbook_file_removed_and_added(playbook_path) ++ ++ ++def test_file_removed_and_not_added(): ++ playbook_path = os.path.join(os.path.dirname(__file__), ++ "ansible_file_removed_and_added", ++ "file_removed_and_not_added.yml") ++ assert check_playbook_file_removed_and_added(playbook_path) ++ ++ ++def test_file_not_removed_and_added(): ++ playbook_path = os.path.join(os.path.dirname(__file__), ++ "ansible_file_removed_and_added", ++ "file_not_removed_and_added.yml") ++ assert 
check_playbook_file_removed_and_added(playbook_path) ++ ++ ++def test_file_block_removed_and_added(): ++ playbook_path = os.path.join(os.path.dirname(__file__), ++ "ansible_file_removed_and_added", ++ "file_block_removed_and_added.yml") ++ assert not check_playbook_file_removed_and_added(playbook_path) ++ ++ ++def test_file_block_removed_and_not_added(): ++ playbook_path = os.path.join(os.path.dirname(__file__), ++ "ansible_file_removed_and_added", ++ "file_block_removed_and_not_added.yml") ++ assert check_playbook_file_removed_and_added(playbook_path) + +From 741ec823ac39341f8aa0649031b72d2ac36e8a64 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 12 Aug 2021 10:36:47 +0200 +Subject: [PATCH 3/3] Mention Ansible static yamlpath test in docs + +--- + .../developer/02_building_complianceascode.md | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/docs/manual/developer/02_building_complianceascode.md b/docs/manual/developer/02_building_complianceascode.md +index d536df0a259..87469bf5f9b 100644 +--- a/docs/manual/developer/02_building_complianceascode.md ++++ b/docs/manual/developer/02_building_complianceascode.md +@@ -64,6 +64,20 @@ yum install yamllint ansible-lint + apt-get install yamllint ansible-lint + ``` + ++### Static Ansible Playbooks tests ++ ++Install `yamlpath` and `pytest` to run tests cases that analyse the Ansible ++Playbooks' yaml nodes. ++```bash ++pip3 install yamlpath ++ ++# Fedora/RHEL ++yum install python3-pytest ++ ++# Ubuntu/Debian ++apt-get install python-pytest ++``` ++ + ### Ninja (Faster Builds) + + Install the `ninja` build system if you want to use it instead of diff --git a/SOURCES/scap-security-guide-0.1.58-update_rhel7_stig-PR_7217.patch b/SOURCES/scap-security-guide-0.1.58-update_rhel7_stig-PR_7217.patch new file mode 100644 index 0000000..83e6804 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-update_rhel7_stig-PR_7217.patch 
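Review bot: `test_file_block_removed_and_not_added` loads `file_block_removed_and_not_added.yml`, but the diffstat for this commit creates only four fixtures (file_block_removed_and_added, file_not_removed_and_added, file_removed_and_added, file_removed_and_not_added), so this test runs against a file that does not exist; either add the fixture or drop the test. The relative import `from .test_ansible_file_removed_and_added import ...` also requires tests/ to be importable as a package when CMake invokes pytest on this single file, which nothing in the hunk establishes.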
@@ -0,0 +1,21 @@
+From 2452c1c69e6bda3b6130d8cf80c69c711c438fd0 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Wed, 7 Jul 2021 18:59:10 +0200
+Subject: [PATCH] Select two more rules in RHEL7 STIG.
+
+- sysctl_net_ipv4_conf_all_rp_filter
+- sysctl_net_ipv4_conf_default_rp_filter
+---
+ products/rhel7/profiles/stig.profile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
+index 23635ffed91..78133180ecc 100644
+--- a/products/rhel7/profiles/stig.profile
++++ b/products/rhel7/profiles/stig.profile
+@@ -314,3 +314,5 @@ selections:
+ - package_MFEhiplsm_installed
+ - file_ownership_var_log_audit
+ - file_permissions_var_log_audit
++ - sysctl_net_ipv4_conf_all_rp_filter
++ - sysctl_net_ipv4_conf_default_rp_filter
diff --git a/SOURCES/scap-security-guide-0.1.58-update_stig_benchmark-PR_7326.patch b/SOURCES/scap-security-guide-0.1.58-update_stig_benchmark-PR_7326.patch
new file mode 100644
index 0000000..ddc4e0d
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-update_stig_benchmark-PR_7326.patch
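Review bot: The two selections appended to `selections:` in products/rhel7/profiles/stig.profile carry no record of which RHEL-07 STIG requirement they implement, and the patch subject only says "two more rules"; a comment above the pair such as `# IPv4 reverse-path filtering: <RHEL-07 STIG ID — fill in from the reference XML>` would let the next benchmark bump be audited against the DISA source. They are also tacked on after `file_permissions_var_log_audit` rather than beside the profile's other sysctl selections, a minor ordering nit. Whether the rules' default rp_filter setting (strict `1` versus loose `2`) matches what the STIG check expects is not visible here; if the rules expose a value variable, pinning it in the profile would make the baseline explicit instead of dependent on the rule default, which matters operationally because strict mode drops legitimate traffic on asymmetrically routed hosts.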
@@ -0,0 +1,3258 @@
+From 860ac44b87eb1f5c99cfa83c9b75ca2d1dab1bcd Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Wed, 4 Aug 2021 12:08:22 +0200
+Subject: [PATCH] Update RHEL8 STIG files to V1R3.
+
+---
+ products/rhel7/profiles/stig.profile | 6 +-
+ products/rhel8/profiles/stig.profile | 6 +-
+ products/rhel8/profiles/stig_gui.profile | 6 +-
+ ... => disa-stig-rhel7-v3r4-xccdf-manual.xml} | 295 ++-
+ ... => disa-stig-rhel8-v1r3-xccdf-manual.xml} | 1586 ++++++++++-------
+ .../data/profile_stability/rhel8/stig.profile | 2 +-
+ .../profile_stability/rhel8/stig_gui.profile | 2 +-
+ 7 files changed, 1068 insertions(+), 835 deletions(-)
+ rename shared/references/{disa-stig-rhel7-v3r3-xccdf-manual.xml => disa-stig-rhel7-v3r4-xccdf-manual.xml} (88%)
+ rename shared/references/{disa-stig-rhel8-v1r2-xccdf-manual.xml => disa-stig-rhel8-v1r3-xccdf-manual.xml} (78%)
+
+diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
+index 78133180ecc..f5761c891f2 100644
+--- a/products/rhel7/profiles/stig.profile
++++ b/products/rhel7/profiles/stig.profile
+@@ -1,9 +1,9 @@
+ documentation_complete: true
+
+ metadata:
+- version: V3R3
++ version: V3R4
+ SMEs:
+- - carlosmmatos
++ - ggbecker
+
+ reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+@@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 7'
+
+ description: |-
+ This profile contains configuration checks that align to the
+- DISA STIG for Red Hat Enterprise Linux V3R3.
++ DISA STIG for Red Hat Enterprise Linux V3R4.
+
+ In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index ec0a3b17537..504e57f6c32 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -1,9 +1,9 @@
+ documentation_complete: true
+
+ metadata:
+- version: V1R2
++ version: V1R3
+ SMEs:
+- - carlosmmatos
++ - ggbecker
+
+ reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+@@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8'
+
+ description: |-
+ This profile contains configuration checks that align to the
+- DISA STIG for Red Hat Enterprise Linux 8 V1R2.
++ DISA STIG for Red Hat Enterprise Linux 8 V1R3.
+
+ In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile
+index ff9a2833df8..0fdd755652e 100644
+--- a/products/rhel8/profiles/stig_gui.profile
++++ b/products/rhel8/profiles/stig_gui.profile
+@@ -1,9 +1,9 @@
+ documentation_complete: true
+
+ metadata:
+- version: V1R2
++ version: V1R3
+ SMEs:
+- - carlosmmatos
++ - ggbecker
+
+ reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+@@ -11,7 +11,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8'
+
+ description: |-
+ This profile contains configuration checks that align to the
+- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R2.
++ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R3.
+ + In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this + configuration baseline as applicable to the operating system tier of +diff --git a/shared/references/disa-stig-rhel7-v3r3-xccdf-manual.xml b/shared/references/disa-stig-rhel7-v3r4-xccdf-manual.xml +similarity index 88% +rename from shared/references/disa-stig-rhel7-v3r3-xccdf-manual.xml +rename to shared/references/disa-stig-rhel7-v3r4-xccdf-manual.xml +index f0e75ac1da9..1130d365144 100644 +--- a/shared/references/disa-stig-rhel7-v3r3-xccdf-manual.xml ++++ b/shared/references/disa-stig-rhel7-v3r4-xccdf-manual.xml +@@ -1,4 +1,4 @@ +-acceptedRed Hat Enterprise Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 3 Benchmark Date: 23 Apr 20213.2.2.360791.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000257-GPOS-00098<GroupDescription></GroupDescription>RHEL-07-010010The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership 
of system files and commands match the vendor values.<VulnDiscussion>Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. + + Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71849SV-86473CCI-001494CCI-001496CCI-002165CCI-002235Run the following command to determine which package owns the file: + +@@ -924,37 +924,22 @@ Check that the operating system requires authentication upon booting into single + + ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" + +-If "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010482Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95717V-81005CCI-000213Configure the system to encrypt the boot password for root. ++If "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010482Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95717V-81005CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file. + +-Generate an encrypted grub2 password for root with the following command: +- +-Note: The hash generated is an example. ++Generate an encrypted grub2 password for the grub superusers account with the following command: + +-# grub2-setpassword ++$ sudo grub2-setpassword + Enter password: +-Confirm password: +- +-Edit the /boot/grub2/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: +- +-set superusers="root" +-export superusersFor systems that use UEFI, this is Not Applicable. ++Confirm password:For systems that use UEFI, this is Not Applicable. + + For systems that are running a version of RHEL prior to 7.2, this is Not Applicable. + +-Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command: ++Check to see if an encrypted grub superusers password is set. On systems that use a BIOS, use the following command: + +-# grep -iw grub2_password /boot/grub2/user.cfg ++$ sudo grep -iw grub2_password /boot/grub2/user.cfg + GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] + +-If the root password does not begin with "grub.pbkdf2.sha512", this is a finding. 
+- +-Verify that the "root" account is set as the "superusers": +- +-# grep -iw "superusers" /boot/grub2/grub.cfg +- set superusers="root" +- export superusers +- +-If "superusers" is not set to "root", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010490Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71963SV-86587CCI-000213Configure the system to encrypt the boot password for root. 
++If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010490Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71963SV-86587CCI-000213Configure the system to encrypt the boot password for root. + + Generate an encrypted grub2 password for root with the following command: + +@@ -988,37 +973,22 @@ password_pbkdf2 [superusers-account] [password-hash] + + If the root password entry does not begin with "password_pbkdf2", this is a finding. 
+ +-If the "superusers-account" is not set to "root", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010491Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95719V-81007CCI-000213Configure the system to encrypt the boot password for root. ++If the "superusers-account" is not set to "root", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010491Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. 
GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95719V-81007CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. + +-Generate an encrypted grub2 password for root with the following command: ++Generate an encrypted grub2 password for the grub superusers account with the following command: + +-Note: The hash generated is an example. +- +-# grub2-setpassword ++$ sudo grub2-setpassword + Enter password: +-Confirm password: +- +-Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: +- +-set superusers="root" +-export superusersFor systems that use BIOS, this is Not Applicable. ++Confirm password:For systems that use BIOS, this is Not Applicable. + + For systems that are running a version of RHEL prior to 7.2, this is Not Applicable. + +-Check to see if an encrypted root password is set. On systems that use UEFI, use the following command: ++Check to see if an encrypted grub superusers password is set. 
On systems that use UEFI, use the following command: + +-# grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg ++$ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg + GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] + +-If the root password does not begin with "grub.pbkdf2.sha512", this is a finding. +- +-Verify that the "root" account is set as the "superusers": +- +-# grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg +- set superusers="root" +- export superusers +- +-If "superusers" is not set to "root", this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>RHEL-07-010500The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.<VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. ++If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>RHEL-07-010500The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.<VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. + + Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). 
Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: + +@@ -1073,9 +1043,9 @@ Check to see if the "ypserve" package is installed with the following command: + + # yum list installed ypserv + +-If the "ypserv" package is installed, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020020The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. ++If the "ypserv" package is installed, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020020The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. + +-Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86595V-71971CCI-002235CCI-002165Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. ++Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86595V-71971CCI-002165CCI-002235Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. 
+ + Use the following command to map a new user to the "sysadm_u" role: + +@@ -1099,7 +1069,7 @@ Use the following command to map a new user to the "user_u" role: + + Use the following command to map an existing user to the "user_u" role: + +-# semanage login -m -s user_u <username>Note: Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required. ++# semanage login -m -s user_u <username>Note: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux. + + Verify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. + +@@ -1215,7 +1185,7 @@ If "localpkg_gpgcheck" is not set to "1", or if options are missing or commented + + If there is no process to validate the signatures of local packages that is approved by the organization, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-07-020100The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.<VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. 
+ +-Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86607V-71983CCI-001958CCI-000778CCI-000366Configure the operating system to disable the ability to use the USB Storage kernel module. ++Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86607V-71983CCI-000366CCI-000778CCI-001958Configure the operating system to disable the ability to use the USB Storage kernel module. 
+ + Create a file under "/etc/modprobe.d" with the following command: + +@@ -1280,7 +1250,7 @@ blacklist dccp + + If the command does not return any output or the output is not "blacklist dccp", and use of the dccp kernel module is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-07-020110The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. + +-Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71985SV-86609CCI-001958CCI-000366CCI-000778Configure the operating system to disable the ability to automount devices. ++Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71985SV-86609CCI-000366CCI-000778CCI-001958Configure the operating system to disable the ability to automount devices. 
+ + Turn off the automount service with the following commands: + +@@ -1307,15 +1277,15 @@ Check if yum is configured to remove unneeded packages with the following comman + # grep -i clean_requirements_on_remove /etc/yum.conf + clean_requirements_on_remove=1 + +-If "clean_requirements_on_remove" is not set to "1", "True", or "yes", or is not set in "/etc/yum.conf", this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020210The Red Hat Enterprise Linux operating system must enable SELinux.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. ++If "clean_requirements_on_remove" is not set to "1", "True", or "yes", or is not set in "/etc/yum.conf", this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020210The Red Hat Enterprise Linux operating system must enable SELinux.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. 
+ +-This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71989SV-86613CCI-002696CCI-002165Configure the operating system to verify correct operation of all security functions. ++This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71989SV-86613CCI-002165CCI-002696Configure the operating system to verify correct operation of all security functions. + + Set the "SELinux" status and the "Enforcing" mode by modifying the "/etc/selinux/config" file to have the following line: + + SELINUX=enforcing + +-A reboot is required for the changes to take effect.Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. 
Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required. ++A reboot is required for the changes to take effect.Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux. + + Verify the operating system verifies correct operation of all security functions. + +@@ -1324,7 +1294,7 @@ Check if "SELinux" is active and in "Enforcing" mode with the following command: + # getenforce + Enforcing + +-If "SELinux" is not active and not in "Enforcing" mode, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020220The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. ++If "SELinux" is not active and not in "Enforcing" mode, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020220The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + + This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71991SV-86615CCI-002165CCI-002696Configure the operating system to verify correct operation of all security functions. + +@@ -1332,7 +1302,7 @@ Set the "SELinuxtype" to the "targeted" policy by modifying the "/etc/selinux/co + + SELINUXTYPE=targeted + +-A reboot is required for the changes to take effect.Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required. ++A reboot is required for the changes to take effect.Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux. + + Verify the operating system verifies correct operation of all security functions. 
+ +@@ -1410,23 +1380,21 @@ Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" + # grep -i umask /etc/login.defs + UMASK 077 + +-If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020250The Red Hat Enterprise Linux operating system must be a vendor supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. ++If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020250The Red Hat Enterprise Linux operating system must be a vendor supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + +-Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. 
RHEL 7.7 marks the final minor release that EUS will be available.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86621V-71997CCI-000366Upgrade to a supported version of the operating system.Verify the version of the operating system is vendor supported. ++Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. RHEL 7.7 marks the final minor release that EUS will be available, while 7.9 is the final minor release overall.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86621V-71997CCI-000366Upgrade to a supported version of the operating system.Verify the version of the operating system is vendor supported. + + Check the version of the operating system with the following command: + + # cat /etc/redhat-release + +-Red Hat Enterprise Linux Server release 7.4 (Maipo) ++Red Hat Enterprise Linux Server release 7.9 (Maipo) + +-Current End of Extended Update Support for RHEL 7.6 is 31 October 2020. ++Current End of Extended Update Support for RHEL 7.6 is 31 May 2021. 
+ +-Current End of Extended Update Support for RHEL 7.7 is 31 August 2021. ++Current End of Extended Update Support for RHEL 7.7 is 30 August 2021. + +-Current End of Maintenance Support for RHEL 7.8 is 31 October 2020. +- +-Current End of Maintenance Support for RHEL 7.9 is 30 April 2021. ++Current End of Maintenance Support for RHEL 7.9 is 30 June 2024. + + If the release is not supported by the vendor, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020260The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.<VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. 
The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86623V-71999CCI-000366Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). + +@@ -1560,11 +1528,11 @@ Check the home directory assignment for all local interactive users on the syste + + -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj + +-If any home directories referenced in "/etc/passwd" are not owned by the interactive user, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020650The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.<VulnDiscussion>If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately 
should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86645V-72021CCI-000366Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command: ++If any home directories referenced in "/etc/passwd" are not owned by the interactive user, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020650The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.<VulnDiscussion>If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86645V-72021CCI-000366Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". 
To change the group owner of a local interactive user's home directory, use the following command: + + Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users. + +-# chgrp users /home/smithjVerify the assigned home directory of all local interactive users is group-owned by that user's primary GID. ++# chgrp users /home/smithjVerify the assigned home directory of all local interactive users is group-owned by that user's primary GID. + + Check the home directory assignment for all local interactive users on the system with the following command: + +@@ -1574,26 +1542,26 @@ Check the home directory assignment for all local interactive users on the syste + + Check the user's primary group with the following command: + +-# grep users /etc/group ++# grep $(grep smithj /etc/passwd | awk -F: ‘{print $4}’) /etc/group + + users:x:250:smithj,jonesj,jacksons + +-If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020660The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory.<VulnDiscussion>If local interactive users do not own the files in their directories, unauthorized users may be able to access them. 
Additionally, if files are not owned by the user, this could be an indication of system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86647V-72023CCI-000366Change the owner of a local interactive user's files and directories to that owner. To change the owner of a local interactive user's files and directories, use the following command: ++If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020660The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner.<VulnDiscussion>Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86647V-72023CCI-000366Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on RHEL 7 with the "chown" command: + + Note: The example will be for the user smithj, 
who has a home directory of "/home/smithj". + +-# chown smithj /home/smithj/<file or directory>Verify all files and directories in a local interactive user's home directory are owned by the user. ++$ sudo chown smithj /home/smithj/<file or directory>Verify all files and directories in a local interactive user's home directory have a valid owner. + + Check the owner of all files and directories in a local interactive user's home directory with the following command: + + Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". + +-# ls -lLR /home/smithj ++$ sudo ls -lLR /home/smithj + -rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1 + -rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2 + -rw-r--r-- 1 smithj smithj 231 Mar 5 17:06 file3 + +-If any files are found with an owner different than the home directory user, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020670The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.<VulnDiscussion>If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72025SV-86649CCI-000366Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. 
To change the group owner of a local interactive user's files and directories, use the following command: ++If any files or directories are found without an owner, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020670The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.<VulnDiscussion>If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72025SV-86649CCI-000366Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command: + + Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group. 
+ +@@ -1722,7 +1690,7 @@ Note: The example will be for a system that is configured to create users' home + + # grep <file> /home/*/.* + +-If any local initialization files are found to reference world-writable files, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020900The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.<VulnDiscussion>If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86663V-72039CCI-000368CCI-001813CCI-001814CCI-001812CCI-000318Run the following command to determine which package owns the device file: ++If any local initialization files are found to reference world-writable files, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020900The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.<VulnDiscussion>If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized 
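Review bot: The new check command for RHEL-07-020650, `grep $(grep smithj /etc/passwd | awk -F: ‘{print $4}’) /etc/group`, wraps the awk program in typographic quotes (U+2018/U+2019), so a shell splits it into the words `‘{print` and `$4}’` and awk fails to parse it; anyone running the command as printed gets an error instead of the user's primary group. Even with ASCII quotes both greps match substrings, so a user `smithjr` in passwd or a GID such as 1250 in group would also satisfy the match. If this file mirrors DISA text verbatim, as the surrounding hunks suggest, the correction belongs in the project's own OCIL/description for this rule rather than here; the exact equivalent is `getent group "$(id -g smithj)"`. The rewritten RHEL-07-020660 check in the same hunk asks the reader to spot invalid owners in `ls -lLR` output, where an unowned file shows only a numeric UID; `find /home/smithj -xdev -nouser` reports such entries directly.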
operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86663V-72039CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Run the following command to determine which package owns the device file: + + # rpm -qf <filename> + +@@ -1814,13 +1782,13 @@ Verify "/dev/shm" is mounted with the "nodev", "nosuid", and "noexec" options: + + tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel) + +-If /dev/shm is mounted without secure options "nodev", "nosuid", and "noexec", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021030The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory has the sticky bit set and is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. ++If /dev/shm is mounted without secure options "nodev", "nosuid", and "noexec", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021030The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. 
+ + The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72047SV-86671CCI-000366All directories in local partitions which are world-writable should be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this should be investigated. Following this, the directories should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not group-owned by a system account, assuming only system accounts have a GID lower than 1000. Run it once for each local partition [PART]: + + # find [PART] -xdev -type d -perm -0002 -gid +999 -print + +-If there is output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021040The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.<VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". 
This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72049SV-86673CCI-000318CCI-000368CCI-001813CCI-001814CCI-001812Remove the umask statement from all local interactive user's initialization files. ++If there is output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021040The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.<VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". 
This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72049SV-86673CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove the umask statement from all local interactive user's initialization files. + + If the account is for an application, the requirement for a umask less restrictive than "077" can be documented with the Information System Security Officer, but the user agreement for access to the account must specify that the local interactive user must log on to their account first and then switch the user to the application account with the correct option to gain the account's environment variables.Verify that the default umask for all local interactive users is "077". + +@@ -1832,16 +1800,19 @@ Note: The example is for a system that is configured to create users home direct + + # grep -i umask /home/*/.* + +-If any local interactive user initialization files are found to have a umask statement that has a value less restrictive than "077", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021100The Red Hat Enterprise Linux operating system must have cron logging implemented.<VulnDiscussion>Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. 
It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72051SV-86675CCI-000366Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory: ++If any local interactive user initialization files are found to have a umask statement that has a value less restrictive than "077", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021100The Red Hat Enterprise Linux operating system must have cron logging implemented.<VulnDiscussion>Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72051SV-86675CCI-000366Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory: + +-cron.* /var/log/cron.logVerify that "rsyslog" is configured to log cron events. 
++cron.* /var/log/cron ++ ++The rsyslog daemon must be restarted for the changes to take effect: ++$ sudo systemctl restart rsyslog.serviceVerify that "rsyslog" is configured to log cron events. + + Check the configuration of "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files for the cron facility with the following command: + + Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files. + + # grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf +-cron.* /var/log/cron.log ++cron.* /var/log/cron + + If the command does not return a response, check for cron logging all facilities by inspecting the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files. + +@@ -1940,7 +1911,7 @@ UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4 rw,relatime,discard,data + + If "tmp.mount" service is not enabled or the "/tmp" directory is not defined in the fstab with a device and mount point, this is a finding. SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-021350The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. 
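Review bot: The new expected output `cron.* /var/log/cron` is located with the context line's `grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf`, which also matches a commented-out `#cron.* /var/log/cron` and any other line containing "cron", so a disabled selector would appear to satisfy the check as written. If the project's OVAL/OCIL for RHEL-07-021100 is derived from this text, it should anchor on an uncommented selector, e.g. `grep -E '^\s*cron\.\*' /etc/rsyslog.conf /etc/rsyslog.d/*.conf`. The destination change from `/var/log/cron.log` to `/var/log/cron` also means any project remediation that still writes `cron.log` now diverges from the STIG's expected output and should be re-checked; the remainder of this rule's check text lies outside the hunk.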
+ +-Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86691V-72067CCI-001199CCI-000068CCI-002450CCI-002476Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package. ++Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86691V-72067CCI-000068CCI-001199CCI-002450CCI-002476Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package. + + To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. 
+ +@@ -2097,7 +2068,7 @@ All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux + /bin All # apply the custom rule to the files in bin + /sbin All # apply the same custom rule to the files in sbin + +-If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2 approved cryptographic hashes for validating file contents and directories, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-021700The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.<VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86699V-72075CCI-000368CCI-001812CCI-001814CCI-001813CCI-000318Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.Verify the system is not configured to use a boot loader on removable media. 
++If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2 approved cryptographic hashes for validating file contents and directories, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-021700The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.<VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86699V-72075CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.Verify the system is not configured to use a boot loader on removable media. + + Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines. 
+ +@@ -2314,37 +2285,21 @@ network_failure_action = syslog + + If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate the action taken if there is an error sending audit records to the remote system. + +-If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action if there is an error sending audit records to the remote system, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030330The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72089SV-86713CCI-001855Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. 
+- +-Check the system configuration to determine the partition the audit records are being written to: ++If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action if there is an error sending audit records to the remote system, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030330The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72089SV-86713CCI-001855Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. 
+ +-# grep -iw log_file /etc/audit/auditd.conf +- +-Determine the size of the partition that audit records are written to (with the example being "/var/log/audit/"): +- +-# df -h /var/log/audit/ +- +-Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size.Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. ++Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size. ++space_left = 25% ++Reload the auditd daemon to apply changes made to the "/etc/audit/auditd.conf" file.Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. + + Check the system configuration to determine the partition the audit records are being written to with the following command: + +-# grep -iw log_file /etc/audit/auditd.conf ++$ sudo grep -iw log_file /etc/audit/auditd.conf + log_file = /var/log/audit/audit.log + +-Check the size of the partition that audit records are written to (with the example being "/var/log/audit/"): +- +-# df -h /var/log/audit/ +-0.9G /var/log/audit +- +-If the audit records are not being written to a partition specifically created for audit records (in this example "/var/log/audit" is a separate partition), determine the amount of space other files in the partition are currently occupying with the following command: +- +-# du -sh <partition> +-1.8G /var +- + Determine what the threshold is for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached: + +-# grep -iw space_left /etc/audit/auditd.conf +-space_left = 225 ++$ sudo grep -iw space_left /etc/audit/auditd.conf ++space_left = 25% + + If the value of the 
"space_left" keyword is not set to 25 percent of the total partition size, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030340The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72091SV-86715CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. + +@@ -2395,7 +2350,7 @@ Audit records can be generated from various components within the information sy + + When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
+ +-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86721V-72097CCI-000172CCI-000126Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86721V-72097CCI-000126CCI-000172Add or update the following rule in "/etc/audit/rules.d/audit.rules": + + -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -k perm_mod + +@@ -2993,7 +2948,7 @@ If the command does not return any output, this is a finding.DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72145SV-86769CCI-000172CCI-000126CCI-002884Configure the operating system to generate audit records when unsuccessful account access events occur. 
++Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72145SV-86769CCI-000126CCI-000172CCI-002884Configure the operating system to generate audit records when unsuccessful account access events occur. + + Add or update the following rule in "/etc/audit/rules.d/audit.rules": + +@@ -3031,7 +2986,7 @@ At a minimum, the organization must audit the full-text recording of privileged + + When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86773V-72149CCI-000172CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur. 
++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86773V-72149CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur. + + Add or update the following rule in "/etc/audit/rules.d/audit.rules": + +@@ -3071,7 +3026,7 @@ At a minimum, the organization must audit the full-text recording of privileged + + When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86777V-72153CCI-000172CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur. 
++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86777V-72153CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur. + + Add or update the following rule in "/etc/audit/rules.d/audit.rules": + +@@ -3111,7 +3066,7 @@ At a minimum, the organization must audit the full-text recording of privileged + + When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86781V-72157CCI-000172CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur. 
++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86781V-72157CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur. + + Add or update the following rule in "/etc/audit/rules.d/audit.rules": + +@@ -3131,7 +3086,7 @@ At a minimum, the organization must audit the full-text recording of privileged + + When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. + +-Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86783V-72159CCI-000135CCI-000172CCI-000130CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur. 
++Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86783V-72159CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur. + + Add or update the following rule in "/etc/audit/rules.d/audit.rules": + +@@ -3169,7 +3124,7 @@ If the command does not return any output, this is a finding.DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72163SV-86787CCI-000172CCI-000135CCI-000130CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. 
++Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72163SV-86787CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. + + Add or update the following rule in "/etc/audit/rules.d/audit.rules": + +@@ -3215,7 +3170,7 @@ At a minimum, the organization must audit the full-text recording of privileged + + When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
+ +-Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86791V-72167CCI-000172CCI-000135CCI-000130CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur. ++Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86791V-72167CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur. + + Add or update the following rule in "/etc/audit/rules.d/audit.rules": + +@@ -3341,7 +3296,7 @@ At a minimum, the organization must audit the full-text recording of privileged + + When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way. + +-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86807V-72183CCI-000172CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. ++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86807V-72183CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. + + Add or update the following rule in "/etc/audit/rules.d/audit.rules": + +@@ -3483,7 +3438,7 @@ If the command does not return any output, this is a finding.DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72197SV-86821CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". 
++Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86821V-72197CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". + + Add or update the following rule "/etc/audit/rules.d/audit.rules": + +@@ -3499,7 +3454,7 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command: + + If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030871The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +-Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73165SV-87817CCI-001403CCI-000018CCI-000172CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". ++Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87817V-73165CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". 
+ + Add or update the following rule in "/etc/audit/rules.d/audit.rules": + +@@ -3515,7 +3470,7 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command: + + If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030872The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +-Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73167SV-87819CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". 
++Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87819V-73167CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". + + Add or update the following rule in "/etc/audit/rules.d/audit.rules": + +@@ -3531,7 +3486,7 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command: + + If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030873The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +-Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73171SV-87823CCI-001403CCI-000172CCI-000018CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. ++Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87823V-73171CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. 
+ + Add or update the following file system rule in "/etc/audit/rules.d/audit.rules": + +@@ -3545,16 +3500,16 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command: + + -w /etc/shadow -p wa -k identity + +-If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030874The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030874The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ +-Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87825V-73173CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. ++Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87825V-73173CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. + + Add or update the following file system rule in "/etc/audit/rules.d/audit.rules": + + -w /etc/security/opasswd -p wa -k identity + + The audit daemon must be restarted for the changes to take effect: +-# systemctl restart auditdVerify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. 
++# systemctl restart auditdVerify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. + + Check the auditing rules in "/etc/audit/audit.rules" with the following command: + +@@ -3686,7 +3641,7 @@ If there are no lines in the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" file + + If the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-031010The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.<VulnDiscussion>Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of Service. 
+ +-If the system is intended to be a log aggregation server its use must be documented with the ISSO.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86835V-72211CCI-000318CCI-001812CCI-001814CCI-001813CCI-000368Modify the "/etc/rsyslog.conf" file to remove the "ModLoad imtcp", "ModLoad imudp", and "ModLoad imrelp" configuration lines, or document the system as being used for log aggregation.Verify that the system is not accepting "rsyslog" messages from other systems unless it is documented as a log aggregation server. ++If the system is intended to be a log aggregation server its use must be documented with the ISSO.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86835V-72211CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Modify the "/etc/rsyslog.conf" file to remove the "ModLoad imtcp", "ModLoad imudp", and "ModLoad imrelp" configuration lines, or document the system as being used for log aggregation.Verify that the system is not accepting "rsyslog" messages from other systems unless it is documented as a log aggregation server. 
+ + Check the configuration of "rsyslog" with the following command: + +@@ -3736,15 +3691,15 @@ public (default, active) + + Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. + +-If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-040110The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. ++If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-040110The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + + Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + + FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. 
+ +-By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections. ++The system will attempt to use the first cipher presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH connection. + +-Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72221SV-86845CCI-000366CCI-000803CCI-000068Configure SSH to use FIPS 140-2 approved cryptographic algorithms. ++Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72221SV-86845CCI-000068CCI-000366CCI-000803Configure SSH to use FIPS 140-2 approved cryptographic algorithms. 
+ + Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). + +@@ -3797,7 +3752,7 @@ By using this IS (which includes any device attached to this IS), you consent to + + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +-Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007 , SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72225SV-86849CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388CCI-000048CCI-000050Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh. 
++Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007 , SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72225SV-86849CCI-000048CCI-000050CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh. + + Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is: + +@@ -3978,7 +3933,7 @@ This requirement applies to both internal and external networks and all types of + + Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa. 
+ +-Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86857V-72233CCI-002422CCI-002418CCI-002420CCI-002421Install SSH packages onto the host with the following commands: ++Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86857V-72233CCI-002418CCI-002420CCI-002421CCI-002422Install SSH packages onto the host with the following commands: + + # yum install openssh-server.x86_64Check to see if sshd is installed with the following command: + +@@ -3993,7 +3948,7 @@ This requirement applies to both internal and external networks and all types of + + Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
+ +-Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS-000423-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86859V-72235CCI-002421CCI-002422CCI-002418CCI-002420Configure the SSH service to automatically start after reboot with the following command: ++Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS-000423-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86859V-72235CCI-002418CCI-002420CCI-002421CCI-002422Configure the SSH service to automatically start after reboot with the following command: + + # systemctl enable sshd.serviceVerify SSH is loaded and active with the following command: + +@@ -4115,7 +4070,7 @@ IgnoreUserKnownHosts yes + + If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>RHEL-07-040390The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.<VulnDiscussion>SSHv1 is an insecure implementation of the SSH protocol and has many well-known 
vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. + +-Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86875V-72251CCI-000366CCI-000197Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows: ++Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86875V-72251CCI-000197CCI-000366Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). 
The "Protocol" line must be as follows: + + Protocol 2 + +@@ -4133,9 +4088,9 @@ Check that the SSH daemon is configured to only use the SSHv2 protocol with the + Protocol 2 + #Protocol 1,2 + +-If any protocol line other than "Protocol 2" is uncommented, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040400The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.<VulnDiscussion>DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA. ++If any protocol line other than "Protocol 2" is uncommented, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040400The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.<VulnDiscussion>DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA. 
+ +-By specifying a hash algorithm list with the order of hashes being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest hash for securing SSH connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86877V-72253CCI-001453Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512" and/or "hmac-sha2-256" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): ++The system will attempt to use the first hash presented by the client that matches the server list. 
Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86877V-72253CCI-001453Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512" and/or "hmac-sha2-256" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): + + MACs hmac-sha2-512,hmac-sha2-256 + +@@ -4177,7 +4132,7 @@ The following command will find all SSH private key files on the system and list + -rw-r----- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key + -rw-r----- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key + +-If any file has a mode more permissive than "0640", this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-040430The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.<VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. 
GSSAPI authentication must be disabled unless needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72259SV-86883CCI-000318CCI-001812CCI-001813CCI-000368CCI-001814Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": ++If any file has a mode more permissive than "0640", this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-040430The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.<VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. 
GSSAPI authentication must be disabled unless needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72259SV-86883CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": + + GSSAPIAuthentication no + +@@ -4190,7 +4145,7 @@ Check that the SSH daemon does not permit GSSAPI authentication with the followi + # grep -i gssapiauth /etc/ssh/sshd_config + GSSAPIAuthentication no + +-If the "GSSAPIAuthentication" keyword is missing, is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-040440The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.<VulnDiscussion>Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. 
To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72261SV-86885CCI-000368CCI-001813CCI-001812CCI-001814CCI-000318Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": ++If the "GSSAPIAuthentication" keyword is missing, is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-040440The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.<VulnDiscussion>Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. 
To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72261SV-86885CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": + + KerberosAuthentication no + +@@ -4603,7 +4558,7 @@ Check to see if an FTP server has been installed with the following commands: + + vsftpd-3.0.2.el7.x86_64.rpm + +-If "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040700The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.<VulnDiscussion>If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules 
established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86925V-72301CCI-000368CCI-001813CCI-001814CCI-001812CCI-000318Remove the TFTP package from the system with the following command: ++If "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040700The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.<VulnDiscussion>If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86925V-72301CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove the TFTP package from the system with the following command: + + # yum remove tftp-serverVerify a TFTP server has not been installed on the system. 
+ +@@ -4798,7 +4753,7 @@ Remote access is access to DoD nonpublic information systems by an authorized us + + This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). + +-Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87041V-72417CCI-001953CCI-001954CCI-001948Configure the operating system to implement multifactor authentication by installing the required packages. ++Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87041V-72417CCI-001948CCI-001953CCI-001954Configure the operating system to implement multifactor authentication by installing the required packages. 
+ + Install the pam_pkcs11 package with the following command: + +@@ -4819,7 +4774,7 @@ Remote access is access to DoD nonpublic information systems by an authorized us + + This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). + +-Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72427SV-87051CCI-001948CCI-001954CCI-001953Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM). ++Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72427SV-87051CCI-001948CCI-001953CCI-001954Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM). 
+ + Modify all of the services lines in "/etc/sssd/sssd.conf" or in configuration files found under "/etc/sssd/conf.d" to include pam.Verify the operating system implements multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM). + +@@ -4839,7 +4794,7 @@ Remote access is access to DoD nonpublic information systems by an authorized us + + This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). + +-Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72433SV-87057CCI-001954CCI-001953CCI-001948Configure the operating system to do certificate status checking for PKI authentication. 
++Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72433SV-87057CCI-001948CCI-001953CCI-001954Configure the operating system to do certificate status checking for PKI authentication. + + Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".Verify the operating system implements certificate status checking for PKI authentication. + +@@ -4887,30 +4842,20 @@ Note: System configuration files (indicated by a "c" in the second column) are e + + # rpm -Va --noconfig | grep '^..5' + +-If there is any output from the command for system files or binaries, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020019The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed.<VulnDiscussion>Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. 
These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92255SV-102357CCI-001263Install and enable the latest McAfee HIPS package or McAfee ENSL.Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. ++If there is any output from the command for system files or binaries, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020019The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. 
These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92255SV-102357CCI-001263Install and enable the latest McAfee ENSLTP package.Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux. + + Procedure: +-Examine the system to determine if the Host Intrusion Prevention System (HIPS) is installed: +- +-# rpm -qa | grep MFEhiplsm +- +-Verify that the McAfee HIPS module is active on the system: ++Check that the following package has been installed: + +-# ps -ef | grep -i “hipclient” ++# rpm -qa | grep -i mcafeetp + +-If the MFEhiplsm package is not installed, check for another intrusion detection system: ++If the "mcafeetp" package is not installed, this is a finding. + +-# find / -name <daemon name> ++Verify that the daemon is running: + +-Where <daemon name> is the name of the primary application daemon to determine if the application is loaded on the system. ++# ps -ef | grep -i mfetpd + +-Determine if the application is active on the system: +- +-# ps -ef | grep -i <daemon name> +- +-If the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding. 
+- +-If no host-based intrusion detection system is installed and running on the system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-032000The Red Hat Enterprise Linux operating system must use a virus scan program.<VulnDiscussion>Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. ++If the daemon is not running, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-032000The Red Hat Enterprise Linux operating system must use a virus scan program.<VulnDiscussion>Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. + + The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis. + +@@ -4951,7 +4896,7 @@ Note: The example below is using the database "local" for the system, so the pat + If the command does not return a result, this is a finding. + SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-07-020111The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. 
+ +-Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-100023SV-109127CCI-001958CCI-000778CCI-000366Configure the graphical user interface to disable the ability to automount devices. ++Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-100023SV-109127CCI-000366CCI-000778CCI-001958Configure the graphical user interface to disable the ability to automount devices. + + Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. + +@@ -5001,19 +4946,19 @@ If the output does not match the example above, this is a finding. 
+ + /org/gnome/desktop/media-handling/autorun-never + +-If the output does not match the example, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021031The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.<VulnDiscussion>If a world-writable directory has the sticky bit set and is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. +- +-The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not owned by a system account, assuming only system accounts have a UID lower than 1000. 
Run it once for each local partition [PART]: +- +-# find [PART] -xdev -type d -perm -0002 -uid +999 -print +- ++If the output does not match the example, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021031The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.<VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. ++ ++The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not owned by a system account, assuming only system accounts have a UID lower than 1000. 
Run it once for each local partition [PART]: ++ ++# find [PART] -xdev -type d -perm -0002 -uid +999 -print ++ + If there is output, this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>RHEL-07-910055The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion.<VulnDiscussion>If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. + + To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification. + + Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. + +-Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-001314CCI-000162CCI-000163CCI-000164Change the mode of the audit log files with the following command: ++Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target 
Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000162CCI-000163CCI-000164CCI-001314Change the mode of the audit log files with the following command: + + # chmod 0600 [audit_file] + +@@ -5080,4 +5025,36 @@ Note: The "[value]" must be a number that is greater than or equal to "0". +\ No newline at end of file ++If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010483Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000213Configure the system to have a unique name for the grub superusers account. ++ ++Edit the /boot/grub2/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: ++ ++set superusers="[someuniquestringhere]" ++export superusers ++password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}For systems that use UEFI, this is Not Applicable. 
++ ++For systems that are running a version of RHEL prior to 7.2, this is Not Applicable. ++ ++Verify that a unique name is set as the "superusers" account: ++ ++# grep -iw "superusers" /boot/grub2/grub.cfg ++ set superusers="[someuniquestringhere]" ++ export superusers ++ ++If "superusers" is not set to a unique name or is missing a name, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010492Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000213Configure the system to have a unique name for the grub superusers account. ++ ++Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: ++ ++set superusers="[someuniquestringhere]" ++export superusers ++password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}For systems that use BIOS, this is Not Applicable. ++ ++For systems that are running a version of RHEL prior to 7.2, this is Not Applicable. 
++ ++Verify that a unique name is set as the "superusers" account: ++ ++$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg ++ set superusers="[someuniquestringhere]" ++ export superusers ++ ++If "superusers" is not set to a unique name or is missing a name, this is a finding. +\ No newline at end of file +diff --git a/shared/references/disa-stig-rhel8-v1r2-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r3-xccdf-manual.xml +similarity index 78% +rename from shared/references/disa-stig-rhel8-v1r2-xccdf-manual.xml +rename to shared/references/disa-stig-rhel8-v1r3-xccdf-manual.xml +index 1a6d105ee2b..abff501bb0e 100644 +--- a/shared/references/disa-stig-rhel8-v1r2-xccdf-manual.xml ++++ b/shared/references/disa-stig-rhel8-v1r3-xccdf-manual.xml +@@ -1,28 +1,30 @@ +-acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 2 Benchmark Date: 23 Apr 20213.2.2.360791.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + +-Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. 
For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Upgrade to a supported version of RHEL 8.Verify the version of the operating system is vendor supported. ++Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Upgrade to a supported version of RHEL 8.Verify the version of the operating system is vendor supported. 
+ + Check the version of the operating system with the following command: + + $ sudo cat /etc/redhat-release + +-Red Hat Enterprise Linux Server release 8.1 (Ootpa) ++Red Hat Enterprise Linux Server release 8.4 (Ootpa) + +-Current End of Maintenance Support for RHEL 8.1 is 30 April 2020. ++Current End of Extended Update Support for RHEL 8.1 is 30 November 2021. + +-Current End of Maintenance Support for RHEL 8.2 is 30 November 2020. ++Current End of Extended Update Support for RHEL 8.2 is 30 April 2022. + +-Current End of Maintenance Support for RHEL 8.3 is 30 April 2021. +- +-Current End of Maintenance Support for RHEL 8.4 is 30 November 2021. ++Current End of Extended Update Support for RHEL 8.4 is 30 April 2023. + + Current End of Maintenance Support for RHEL 8.5 is 30 April 2022. + +-Current End of Maintenance Support for RHEL 8.6 is 30 November 2022. ++Current End of Extended Update Support for RHEL 8.6 is 30 April 2024. + + Current End of Maintenance Support for RHEL 8.7 is 30 April 2023. + +-Current End of Maintenance Support for RHEL 8.8 is 30 November 2023. ++Current End of Extended Update Support for RHEL 8.8 is 30 April 2025. ++ ++Current End of Maintenance Support for RHEL 8.9 is 30 April 2024. ++ ++Current End of Maintenance Support for RHEL 8.10 is 31 May 2029. + + If the release is not supported by the vendor, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010010RHEL 8 vendor packaged system security patches and updates must be installed and up to date.<VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. 
When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). + +@@ -168,7 +170,7 @@ View the file specified by the banner keyword to check that it matches the text + + If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. 
+ +-If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-08-010050RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. ++If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-08-010050RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + + System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +@@ -188,38 +190,22 @@ By using this IS (which includes any device attached to this IS), you consent to + + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." 
+
+-Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000048Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
++Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000048Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
+
+ Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable.
+
+-Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:
+-
+-$ sudo touch /etc/dconf/db/local.d/01-banner-message
+-
+ Add the following lines to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message":
+
+-[org/gnome/login-screen]
+-
+-banner-message-enable=true
+-
+ banner-message-text='You are accessing a U.S.
Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '
+
+ Note: The "\n " characters are for formatting only. They will not be displayed on the graphical interface.
+
+ Run the following command to update the database:
+
+-$ sudo dconf updateVerify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.
++$ sudo dconf updateVerify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.
+
+ Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell.
If the system does not have any graphical user interface installed, this requirement is Not Applicable.
+
+-Check to see if the operating system displays a banner at the logon screen with the following command:
+-
+-$ sudo grep banner-message-enable /etc/dconf/db/local.d/*
+-
+-banner-message-enable=true
+-
+-If "banner-message-enable" is set to "false" or is missing, this is a finding.
+-
+ Check that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command:
+
+ $ sudo grep banner-message-text /etc/dconf/db/local.d/*
+@@ -372,105 +358,71 @@ $ sudo cut -d: -f2 /etc/shadow
+
+ $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
+
+-Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with "$6$", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-08-010130RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords.<VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.
++Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with "$6$", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-08-010130The RHEL 8 password-auth file must be configured to use a sufficient number of hashing rounds.<VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.
+
+-Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.
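Review bot: The rewritten RHEL-08-010050 check in this hunk verifies only `banner-message-text`; the removed lines also required `banner-message-enable=true`, the key that actually switches the GDM banner on, so a host with the text present but the enable key missing or set to false now passes this ID. Presumably the enable check has been split into its own STIG ID elsewhere in this patch; if so, the project's stig profile should be confirmed to still select a rule for banner-message-enable so that coverage is not silently dropped with the reference update. Note also that the fix text no longer creates `/etc/dconf/db/local.d/01-banner-message` with `touch`, so the remaining "Add the following lines" step now assumes the file already exists.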
If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000196Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.
++Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000196Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.
+
+-Edit/modify the following line in the "/etc/pam.d/password-auth" and "etc/pam.d/system-auth" files and set "rounds" to a value no lower than "5000":
++Edit/modify the following line in the "/etc/pam.d/password-auth" file and set "rounds" to a value no lower than "5000":
+
+-password sufficient pam_unix.so sha512 rounds=5000Check that a minimum number of hash rounds is configured by running the following commands:
++password sufficient pam_unix.so sha512 rounds=5000Check that a minimum number of hash rounds is configured by running the following command:
+
+ $ sudo grep rounds /etc/pam.d/password-auth
+
+ password sufficient pam_unix.so sha512 rounds=5000
+
+-$ sudo grep rounds /etc/pam.d/system-auth
+-
+-password sufficient pam_unix.so sha512 rounds=5000
+-
+-If "rounds" has a value below "5000", or is commented out in either file, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.
GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superuser account.
++If "rounds" has a value below "5000", or is commented out, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010140RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.
GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.
+
+-Generate an encrypted grub2 password for the grub superuser account with the following command:
++Generate an encrypted grub2 password for the grub superusers account with the following command:
+
+ $ sudo grub2-setpassword
+ Enter password:
+-Confirm password:
+-
+-Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
+-
+-set superusers="[someuniquestringhere]"
+-export superusersFor systems that use BIOS, this is Not Applicable.
++Confirm password:For systems that use BIOS, this is Not Applicable.
+
+-Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:
++Check to see if an encrypted grub superusers password is set. On systems that use UEFI, use the following command:
+
+ $ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg
+
+ GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
+
+-If the root password does not begin with "grub.pbkdf2.sha512", this is a finding.
+-
+-Verify that a unique account name is set as the "superusers":
+-
+-$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
+-set superusers="[someuniquestringhere]"
+-export superusers
+-
+-If "superusers" is not set to a unique name or is missing a name, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010150RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superuser account.
++If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010150RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.
GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file.
+
+-Generate an encrypted grub2 password for the grub superuser account with the following command:
++Generate an encrypted grub2 password for the grub superusers account with the following command:
+
+ $ sudo grub2-setpassword
+ Enter password:
+-Confirm password:
+-
+-Edit the /boot/grub2/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
++Confirm password:For systems that use UEFI, this is Not Applicable.
+
+-set superusers="[someuniquestringhere]"
+-export superusersFor systems that use UEFI, this is Not Applicable.
+-
+-Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command:
++Check to see if an encrypted grub superusers password is set. On systems that use a BIOS, use the following command:
+
+ $ sudo grep -iw grub2_password /boot/grub2/user.cfg
+
+ GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
+
+-If the root password does not begin with "grub.pbkdf2.sha512", this is a finding.
+-
+-Verify that a unique name is set as the "superusers":
+-
+-$ sudo grep -iw "superusers" /boot/grub2/grub.cfg
+-set superusers="[someuniquestringhere]"
+-export superusers
+-
+-If "superusers" is not set to a unique name or is missing a name, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010151RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes.<VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require authentication upon booting into emergency or rescue mode by adding the following line to the "/usr/lib/systemd/system/rescue.service" file.
++If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010151RHEL 8 operating systems must require authentication upon booting into rescue mode.<VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require authentication upon booting into rescue mode by adding the following line to the "/usr/lib/systemd/system/rescue.service" file. 
+
+-ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescueCheck to see if the system requires authentication for rescue or emergency mode with the following command:
++ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescueCheck to see if the system requires authentication for rescue mode with the following command:
+
+ $ sudo grep sulogin-shell /usr/lib/systemd/system/rescue.service
+
+ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
+
+-If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell rescue", commented out, or missing, this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>RHEL-08-010160The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
++If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell rescue", commented out, or missing, this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>RHEL-08-010160The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
+
+ RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+
+-FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.
This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000803Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
++FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000803Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
+
+-Edit/modify the following line in the file "/etc/pam.d/password-auth" and "/etc/pam.d/system-auth" files to include the sha512 option for pam_unix.so:
++Edit/modify the following line in the "/etc/pam.d/password-auth" file to include the sha512 option for pam_unix.so:
+
+-password sufficient pam_unix.so sha512 rounds=5000 shadow remember=5Verify that pam_unix.so auth is configured to use sha512.
++password sufficient pam_unix.so sha512 rounds=5000Verify that the pam_unix.so module is configured to use sha512.
+
+-Check that pam_unix.so auth is configured to use sha512 in both /etc/pam.d/password-auth and /etc/pam.d/system-auth with the following command:
++Check that the pam_unix.so module is configured to use sha512 in /etc/pam.d/password-auth with the following command:
+
+ $ sudo grep password /etc/pam.d/password-auth | grep pam_unix
+
+ password sufficient pam_unix.so sha512 rounds=5000
+
+-$ sudo grep password /etc/pam.d/system-auth | grep pam_unix
+-
+-password sufficient pam_unix.so sha512 rounds=5000
+-
+-If "sha512" is not an option in both outputs, or is commented out, this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>RHEL-08-010161RHEL 8 must prevent system daemons from using Kerberos for authentication.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
++If "sha512" is missing, or is commented out, this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>RHEL-08-010161RHEL 8 must prevent system daemons from using Kerberos for authentication.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
+
+ RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+
+@@ -558,31 +510,30 @@ $ sudo find / -type d \( -perm -0002 -a !
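Review bot: The rewritten check text for RHEL-08-010130 and RHEL-08-010160 in this hunk inspects only `/etc/pam.d/password-auth`; `/etc/pam.d/system-auth`, which the removed lines also covered, is no longer verified under either ID, so a `sha512` or `rounds` regression in system-auth passes both checks as now written. Presumably the system-auth half has moved to separate STIG IDs elsewhere in this patch; it is worth confirming that the project's rules covering system-auth remain mapped and selected so that coverage is not dropped along with the reference update. The same hunk also removes the `superusers` name verification from RHEL-08-010140 and RHEL-08-010150, leaving only the `GRUB2_PASSWORD` presence check in user.cfg; that password is enforced only while the generated grub.cfg still sources user.cfg and sets `superusers`, which is worth stating in the project's own rule descriptions if it is not already.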
-perm -1000 \) -print 2>/dev/null
+
+ drwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp
+
+-If any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-08-010200RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.<VulnDiscussion>Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
++If any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-08-010200RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.<VulnDiscussion>Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
+
+ Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection.
This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
+
+-RHEL 8 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. The default setting for "ClientAliveCountMax" is "3". If "ClientAliveInterval is set to "15" and "ClientAliveCountMax" is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds.
++RHEL 8 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.
+
+-Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000126-GPOS-00066, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001133Configure RHEL 8 to automatically terminate all network connections associated with SSH traffic at the end of a session or after 10 minutes of inactivity.
++Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000126-GPOS-00066, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001133Configure RHEL 8 to automatically terminate all network connections associated with SSH traffic at the end of a session or after 10 minutes of inactivity.
+
+-Modify or append the following lines in the "/etc/ssh/sshd_config" file to have a product value of "600" or less:
++Modify or append the following lines in the "/etc/ssh/sshd_config" file:
+
+-ClientAliveInterval 600
+ ClientAliveCountMax 0
+
+ In order for the changes to take effect, the SSH daemon must be restarted.
+
+-$ sudo systemctl restart sshd.serviceVerify all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity.
++$ sudo systemctl restart sshd.serviceVerify all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity.
+
+-Check that the "ClientAliveInterval" variable is set to a value of "600" or less and that the "ClientAliveCountMax" is set to "0" by performing the following command:
++Check that the "ClientAliveCountMax" is set to "0" by performing the following command:
+
+ $ sudo grep -i clientalive /etc/ssh/sshd_config
+
+ ClientAliveInterval 600
+ ClientAliveCountMax 0
+
+-If "ClientAliveInterval" and "ClientAliveCountMax" do not exist, does not have a product value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>RHEL-08-010210The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
++If "ClientAliveCountMax" do not exist, is not set to a value of "0" in "/etc/ssh/sshd_config", or is commented out, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>RHEL-08-010210The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+ The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001314Change the permissions of the file "/var/log/messages" to "0640" by running the following command:
+
+@@ -642,96 +593,47 @@ $ sudo stat -c "%G" /var/log
+
+ root
+
+-If "root" is not returned as a result, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010290The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
++If "root" is not returned as a result, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010290The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+ Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
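Review bot: The rewritten fix text for RHEL-08-010200 in this hunk tells the reader to set only `ClientAliveCountMax 0`, while the check output a few lines later still shows `ClientAliveInterval 600` without requiring it; sshd sends no liveness probes while ClientAliveInterval is left at its default of 0, so CountMax on its own does not produce the 10-minute cutoff the rule title promises. Presumably the interval requirement has moved to a separate STIG ID elsewhere in this patch; the project's rule for this ID should keep the two settings coupled in its description so they are not applied in isolation. Note also that the meaning of `ClientAliveCountMax 0` changed in OpenSSH 8.2, where it disables connection termination entirely; the text is consistent with the OpenSSH 8.0 shipped in RHEL 8 but should not be carried to products with a newer OpenSSH without re-checking. The phrase 'If "ClientAliveCountMax" do not exist' is ungrammatical, but since this appears to mirror the DISA-published text it should stay verbatim rather than be corrected here.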
+ + Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +-RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssh.config file. +- +-By specifying a hash algorithm list with the order of hashes being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest hash for securing SSH connections. +- +-Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH daemon to use only MACs employing FIPS 140-2-approved algorithms with the following commands: +- +-$ sudo fips-mode-setup --enable +- +-Next, update the "/etc/crypto-policies/back-ends/openssh.config" +-and "/etc/crypto-policies/back-ends/opensshserver.config" files to include these MACs employing FIPS 140-2-approved algorithms: +- +-/etc/crypto-policies/back-ends/openssh.config:MACs hmac-sha2-512,hmac-sha2-256 +-/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256' 
+-/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256' +- +-A reboot is required for the changes to take effect.Verify the SSH daemon is configured to use only MACs employing FIPS 140-2-approved algorithms: +- +-Verify that system-wide crypto policies are in effect: +- +-$ sudo grep -i crypto_policy /etc/sysconfig/sshd ++RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + +-# crypto_policy= +- +-If the "crypto_policy" is uncommented, this is a finding. +- +-Verify which system-wide crypto policy is in use: ++The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. 
+ +-$ sudo update-crypto-policies --show ++Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH server to use only MACs employing FIPS 140-2-approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following line: + +-FIPS ++-oMACS=hmac-sha2-512,hmac-sha2-256 + +-Check that the MACs in the back-end configurations are FIPS 140-2-approved algorithms with the following command: ++A reboot is required for the changes to take effect.Verify the SSH server is configured to use only MACs employing FIPS 140-2-approved algorithms with the following command: + +-$ sudo grep -i macs /etc/crypto-policies/back-ends/openssh.config /etc/crypto-policies/back-ends/opensshserver.config ++$ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.config + +-/etc/crypto-policies/back-ends/openssh.config:MACs hmac-sha2-512,hmac-sha2-256 +-/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256' +-/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256' ++-oMACS=hmac-sha2-512,hmac-sha2-256 + +-If the MAC entries in the "openssh.config" and "opensshserver.config" files have any hashes other than "hmac-sha2-512" and "hmac-sha2-256", the order differs from the example above, if they are missing, or commented out, this is a 
finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010291The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. ++If the MACs entries in the "opensshserver.config" file have any hashes other than "hmac-sha2-512" and "hmac-sha2-256", the order differs from the example above, they are missing, or commented out, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010291The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + +-RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssh.config file. +- +-By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections. 
+- +-Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH daemon to use only ciphers employing FIPS 140-2-approved algorithms with the following command: ++RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. + +-$ sudo fips-mode-setup --enable +- +-Next, update the "/etc/crypto-policies/back-ends/openssh.config" and "/etc/crypto-policies/back-ends/opensshserver.config" files to include these ciphers employing FIPS 140-2-approved algorithms: +- +-/etc/crypto-policies/back-ends/openssh.config:Ciphers aes256-ctr,aes192-ctr,aes128-ctr +-/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr' +-/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr' +- +-A reboot is required for the changes to take effect.Verify the SSH daemon is configured to use only ciphers employing FIPS 140-2-approved algorithms: +- +-Verify that system-wide crypto policies are in effect: +- +-$ sudo grep -i crypto_policy /etc/sysconfig/sshd ++The system will attempt to use the first hash presented by the client that matches the server list. 
Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. + +-# crypto_policy= +- +-If the "crypto_policy" is uncommented, this is a finding. +- +-Verify which system-wide crypto policy is in use: ++Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH server to use only ciphers employing FIPS 140-2-approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following line: + +-$ sudo update-crypto-policies --show +- +-FIPS ++-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr + +-Check that the ciphers in the back-end configurations are FIPS 140-2-approved algorithms with the following command: ++A reboot is required for the changes to take effect.Verify the SSH server is configured to use only ciphers employing FIPS 140-2-approved algorithms with the following command: + +-$ sudo grep -i ciphers /etc/crypto-policies/back-ends/openssh.config /etc/crypto-policies/back-ends/opensshserver.config ++$ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config + +-/etc/crypto-policies/back-ends/openssh.config:Ciphers aes256-ctr,aes192-ctr,aes128-ctr +-/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr' +-/etc/crypto-policies/back-ends/opensshserver.config:CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr' 
++CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr' + +-If the cipher entries in the "openssh.config" and "opensshserver.config" files have any ciphers other than "aes256-ctr,aes192-ctr,aes128-ctr", the order differs from the example above, if they are missing, or commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010292RHEL 8 must ensure the SSH server uses strong entropy.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. ++If the cipher entries in the "opensshserver.config" file have any ciphers other than "aes256-ctr,aes192-ctr,aes128-ctr", the order differs from the example above, they are missing, or commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010292RHEL 8 must ensure the SSH server uses strong entropy.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + + The SSH implementation in RHEL8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. 
This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system SSH server to use strong entropy. + +@@ -1116,7 +1018,7 @@ Check that the "/etc/sudoers" file has no occurrences of "!authenticate" by runn + + $ sudo grep -i !authenticate /etc/sudoers /etc/sudoers.d/* + +-If any occurrences of "!authenticate" return from the command, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-08-010390RHEL 8 must have the packages required for multifactor authentication installed.<VulnDiscussion>Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. ++If any occurrences of "!authenticate" return from the command, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-08-010390RHEL 8 must have the packages required for multifactor authentication installed.<VulnDiscussion>Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. 
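Review bot: The rewritten fix text for RHEL-08-010290/010291 has the administrator edit `/etc/crypto-policies/back-ends/opensshserver.config` by hand, but that file is generated by `update-crypto-policies` and the edit is lost the next time a policy is set or regenerated; the persistent ways to constrain sshd are a crypto-policy module or the FIPS policy, and dropping `$ sudo fips-mode-setup --enable` also removes the only step that puts OpenSSL into FIPS-validated operation rather than merely naming FIPS-approved algorithm identifiers. The two checks are also inconsistent with each other: the MACs check expects a bare `-oMACS=hmac-sha2-512,hmac-sha2-256`, while the ciphers check expects `CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr'`, and only the latter assignment form is what sshd.service consumes from this file. The MACs fix and expected output should therefore be the single assignment `CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACs=hmac-sha2-512,hmac-sha2-256'`. Since the new discussion text itself states that the first client-preferred algorithm present in the server list is chosen, treating the server-side order as a finding criterion adds no protection beyond the allow-list and could be relaxed. The XML group for these rules begins before this hunk.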
+ + Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + +@@ -1124,16 +1026,15 @@ A privileged account is defined as an information system account with authorizat + + Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +-This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001948Configure the operating system to implement multifactor authentication by installing the required packages with the following command: ++This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). 
This does not apply to authentication for the purpose of configuring the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001948Configure the operating system to implement multifactor authentication by installing the required package with the following command: + +-$ sudo yum install esc openssl-pkcs11Verify the operating system has the packages required for multifactor authentication installed with the following commands: ++$ sudo yum install openssl-pkcs11Verify the operating system has the packages required for multifactor authentication installed with the following commands: + +-$ sudo yum list installed esc openssl-pkcs11 ++$ sudo yum list installed openssl-pkcs11 + +-esc.x86_64 1.1.2-7.el8 @AppStream + openssl-pkcs11.x86_64 0.4.8-2.el8 @anaconda + +-If the "esc" and "openssl-pkcs11" packages are not installed, ask the administrator to indicate what type of multifactor authentication is being utilized and what packages are installed to support it. If there is no evidence of multifactor authentication being used, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-08-010400RHEL 8 must implement certificate status checking for multifactor authentication.<VulnDiscussion>Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. 
++If the "openssl-pkcs11" package is not installed, ask the administrator to indicate what type of multifactor authentication is being utilized and what packages are installed to support it. If there is no evidence of multifactor authentication being used, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-08-010400RHEL 8 must implement certificate status checking for multifactor authentication.<VulnDiscussion>Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. + + Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + +@@ -1149,15 +1050,15 @@ certificate_verification = ocsp_dgst=sha1 + + The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: + +-$ sudo systemctl restart sssd.serviceVerify the operating system implements certificate status checking for multifactor authentication. ++$ sudo systemctl restart sssd.serviceVerify the operating system implements certificate status checking for multifactor authentication. 
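Review bot: With `esc` dropped, the check for RHEL-08-010390 rests on `openssl-pkcs11` alone, which is an OpenSSL PKCS#11 engine package; its presence neither performs smart-card logon on RHEL 8 (that is sssd's certificate authentication) nor demonstrates that multifactor authentication is enforced. The finding already defers to the administrator when the package is absent, so the risk is the opposite reading, that the package being present is taken as sufficient. I would add after the yum output: `Note: presence of this package does not by itself enable multifactor authentication; the sssd configuration verified under RHEL-08-010400 and RHEL-08-010410 is what enforces it.` The group's XML continues past this hunk.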
+ + Check to see if Online Certificate Status Protocol (OCSP) is enabled and using the proper digest value on the system with the following command: + +-$ sudo grep certificate_verification /etc/sssd/sssd.conf | grep -v "^#" ++$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#" + + certificate_verification = ocsp_dgst=sha1 + +-If the certificate_verification line is missing "ocsp_dgst=sha1", ask the administrator to indicate what type of multifactor authentication is being utilized and how the system implements certificate status checking. If there is no evidence of certificate status checking being used, this is a finding.SRG-OS-000376-GPOS-00161<GroupDescription></GroupDescription>RHEL-08-010410RHEL 8 must accept Personal Identity Verification (PIV) credentials.<VulnDiscussion>The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. ++If the certificate_verification line is missing from the [sssd] section, or is missing "ocsp_dgst=sha1", ask the administrator to indicate what type of multifactor authentication is being utilized and how the system implements certificate status checking. If there is no evidence of certificate status checking being used, this is a finding.SRG-OS-000376-GPOS-00161<GroupDescription></GroupDescription>RHEL-08-010410RHEL 8 must accept Personal Identity Verification (PIV) credentials.<VulnDiscussion>The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. 
+ + The DoD has mandated the use of the Common Access Card (CAC) to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001953Configure RHEL 8 to accept PIV credentials. + +@@ -1218,17 +1119,17 @@ $ sudo grep page_poison /etc/default/grub + + GRUB_CMDLINE_LINUX="page_poison=1" + +-If "page_poison" is not set to "1", is missing or commented out, this is a finding.SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>RHEL-08-010422RHEL 8 must disable virtual syscalls.<VulnDiscussion>Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual Syscalls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. ++If "page_poison" is not set to "1", is missing or commented out, this is a finding.SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>RHEL-08-010422RHEL 8 must disable virtual syscalls.<VulnDiscussion>Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. 
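Review bot: The new finding text requires `certificate_verification` to be in the `[sssd]` section, but the check command `grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#"` cannot tell which section a match sits in, so a line placed under a `[domain/...]` or `[pam]` section, where sssd does not honor it, passes the check while OCSP checking stays off. A section-aware verification is needed, for example `sudo sssctl config-check`, which reports options that appear in a section where they are not allowed, or an awk that tracks the current `[section]` header before matching. When `/etc/sssd/conf.d/` holds no `.conf` files the unexpanded glob also makes grep print a "No such file or directory" error, which is harmless but should be noted so reviewers do not treat it as a failed check. The XML group for this rule begins before the hunk.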
Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual Syscalls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. + +-Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling vsyscalls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns. ++Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling vsyscalls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on RHEL 6 components, then virtual syscalls will need enabled so the components function properly. 
+ +-Satisfies: SRG-OS-000134-GPOS-00068, SRG-OS-000433-GPOS-00192</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001084Configure RHEL 8 to disable vsyscalls with the following commands: ++Satisfies: SRG-OS-000134-GPOS-00068, SRG-OS-000433-GPOS-00192</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001084Document the use of vsyscalls with the ISSO as an operational requirement or disable them with the following command: + + $ sudo grubby --update-kernel=ALL --args="vsyscall=none" + + Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: + +-GRUB_CMDLINE_LINUX="vsyscall=none"Verify that GRUB 2 is configured to disable vsyscalls with the following commands: ++GRUB_CMDLINE_LINUX="vsyscall=none"Verify that GRUB 2 is configured to disable vsyscalls with the following commands: + + Check that the current GRUB 2 configuration disables vsyscalls: + +@@ -1244,7 +1145,7 @@ $ sudo grep vsyscall /etc/default/grub + + GRUB_CMDLINE_LINUX="vsyscall=none" + +-If "vsyscall" is not set to "none", is missing or commented out, this is a finding.SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>RHEL-08-010423RHEL 8 must clear 
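Review bot: The new exception for RHEL 6-based containers says virtual syscalls "will need enabled" without saying which kernel setting is acceptable, and the distinction is exactly the ROP concern the discussion describes: `vsyscall=native` maps executable code at a fixed address, whereas `vsyscall=emulate` keeps the legacy ABI working for old binaries by trapping and emulating the calls without an executable page at that address. I would bound the documented exception with a sentence such as `If vsyscalls must remain enabled for RHEL 6 based containers, the kernel must be booted with "vsyscall=emulate"; "vsyscall=native" is never acceptable.` Whether the RHEL 8 distribution kernel still accepts the native mode should be confirmed against its configuration before the wording is finalized. The group for this rule begins before this hunk and its check text continues in the next one.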
SLUB/SLAB objects to prevent use-after-free attacks.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. ++If "vsyscall" is not set to "none", is missing or commented out and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>RHEL-08-010423RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + + Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. + +@@ -1385,13 +1286,13 @@ $ sudo ls -l /etc/ssh/*.pub + + If any key.pub file has a mode more permissive than "0644", this is a finding. 
+ +-Note: SSH public key files may be found in other directories on the system depending on the installation.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010490The RHEL 8 SSH private host key files must have mode 0640 or less permissive.<VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the mode of SSH private host key files under "/etc/ssh" to "0640" with the following command: ++Note: SSH public key files may be found in other directories on the system depending on the installation.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010490The RHEL 8 SSH private host key files must have mode 0600 or less permissive.<VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the mode of SSH private host key files under "/etc/ssh" to "0600" with the following command: + +-$ sudo chmod 0640 /etc/ssh/ssh_host*key ++$ sudo chmod 0600 /etc/ssh/ssh_host*key + + The SSH daemon must be restarted for the 
changes to take effect. To restart the SSH daemon, run the following command: + +-$ sudo systemctl restart sshd.serviceVerify the SSH private host key files have mode "0640" or less permissive with the following command: ++$ sudo systemctl restart sshd.serviceVerify the SSH private host key files have mode "0600" or less permissive with the following command: + + $ sudo ls -l /etc/ssh/ssh_host*key + +@@ -1399,7 +1300,7 @@ $ sudo ls -l /etc/ssh/ssh_host*key + -rw------- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key + -rw------- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key + +-If any private host key file has a mode more permissive than "0640", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010500The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.<VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure SSH to perform strict mode checking of home directory configuration files. 
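Review bot: Tightening the private host keys to 0600 with `chmod 0600 /etc/ssh/ssh_host*key` removes the `ssh_keys` group access that the check's sample output (`-rw------- 1 root ssh_keys ...`) still reflects, and as shipped on RHEL that group exists because the `ssh-keysign` helper is setgid `ssh_keys` so host-based authentication can read the host keys as an unprivileged user; at 0600 outbound `HostbasedAuthentication` stops working, which the rule should state as an impact. The change is also not durable: the `sshd-keygen` unit recreates missing host keys with mode 0640 and group `ssh_keys`, so keys regenerated after this fix revert to a finding. I would add to the fix text: `Note: host keys regenerated by sshd-keygen are created with mode 0640; re-apply this setting after key regeneration, and confirm host-based authentication is not in use before applying it.` The group for RHEL-08-010490 continues past this hunk.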
Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" and set the value to "yes": ++If any private host key file has a mode more permissive than "0600", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010500The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.<VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure SSH to perform strict mode checking of home directory configuration files. 
Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" and set the value to "yes": + + StrictModes yes + +@@ -1411,17 +1312,17 @@ $ sudo grep -i strictmodes /etc/ssh/sshd_config + + StrictModes yes + +-If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010510The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication.<VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "no": ++If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010510The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication.<VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root 
privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no": + + Compression no + +-The SSH service must be restarted for changes to take effect.Verify the SSH daemon performs compression after a user successfully authenticates with the following command: ++The SSH service must be restarted for changes to take effect.Verify the SSH daemon performs compression after a user successfully authenticates with the following command: + + $ sudo grep -i compression /etc/ssh/sshd_config + +-Compression no ++Compression delayed + +-If the "Compression" keyword is set to "yes", "delayed", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010520The RHEL 8 SSH daemon must not allow authentication using known host’s authentication.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration 
elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the SSH daemon to not allow authentication using known host’s authentication. ++If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010520The RHEL 8 SSH daemon must not allow authentication using known host’s authentication.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the SSH daemon to not allow authentication using known host’s authentication. 
+ + Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": + +@@ -1435,23 +1336,21 @@ $ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config + + IgnoreUserKnownHosts yes + +-If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010521The RHEL 8 SSH daemon must not allow unused methods of authentication.<VulnDiscussion>Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the SSH daemon to not allow authentication using unused methods of authentication. 
++If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010521The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.<VulnDiscussion>Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the SSH daemon to not allow Kerberos authentication. + + Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no": + + KerberosAuthentication no +-GSSAPIAuthentication no + + The SSH daemon must be restarted for the changes to take effect. 
To restart the SSH daemon, run the following command: + +-$ sudo systemctl restart sshd.serviceVerify the SSH daemon does not allow authentication using unused methods of authentication with the following command: ++$ sudo systemctl restart sshd.serviceVerify the SSH daemon does not allow Kerberos authentication with the following command: + +-$ sudo grep -i "KerberosAuthentication\|GSSAPIAuthentication" /etc/ssh/sshd_config ++$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config + + KerberosAuthentication no +-GSSAPIAuthentication no + +-If the values are returned as "yes", the returned line is commented out, no output is returned, or has not been documented with the ISSO, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010540RHEL 8 must use a separate file system for /var.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Migrate the "/var" path onto a separate file system.Verify that a separate file system/partition has been created for "/var". 
++If the value is returned as "yes", the returned line is commented out, no output is returned, or has not been documented with the ISSO, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010540RHEL 8 must use a separate file system for /var.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Migrate the "/var" path onto a separate file system.Verify that a separate file system/partition has been created for "/var". + + Check that a file system/partition has been created for "/var" with the following command: + +@@ -1548,7 +1447,9 @@ $ sudo more /etc/fstab + + UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home xfs rw,relatime,discard,data=ordered,nosuid,nodev,noexec 0 0 + +-If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010571RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
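Review bot: Any rule in this repository that disables GSSAPIAuthentication and cites RHEL-08-010521 as its STIG ID loses its backing in this reference, because the new text for that ID keeps only `KerberosAuthentication no` in the fix and narrows the check to `$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config`, with the `GSSAPIAuthentication no` line removed from both. The rule-to-STIG mapping itself is not visible in this hunk, so this is a cross-reference to re-check rather than a defect in the hunk. Since the hunk is part of a vendored upstream patch file, the wording cannot reasonably be edited here; the follow-up belongs in the rule metadata that references this ID.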
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory.Verify the /boot directory is mounted with the "nosuid" option with the following command: ++If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010571RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory.For systems that use UEFI, this is Not Applicable. ++ ++Verify the /boot directory is mounted with the "nosuid" option with the following command: + + $ sudo mount | grep '\s/boot\s' + +@@ -1754,13 +1655,13 @@ $ sudo grep -i path /home/*/.* + /home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin + /home/[localinteractiveuser]/.bash_profile:export PATH + +-If any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010700All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory has the sticky bit set and is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. 
++If any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010700All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.<VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. + + The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 1000. 
Run it once for each local partition [PART]: + + $ sudo find [PART] -xdev -type d -perm -0002 -uid +999 -print + +-If there is output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010710All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory has the sticky bit set and is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. ++If there is output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010710All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. + + The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366All directories in local partitions which are world-writable must be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this must be investigated. 
Following this, the directories must be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not group-owned by a system account, given the assumption that only system accounts have a gid lower than 1000. Run it once for each local partition [PART]: + +@@ -1791,11 +1692,11 @@ $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /et + + drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj + +-If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010740All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.<VulnDiscussion>If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Change the group owner of a local interactive user’s home directory to the group found in "/etc/passwd". 
To change the group owner of a local interactive user’s home directory, use the following command: ++If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010740All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.<VulnDiscussion>If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Change the group owner of a local interactive user’s home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user’s home directory, use the following command: + + Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users. + +-$ sudo chgrp users /home/smithjVerify the assigned home directory of all local interactive users is group-owned by that user’s primary GID with the following command: ++$ sudo chgrp users /home/smithjVerify the assigned home directory of all local interactive users is group-owned by that user’s primary GID with the following command: + + Note: This may miss local interactive users that have been assigned a privileged UID. 
Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/smithj" is used as an example. + +@@ -1805,7 +1706,7 @@ drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj + + Check the user's primary group with the following command: + +-$ sudo grep admin /etc/group ++$ sudo grep $(grep smithj /etc/passwd | awk -F: ‘{print $4}’) /etc/group + + admin:x:250:smithj,jonesj,jacksons + +@@ -1977,38 +1878,17 @@ account required pam_faillock.so + + If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module, or is missing from this line, this is a finding. + +-If any line referencing the "pam_faillock.so" module is commented out, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020011RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. +- +-In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. +- +-From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. 
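Review bot: The new check command for RHEL-08-010740, `$ sudo grep $(grep smithj /etc/passwd | awk -F: ‘{print $4}’) /etc/group`, wraps the awk program in typographic quotes (U+2018/U+2019) rather than ASCII quotes, so the command fails if run as written; the working form is `awk -F: '{print $4}'`. Grepping a bare GID against /etc/group also matches any line containing that number, not only the GID field, so the example output can include unrelated groups. This file appears to be a verbatim copy of the published STIG, so the text itself probably has to stay as upstream wrote it, but any rule description or remediation in this repository derived from this check should use the ASCII form and anchor the GID match.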
+- +-Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000044Configure the operating system to lock an account when three unsuccessful logon attempts occur. +- +-Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: +- +-auth required pam_faillock.so preauth +-auth required pam_faillock.so authfail +-account required pam_faillock.so +- +-Add/Modify the "/etc/security/faillock.conf" file to match the following line: +- +-deny = 3Check that the system locks an account after three unsuccessful logon attempts with the following commands: ++If any line referencing the "pam_faillock.so" module is commented out, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020011RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +-Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. ++In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. 
Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +-Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files: ++From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + +-$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth ++Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000044Configure the operating system to lock an account when three unsuccessful logon attempts occur. + +-/etc/pam.d/system-auth:auth required pam_faillock.so preauth +-/etc/pam.d/system-auth:auth required pam_faillock.so authfail +-/etc/pam.d/system-auth:account required pam_faillock.so +-/etc/pam.d/password-auth:auth required pam_faillock.so preauth +-/etc/pam.d/password-auth:auth required pam_faillock.so authfail +-/etc/pam.d/password-auth:account required pam_faillock.so preauth ++Add/Modify the "/etc/security/faillock.conf" file to match the following line: + +-If the pam_failllock.so module is not present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files, this is a finding. 
++deny = 3Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. + + Verify the "/etc/security/faillock.conf" file is configured to lock an account after three unsuccessful logon attempts: + +@@ -2052,38 +1932,17 @@ auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 + auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 + account required pam_faillock.so + +-If the "fail_interval" option is not set to "900" or less (but not "0") on the "preauth" lines with the "pam_faillock.so" module, or is missing from this line, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020013RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. +- +-In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. +- +-From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. 
+- +-Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000044Configure the operating system to lock an account when three unsuccessful logon attempts occur in 15 minutes. +- +-Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: +- +-auth required pam_faillock.so preauth +-auth required pam_faillock.so authfail +-account required pam_faillock.so +- +-Add/Modify the "/etc/security/faillock.conf" file to match the following line: +- +-fail_interval = 900Check that the system locks an account after three unsuccessful logon attempts within a period of 15 minutes with the following commands: ++If the "fail_interval" option is not set to "900" or less (but not "0") on the "preauth" lines with the "pam_faillock.so" module, or is missing from this line, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020013RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +-Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. 
++In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +-Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files: ++From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + +-$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth ++Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000044Configure the operating system to lock an account when three unsuccessful logon attempts occur in 15 minutes. 
+ +-/etc/pam.d/system-auth:auth required pam_faillock.so preauth +-/etc/pam.d/system-auth:auth required pam_faillock.so authfail +-/etc/pam.d/system-auth:account required pam_faillock.so +-/etc/pam.d/password-auth:auth required pam_faillock.so preauth +-/etc/pam.d/password-auth:auth required pam_faillock.so authfail +-/etc/pam.d/password-auth:account required pam_faillock.so preauth ++Add/Modify the "/etc/security/faillock.conf" file to match the following line: + +-If the pam_failllock.so module is not present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files, this is a finding. ++fail_interval = 900Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. + + Verify the "/etc/security/faillock.conf" file is configured to lock an account after three unsuccessful logon attempts within 15 minutes: + +@@ -2091,7 +1950,7 @@ $ sudo grep 'fail_interval =' /etc/security/faillock.conf + + fail_interval = 900 + +-If the "fail_interval" option is not set to "900" or less (but not "0"), is missing or commented out, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020014RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
++If the "fail_interval" option is not set to "900" or more, is missing or commented out, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020014RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + + RHEL 8 can utilize the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program. + +@@ -2127,38 +1986,17 @@ auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 + auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 + account required pam_faillock.so + +-If the "unlock_time" option is not set to "0" on the "preauth" and "authfail" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020015RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. +- +-In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. 
+- +-From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. +- +-Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000044Configure the operating system to lock an account until released by an administrator when three unsuccessful logon attempts occur in 15 minutes. +- +-Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: +- +-auth required pam_faillock.so preauth +-auth required pam_faillock.so authfail +-account required pam_faillock.so +- +-Add/Modify the "/etc/security/faillock.conf" file to match the following line: +- +-unlock_time = 0Check that the system locks an account after three unsuccessful logon attempts within a period of 15 minutes until released by an administrator with the following commands: ++If the "unlock_time" option is not set to "0" on the "preauth" and "authfail" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020015RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access 
via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +-Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. ++In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +-Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files: ++From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + +-$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth ++Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000044Configure the operating system to lock an account until released by an administrator when three unsuccessful logon attempts occur in 15 minutes. 
+ +-/etc/pam.d/system-auth:auth required pam_faillock.so preauth +-/etc/pam.d/system-auth:auth required pam_faillock.so authfail +-/etc/pam.d/system-auth:account required pam_faillock.so +-/etc/pam.d/password-auth:auth required pam_faillock.so preauth +-/etc/pam.d/password-auth:auth required pam_faillock.so authfail +-/etc/pam.d/password-auth:account required pam_faillock.so preauth ++Add/Modify the "/etc/security/faillock.conf" file to match the following line: + +-If the pam_failllock.so module is not present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files, this is a finding. ++unlock_time = 0Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. + + Verify the "/etc/security/faillock.conf" file is configured to lock an account until released by an administrator after three unsuccessful logon attempts: + +@@ -2204,45 +2042,24 @@ auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 + auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 + account required pam_faillock.so + +-If the "dir" option is not set to a non-default documented tally log directory on the "preauth" and "authfail" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020017RHEL 8 must ensure account lockouts persist.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. +- +-In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) 
users to allow the centralized platform to solely manage user lockout. +- +-From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. +- +-Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000044Configure the operating system maintain the contents of the faillock directory after a reboot. ++If the "dir" option is not set to a non-default documented tally log directory on the "preauth" and "authfail" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020017RHEL 8 must ensure account lockouts persist.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +-Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: ++In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) 
users to allow the centralized platform to solely manage user lockout. + +-auth required pam_faillock.so preauth +-auth required pam_faillock.so authfail +-account required pam_faillock.so ++From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. ++ ++Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000044Configure the operating system maintain the contents of the faillock directory after a reboot. + + Add/Modify the "/etc/security/faillock.conf" file to match the following line: + +-dir = /var/log/faillockCheck that the faillock directory contents persist after a reboot with the following commands: +- +-Note: This check applies to RHEL versions 8.2 or newer. If the system is RHEL version 8.0 or 8.1, this check is not applicable. 
+- +-Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files: +- +-$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth +- +-/etc/pam.d/system-auth:auth required pam_faillock.so preauth +-/etc/pam.d/system-auth:auth required pam_faillock.so authfail +-/etc/pam.d/system-auth:account required pam_faillock.so +-/etc/pam.d/password-auth:auth required pam_faillock.so preauth +-/etc/pam.d/password-auth:auth required pam_faillock.so authfail +-/etc/pam.d/password-auth:account required pam_faillock.so preauth +- +-If the pam_failllock.so module is not present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files, this is a finding. +- +-Verify the "/etc/security/faillock.conf" file is configured use a non-default faillock directory to ensure contents persist after reboot: +- +-$ sudo grep 'dir =' /etc/security/faillock.conf +- +-dir = /var/log/faillock +- ++dir = /var/log/faillockNote: This check applies to RHEL versions 8.2 or newer. If the system is RHEL version 8.0 or 8.1, this check is not applicable. ++ ++Verify the "/etc/security/faillock.conf" file is configured use a non-default faillock directory to ensure contents persist after reboot: ++ ++$ sudo grep 'dir =' /etc/security/faillock.conf ++ ++dir = /var/log/faillock ++ + If the "dir" option is not set to a non-default documented tally log directory, is missing or commented out, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020018RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + + RHEL 8 can utilize the "pam_faillock.so" for this purpose. 
Note that manual changes to the listed files may be overwritten by the "authselect" program. +@@ -2279,38 +2096,17 @@ auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 + auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 + account required pam_faillock.so + +-If the "silent" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020019RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. +- +-In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. +- +-From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. 
+- +-Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000044Configure the operating system to prevent informative messages from being presented at logon attempts. +- +-Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: +- +-auth required pam_faillock.so preauth +-auth required pam_faillock.so authfail +-account required pam_faillock.so +- +-Add/Modify the "/etc/security/faillock.conf" file to match the following line: +- +-silentCheck that the system prevents informative messages from being presented to the user pertaining to logon information with the following commands: ++If the "silent" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020019RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +-Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. ++In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. 
Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +-Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files: ++From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + +-$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth ++Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000044Configure the operating system to prevent informative messages from being presented at logon attempts. + +-/etc/pam.d/system-auth:auth required pam_faillock.so preauth +-/etc/pam.d/system-auth:auth required pam_faillock.so authfail +-/etc/pam.d/system-auth:account required pam_faillock.so +-/etc/pam.d/password-auth:auth required pam_faillock.so preauth +-/etc/pam.d/password-auth:auth required pam_faillock.so authfail +-/etc/pam.d/password-auth:account required pam_faillock.so preauth ++Add/Modify the "/etc/security/faillock.conf" file to match the following line: + +-If the pam_failllock.so module is not present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files, this is a finding. 
++silentNote: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. + + Verify the "/etc/security/faillock.conf" file is configured to prevent informative messages from being presented at logon attempts: + +@@ -2356,38 +2152,17 @@ auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 + auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 + account required pam_faillock.so + +-If the "audit" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020021RHEL 8 must log user name information when unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. +- +-In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. +- +-From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. 
+- +-Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000044Configure the operating system to log user name information when unsuccessful logon attempts occur. +- +-Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: +- +-auth required pam_faillock.so preauth +-auth required pam_faillock.so authfail +-account required pam_faillock.so +- +-Add/Modify the "/etc/security/faillock.conf" file to match the following line: +- +-auditCheck that the system logs user name information when unsuccessful logon attempts occur with the following commands: ++If the "audit" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020021RHEL 8 must log user name information when unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +-Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. ++In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. 
Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +-Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files: ++From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + +-$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth ++Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000044Configure the operating system to log user name information when unsuccessful logon attempts occur. + +-/etc/pam.d/system-auth:auth required pam_faillock.so preauth +-/etc/pam.d/system-auth:auth required pam_faillock.so authfail +-/etc/pam.d/system-auth:account required pam_faillock.so +-/etc/pam.d/password-auth:auth required pam_faillock.so preauth +-/etc/pam.d/password-auth:auth required pam_faillock.so authfail +-/etc/pam.d/password-auth:account required pam_faillock.so preauth ++Add/Modify the "/etc/security/faillock.conf" file to match the following line: + +-If the pam_failllock.so module is not present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files, this is a finding. 
++auditNote: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. + + Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur: + +@@ -2433,38 +2208,17 @@ auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 + auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 + account required pam_faillock.so + +-If the "even_deny_root" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020023RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. +- +-In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. +- +-From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. 
+- +-Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000044Configure the operating system to include root when locking an account after three unsuccessful logon attempts occur in 15 minutes. +- +-Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: +- +-auth required pam_faillock.so preauth +-auth required pam_faillock.so authfail +-account required pam_faillock.so +- +-Add/Modify the "/etc/security/faillock.conf" file to match the following line: +- +-even_deny_rootCheck that the system includes the root account when locking an account after three unsuccessful logon attempts within a period of 15 minutes with the following commands: ++If the "even_deny_root" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020023RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + +-Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. 
++In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. + +-Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files: ++From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. + +-$ sudo grep pam_faillock.so /etc/pam.d/system-auth /etc/pam.d/password-auth ++Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000044Configure the operating system to include root when locking an account after three unsuccessful logon attempts occur in 15 minutes. 
+ +-/etc/pam.d/system-auth:auth required pam_faillock.so preauth +-/etc/pam.d/system-auth:auth required pam_faillock.so authfail +-/etc/pam.d/system-auth:account required pam_faillock.so +-/etc/pam.d/password-auth:auth required pam_faillock.so preauth +-/etc/pam.d/password-auth:auth required pam_faillock.so authfail +-/etc/pam.d/password-auth:account required pam_faillock.so preauth ++Add/Modify the "/etc/security/faillock.conf" file to match the following line: + +-If the pam_failllock.so module is not present in the "/etc/pam.d/system-auth" and " /etc/pam.d/password-auth" files, this is a finding. ++even_deny_rootNote: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. + + Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur: + +@@ -2513,31 +2267,17 @@ true + + If the setting is "false", this is a finding. + +-Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020040RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. ++Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. 
If the system does not have any graphical user interface installed, this requirement is Not Applicable.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020040RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + + The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. + + Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. + +-Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000056Configure the operating system to enable a user to initiate a session lock via tmux. 
+- +-Install the "tmux" package, if it is not already installed, by running the following command: +- +-$ sudo yum install tmux +- +-Once installed, create a global configuration file "/etc/tmux.conf" and add the following line: +- +-set -g lock-command vlockVerify the operating system enables the user to initiate a session lock on command. +- +-Verify RHEL 8 has the "tmux" package installed, by running the following command: ++Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000056Configure the operating system to enable a user to initiate a session lock via tmux. + +-$ sudo yum list installed tmux +- +-tmux.x86.64 2.7-1.el8 @repository ++Create a global configuration file "/etc/tmux.conf" and add the following line: + +-If "tmux" is not installed, this is a finding. 
+- +-Next verify that the lock-command is set in the global settings of tmux with the following command: ++set -g lock-command vlockVerify the operating system enables the user to initiate a session lock with the following command: + + $ sudo grep -i lock-command /etc/tmux.conf + +@@ -2635,7 +2375,7 @@ $ sudo grep -i lock-after-time /etc/tmux.conf + + set -g lock-after-time 900 + +-If "lock-after-time" is not set to "900" or less in the global tmux configuration file to enforce session lock after inactivity, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-08-020080RHEL 8 must prevent a user from overriding graphical user interface settings.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. ++If "lock-after-time" is not set to "900" or less in the global tmux configuration file to enforce session lock after inactivity, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-08-020080RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. 
+ + The session lock is implemented at the point where session activity can be determined and/or controlled. + +@@ -2643,7 +2383,7 @@ Implementing session settings will have little value if a user is able to manipu + + Locking these settings from non-privileged users is crucial to maintaining a protected baseline. + +-Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000057Configure the operating system to prevent a user from overriding settings for graphical user interfaces. ++Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000057Configure the operating system to prevent a user from overriding settings for graphical user interfaces. 
+ + Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: + +@@ -2651,16 +2391,9 @@ Note: The example below is using the database "local" for the system, so if the + + $ sudo touch /etc/dconf/db/local.d/locks/session + +-Add the following settings to prevent non-privileged users from modifying them: ++Add the following setting to prevent non-privileged users from modifying it: + +-/org/gnome/desktop/session/idle-delay +-/org/gnome/desktop/screensaver/lock-enabled +-/org/gnome/desktop/screensaver/lock-delay +-/org/gnome/settings-daemon/plugins/media-keys/logout +-/org/gnome/login-screen/disable-user-list +-/org/gnome/login-screen/banner-message-text +-/org/gnome/login-screen/banner-message-enable +-/org/gnome/desktop/lockdown/disable-lock-screenVerify the operating system prevents a user from overriding graphical user interfaces. ++/org/gnome/desktop/screensaver/lock-delayVerify the operating system prevents a user from overriding settings for graphical user interfaces. + + Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. + +@@ -2674,16 +2407,9 @@ Check that graphical settings are locked from non-privileged user modification w + + Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. 
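Review bot: The locks file now pins only `/org/gnome/desktop/screensaver/lock-delay`, so a non-privileged user can still change `lock-enabled` or `disable-lock-screen` and defeat the screensaver lock this requirement exists to enforce; the removed lines show those keys were previously locked by the same file. Unless this revision carries `idle-delay`, `lock-enabled` and `disable-lock-screen` under separate STIG IDs that are not part of this hunk, they should remain in `/etc/dconf/db/local.d/locks/session`. On the project side, the dconf-lock rules that were mapped to RHEL-08-020080 for those keys should be re-mapped to whatever ID now covers them rather than dropped from the STIG profile. The matching check text is in the next hunk.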
+ +-$ sudo grep -i 'idle\|lock\|log\|user\|banner' /etc/dconf/db/local.d/locks/* ++$ sudo grep -i lock-delay /etc/dconf/db/local.d/locks/* + +-/org/gnome/desktop/session/idle-delay +-/org/gnome/desktop/screensaver/lock-enabled + /org/gnome/desktop/screensaver/lock-delay +-/org/gnome/settings-daemon/plugins/media-keys/logout +-/org/gnome/login-screen/disable-user-list +-/org/gnome/login-screen/banner-message-text +-/org/gnome/login-screen/banner-message-enable +-/org/gnome/desktop/lockdown/disable-lock-screen + + If the command does not return at least the example result, this is a finding.SRG-OS-000068-GPOS-00036<GroupDescription></GroupDescription>RHEL-08-020090RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication.<VulnDiscussion>Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. + +@@ -3089,27 +2815,19 @@ gopher:x:13:30:gopher:/var/gopher:/sbin/nologin + + Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. + +-If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020330RHEL 8 must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" and add or edit the following line in "etc/ssh/sshd_config" to prevent logons with empty passwords. ++If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020330RHEL 8 must not allow accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Edit the following line in "etc/ssh/sshd_config" to prevent logons with empty passwords. + + PermitEmptyPasswords no + + The SSH daemon must be restarted for the changes to take effect. 
To restart the SSH daemon, run the following command: + +-$ sudo systemctl restart sshd.service +- +-Note: Manual changes to the listed files may be overwritten by the "authselect" program.To verify that null passwords cannot be used, run the following commands: +- +-$ sudo grep -i nullok /etc/pam.d/system-auth /etc/pam.d/password-auth +- +-If this produces any output, it may be possible to log on with accounts with empty passwords. ++$ sudo systemctl restart sshd.serviceTo verify that null passwords cannot be used, run the following command: + + $ sudo grep -i permitemptypasswords /etc/ssh/sshd_config + + PermitEmptyPasswords no + +-If "PermitEmptyPasswords" is set to "yes", or If null passwords can be used, this is a finding. +- +-Note: Manual changes to the listed files may be overwritten by the "authselect" program.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020340RHEL 8 must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". 
++If "PermitEmptyPasswords" is set to "yes", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020340RHEL 8 must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". + + Add the following line to the top of "/etc/pam.d/postlogin": + +@@ -3198,9 +2916,12 @@ $ sudo grep execve /etc/audit/audit.rules + -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv + -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv + +-If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-030010Cron logging must be implemented in RHEL 8.<VulnDiscussion>Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. 
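Review bot: With the `grep -i nullok /etc/pam.d/system-auth /etc/pam.d/password-auth` check removed, RHEL-08-020330 now verifies only `PermitEmptyPasswords no`, which closes the SSH path but leaves console, su and display-manager logons with a `nullok` PAM module unchecked even though the title still says the system must not allow blank-password accounts. Unless this revision moves the PAM check under separate STIG IDs not shown here, the removed grep belongs back in the check text, e.g. `$ sudo grep -i nullok /etc/pam.d/system-auth /etc/pam.d/password-auth` followed by "If this produces any output, this is a finding." For the project, the rule that strips `nullok` from the PAM stack should stay selected in the STIG profile and be re-mapped to the new ID rather than dropped, with only the sshd rule left mapped to 020330.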
It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory: ++If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-030010Cron logging must be implemented in RHEL 8.<VulnDiscussion>Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. 
It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory: + +-cron.* /var/log/cron.logVerify that "rsyslog" is configured to log cron events with the following command: ++cron.* /var/log/cron ++ ++The rsyslog daemon must be restarted for the changes to take effect: ++$ sudo systemctl restart rsyslog.serviceVerify that "rsyslog" is configured to log cron events with the following command: + + Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files. + +@@ -3208,7 +2929,7 @@ $ sudo grep -s cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf + + /etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none /var/log/messages + /etc/rsyslog.conf:# Log cron stuff +-/etc/rsyslog.conf:cron.* /var/log/cron.log ++/etc/rsyslog.conf:cron.* /var/log/cron + + If the command does not return a response, check for cron logging all facilities with the following command. + +@@ -3264,15 +2985,15 @@ $ sudo grep disk_error_action /etc/audit/auditd.conf + + disk_error_action = HALT + +-If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. 
If there is no evidence of appropriate action, this is a finding.SRG-OS-000047-GPOS-00023<GroupDescription></GroupDescription>RHEL-08-030050The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full.<VulnDiscussion>It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. ++If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. If there is no evidence of appropriate action, this is a finding.SRG-OS-000047-GPOS-00023<GroupDescription></GroupDescription>RHEL-08-030050The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full.<VulnDiscussion>It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. + + When availability is an overriding concern, other approved actions in response to an audit failure are as follows: + + 1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner. 
+ +-2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000140Configure RHEL 8 to notify the System Administrator (SA) and Information System Security Officer (ISSO) when the audit storage volume is full by configuring the "max_log_file_action" parameter in the "/etc/audit/auditd.conf" file with the a value of "syslog" or "keep_logs": ++2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. 
Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000140Configure RHEL 8 to notify the System Administrator (SA) and Information System Security Officer (ISSO) when the audit storage volume is full by configuring the "max_log_file_action" parameter in the "/etc/audit/auditd.conf" file with the a value of "syslog" or "keep_logs": + +-max_log_file_action=syslogVerify that the SA and ISSO (at a minimum) are notified when the audit storage volume is full. ++max_log_file_action = syslogVerify that the SA and ISSO (at a minimum) are notified when the audit storage volume is full. + + Check which action RHEL 8 takes when the audit storage volume is full with the following command: + +@@ -3620,7 +3341,7 @@ $ sudo grep /etc/sudoers.d/ /etc/audit/audit.rules + + -w /etc/sudoers.d/ -p wa -k identity + +-If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030180RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.<VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. 
++If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030180The RHEL 8 audit package must be installed.<VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. + + Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + +@@ -3630,9 +3351,9 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPO + + Install the audit service (if the audit service is not already installed) with the following command: + +-$ sudo yum install auditVerify the audit service is configured to produce audit records. ++$ sudo yum install auditVerify the audit service is configured to produce audit records. 
+ +-Check that the audit service is installed properly with the following command: ++Check that the audit service is installed with the following command: + + $ sudo yum list installed audit + +@@ -4038,17 +3759,17 @@ $ sudo grep -w "unix_chkpwd" /etc/audit/audit.rules + + -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update + +-If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030320Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030320Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-keysign" program is an SSH helper program for host-based authentication. + + When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. 
+ +-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-keysign" by adding or updating the following rule in the "/etc/audit/audit.rules" file: ++Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-keysign" by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: + + -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh + +-The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "ssh-keysign" by performing 
the following command to check the file system rules in "/etc/audit/audit.rules": ++The audit daemon must be restarted for the changes to take effect.Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "ssh-keysign" by performing the following command to check the file system rules in "/etc/audit/audit.rules": + + $ sudo grep ssh-keysign /etc/audit/audit.rules + +@@ -4744,7 +4465,7 @@ $ sudo grep audit /etc/default/grub + + GRUB_CMDLINE_LINUX="audit=1" + +-If "audit" is not set to "1", is missing or commented out, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>RHEL-08-030602RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.<VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++If "audit" is not set to "1", is missing or commented out, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>RHEL-08-030602RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.<VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. 
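Review bot: The fix text now writes the ssh-keysign rule to `/etc/audit/rules.d/audit.rules` while the check still greps the compiled `/etc/audit/audit.rules`; the two agree only after `augenrules --load` has regenerated the compiled file, which an auditd restart does only when augenrules is the configured loader (the RHEL 8 default, as far as I recall — verify). A check that reads the live ruleset avoids the dependency, e.g. `$ sudo auditctl -l | grep ssh-keysign`, or grep both `/etc/audit/audit.rules` and `/etc/audit/rules.d/*.rules`. The sibling privileged-command rules outside this hunk presumably have the same fix/check split.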
+ +@@ -4756,13 +4477,13 @@ $ sudo grubby --update-kernel=ALL --args="audit_backlog_limit=8192" + + Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: + +-GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"Verify RHEL 8 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following commands: ++GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"Verify RHEL 8 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following commands: + + $ sudo grub2-editenv - list | grep audit + + kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82 + +-If the "audit_backlog_limit" entry does not equal "8192", is missing, or the line is commented out, this is a finding. ++If the "audit_backlog_limit" entry does not equal "8192" or greater, is missing, or the line is commented out, this is a finding. + + Check the audit_backlog_limit is set to persist in kernel updates: + +@@ -4770,7 +4491,7 @@ $ sudo grep audit /etc/default/grub + + GRUB_CMDLINE_LINUX="audit_backlog_limit=8192" + +-If "audit_backlog_limit" is not set to "8192", is missing or commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030603RHEL 8 must enable Linux audit logging for the USBGuard daemon.<VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
++If "audit_backlog_limit" is not set to "8192" or greater, is missing or commented out, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030603RHEL 8 must enable Linux audit logging for the USBGuard daemon.<VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. + +@@ -4788,9 +4509,9 @@ DoD has defined the list of events for which RHEL 8 will provide an audit record + + 4) All kernel module load, unload, and restart actions. + +-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure RHEL 8 to enable Linux audit logging of the USBGuad daemon by adding or modifying the following line in "/etc/usbguard/usbguard-daemon.conf": ++Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 
8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure RHEL 8 to enable Linux audit logging of the USBGuard daemon by adding or modifying the following line in "/etc/usbguard/usbguard-daemon.conf": + +-AuditBackend=LinuxAuditVerify RHEL 8 enables Linux audit logging of the USBGuard daemon with the following commands: ++AuditBackend=LinuxAuditVerify RHEL 8 enables Linux audit logging of the USBGuard daemon with the following commands: + + Note: If the USBGuard daemon is not installed and enabled, this requirement is not applicable. + +@@ -4834,7 +4555,7 @@ $ sudo stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrac + 755 /sbin/rsyslogd + 755 /sbin/augenrules + +-If any of the audit tools has a mode more permissive than "0755", this is a finding.SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>RHEL-08-030630RHEL 8 audit tools must be owned by root.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. ++If any of the audit tools has a mode more permissive than "0755", this is a finding.SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>RHEL-08-030630RHEL 8 audit tools must be owned by root.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + + RHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. 
+ +@@ -4844,11 +4565,11 @@ Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPO + + $ sudo chown root [audit_tool] + +-Replace "[audit_tool]" with each audit tool not owned by "root".Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification. ++Replace "[audit_tool]" with each audit tool not owned by "root".Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification. + + Check the owner of each audit tool by running the following command: + +-$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslog /sbin/augenrules ++$ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules + + root /sbin/auditctl + root /sbin/aureport +@@ -4957,26 +4678,26 @@ $ sudo yum list installed rsyslog + + rsyslog.x86_64 8.1911.0-3.el8 @AppStream + +-If the "rsyslog" package is not installed, ask the administrator to indicate how audit logs are being offloaded and what packages are installed to support it. If there is no evidence of audit logs being offloaded, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-030680RHEL 8 must have the packages required for encrypting offloaded audit logs installed.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. ++If the "rsyslog" package is not installed, ask the administrator to indicate how audit logs are being offloaded and what packages are installed to support it. If there is no evidence of audit logs being offloaded, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-030680RHEL 8 must have the packages required for encrypting offloaded audit logs installed.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
+ + Off-loading is a common process in information systems with limited audit storage capacity. + +-RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. ++RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "rsyslog-gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + + Rsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above. 
+ Examples of each configuration: + UDP *.* @remotesystemname + TCP *.* @@remotesystemname + RELP *.* :omrelp:remotesystemname:2514 +-Note that a port number was given as there is no standard port for RELP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to encrypt offloaded audit logs by installing the required packages with the following command: ++Note that a port number was given as there is no standard port for RELP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to encrypt offloaded audit logs by installing the required packages with the following command: + +-$ sudo yum install gnutlsVerify the operating system has the packages required for encrypting offloaded audit logs installed with the following commands: ++$ sudo yum install rsyslog-gnutlsVerify the operating system has the packages required for encrypting offloaded audit logs installed with the following commands: + +-$ sudo yum list installed gnutls ++$ sudo yum list installed rsyslog-gnutls + +-gnutls.x86_64 3.6.8-9.el8 @anaconda ++rsyslog-gnutls.x86_64 8.1911.0-3.el8 @AppStream + +-If the "gnutls" package is not installed, ask the 
administrator to indicate how audit logs are being encrypted during offloading and what packages are installed to support it. If there is no evidence of audit logs being encrypted during offloading, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-08-030690The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. ++If the "rsyslog-gnutls" package is not installed, ask the administrator to indicate how audit logs are being encrypted during offloading and what packages are installed to support it. If there is no evidence of audit logs being encrypted during offloading, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-08-030690The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit storage capacity. + +@@ -5064,19 +4785,17 @@ $ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog. + + If the value of the "$ActionSendStreamDriverAuthMode" option is not set to "x509/name" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. 
+ +-If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-08-030730RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001855Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following lines in the /etc/audit/auditd.conf file. 
++If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-08-030730RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001855Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file. 
+ + space_left = 25% +-space_left_action = email + +-Note: Option names and values in the auditd.conf file are case insensitive.Verify RHEL 8 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following commands: ++Note: Option names and values in the auditd.conf file are case insensitive.Verify RHEL 8 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following commands: + +-$ sudo grep space_left /etc/audit/auditd.conf ++$ sudo grep -w space_left /etc/audit/auditd.conf + + space_left = 25% +-space_left_action = email + +-If the value of the "space_left" keyword is not set to "25%" and the "space_left_action" is not set to "email", or if these lines are commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. ++If the value of the "space_left" keyword is not set to "25%" or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. + + If there is no evidence that real-time alerts are configured on the system, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>RHEL-08-030740RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. 
Sources outside the configured acceptable allowance (drift) may be inaccurate. + +@@ -5322,34 +5041,34 @@ $ sudo grep -ri CAN /etc/modprobe.d/* | grep -i "blacklist" + + blacklist CAN + +-If the command does not return any output or the output is not "blacklist CAN", and use of the CAN protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-08-040023RHEL 8 must disable the stream control transmission (SCTP) protocol.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++If the command does not return any output or the output is not "blacklist CAN", and use of the CAN protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-08-040023RHEL 8 must disable the stream control transmission protocol (SCTP).<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + Failing to disconnect unused protocols can result in a system compromise. + +-The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. 
Disabling SCTP protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000381Configure the operating system to disable the ability to use the SCTP protocol kernel module. ++The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000381Configure the operating system to disable the ability to use the SCTP kernel module. + + Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": + + install SCTP /bin/true + blacklist SCTP + +-Reboot the system for the settings to take effect.Verify the operating system disables the ability to load the SCTP protocol kernel module. ++Reboot the system for the settings to take effect.Verify the operating system disables the ability to load the SCTP kernel module. 
+ + $ sudo grep -ri SCTP /etc/modprobe.d/* | grep -i "/bin/true" + + install SCTP /bin/true + +-If the command does not return any output, or the line is commented out, and use of the SCTP protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. ++If the command does not return any output, or the line is commented out, and use of the SCTP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. + +-Verify the operating system disables the ability to use the SCTP protocol. ++Verify the operating system disables the ability to use the SCTP. + +-Check to see if the SCTP protocol is disabled with the following command: ++Check to see if the SCTP is disabled with the following command: + + $ sudo grep -ri SCTP /etc/modprobe.d/* | grep -i "blacklist" + + blacklist SCTP + +-If the command does not return any output or the output is not "blacklist SCTP", and use of the SCTP protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-08-040024RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
++If the command does not return any output or the output is not "blacklist SCTP", and use of the SCTP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-08-040024RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + Failing to disconnect unused protocols can result in a system compromise. + +@@ -5532,27 +5251,21 @@ $ sudo firewall-cmd --info-zone=[custom] | grep target + + target: DROP + +-If no zones are active on the RHEL 8 interfaces or if the target is set to a different option other than "DROP", this is a finding.SRG-OS-000297-GPOS-00115<GroupDescription></GroupDescription>RHEL-08-040100A firewall must be installed on RHEL 8.<VulnDiscussion>"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. ++If no zones are active on the RHEL 8 interfaces or if the target is set to a different option other than "DROP", this is a finding.SRG-OS-000297-GPOS-00115<GroupDescription></GroupDescription>RHEL-08-040100A firewall must be installed on RHEL 8.<VulnDiscussion>"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. + + Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. 
+ + Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + +-RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002314Install "firewalld" and enable with the following commands: ++RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. 
Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002314Install "firewalld" with the following command: + +-$ sudo yum install firewalld.noarch +- +-$ sudo systemctl enable firewalldVerify that "firewalld" is installed and active with the following commands: ++$ sudo yum install firewalld.noarchVerify that "firewalld" is installed with the following commands: + + $ sudo yum list installed firewalld + + firewalld.noarch 0.7.0-5.el8 + +-$ sudo systemctl is-active firewalld +- +-active +- +-If the "firewalld" package is not installed and "active", ask the System Administrator if another firewall is installed. If no firewall is installed and active this is a finding.SRG-OS-000299-GPOS-00117<GroupDescription></GroupDescription>RHEL-08-040110RHEL 8 wireless network adapters must be disabled.<VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. ++If the "firewalld" package is not installed, ask the System Administrator if another firewall is installed. 
If no firewall is installed this is a finding.SRG-OS-000299-GPOS-00117<GroupDescription></GroupDescription>RHEL-08-040110RHEL 8 wireless network adapters must be disabled.<VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. + + This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +@@ -5890,7 +5603,7 @@ $ sudo cat /etc/fstab | grep /var/tmp + + /dev/mapper/rhel-var-log-audit /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 + +-If results are returned and the "noexec" option is missing, or if /var/tmp is mounted without the "noexec" option, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-08-040135The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.<VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. 
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. ++If results are returned and the "noexec" option is missing, or if /var/tmp is mounted without the "noexec" option, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-08-040135The RHEL 8 fapolicy module must be installed.<VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + + Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. + +@@ -5898,138 +5611,64 @@ User home directories/folders may contain information of a sensitive nature. Non + + RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access. + +-Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. 
+- +-Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001764Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with "fapolicyd" using the following commands: +- +-Install and enable "fapolicyd": +- +-$ sudo yum install fapolicyd.x86_64 +- +-$ sudo mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts +- +-$ sudo systemctl enable --now fapolicyd +- +-With the "fapolicyd" installed and enabled, configure the daemon to function in permissive mode until the whitelist is built correctly to avoid system lockout. Do this by editing the "/etc/fapolicyd/fapolicyd.conf" file with the following line: +- +-permissive = 1 +- +-Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny all all". ++Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. + +-Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file. 
++Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001764Install "fapolicyd" with the following command: + +-permissive = 0Verify the RHEL 8 "fapolicyd" is enabled and employs a deny-all, permit-by-exception policy. ++$ sudo yum install fapolicyd.x86_64Verify the RHEL 8 "fapolicyd" is installed. + +-Check that "fapolicyd" is installed, running, and in enforcing mode with the following commands: ++Check that "fapolicyd" is installed with the following command: + + $ sudo yum list installed fapolicyd + + Installed Packages + fapolicyd.x86_64 + +-$ sudo systemctl status fapolicyd.service ++If fapolicyd is not installed, this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>RHEL-08-040140RHEL 8 must block unauthorized peripherals before establishing a connection.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. + +-fapolicyd.service - File Access Policy Daemon +-Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled) +-Active: active (running) ++Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. + +-$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf ++A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. 
It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. + +-permissive = 0 ++The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001958Configure the operating system to enable the blocking of unauthorized peripherals with the following command: ++This command must be run from a root shell and will create an allow list for any usb devices currently connect to the system. 
+ +-Check that fapolicyd employs a deny-all policy on system mounts with the following commands: ++# usbguard generate-policy > /etc/usbguard/rules.conf + +-$ sudo tail /etc/fapolicyd/fapolicyd.rules ++Note: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouseVerify the USBGuard has a policy configured with the following command: + +-allow exe=/usr/bin/python3.4 dir=execdirs ftype=text/x-pyton +-deny_audit pattern ld_so all +-deny all all ++$ sudo usbguard list-rules + +-$ sudo cat /etc/fapolicyd/fapolicyd.mounts ++If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked. + +-/dev/shm +-/run +-/sys/fs/cgroup +-/ +-/home +-/boot +-/run/user/42 +-/run/user/1000 ++If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>RHEL-08-040150A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. + +-If fapolicyd is not running in enforcement mode on all system mounts with a deny-all, permit-by-exception policy, this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>RHEL-08-040140RHEL 8 must block unauthorized peripherals before establishing a connection.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. 
++This requirement addresses the configuration of RHEL 8 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. + +-Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. ++Since version 0.6.0, "firewalld" has incorporated "nftables" as its backend support. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002385Configure "nftables" to be the default "firewallbackend" for "firewalld" by adding or editing the following line in "etc/firewalld/firewalld.conf": + +-A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
++FirewallBackend=nftables + +-The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001958Configure the operating system to enable the blocking of unauthorized peripherals with the following commands: ++Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces.Verify "nftables" is configured to allow rate limits on any connection to the system with the following command: + +-$ sudo yum install usbguard.x86_64 ++Verify "firewalld" has "nftables" set as the default backend: + +-$ sudo usbguard generate-policy > /etc/usbguard/rules.conf ++$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf + +-$ sudo systemctl enable usbguard.service ++# FirewallBackend ++FirewallBackend=nftables + +-$ sudo systemctl start usbguard.service ++If the "nftables" is not set as the "firewallbackend" default, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-08-040160All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
+ +-Note: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouseVerify the operating system has enabled the use of USBGuard with the following command: ++This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +-$ sudo systemctl status usbguard.service ++Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
+ +-usbguard.service - USBGuard daemon +-Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset: disabled) +-Active: active (running) ++Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002418Configure the SSH service to automatically start after reboot with the following command: + +-If the usbguard.service is not installed and active, ask the SA to indicate how unauthorized peripherals are being blocked. ++$ sudo systemctl enable sshd.serviceVerify SSH is loaded and active with the following command: + +-If there is no evidence that unauthorized peripherals can be blocked before establishing a connection, this is a finding.SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>RHEL-08-040150A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. +- +-This requirement addresses the configuration of RHEL 8 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. 
A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. +- +-Since version 0.6.0, "firewalld" has incorporated "nftables" as its backend support. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002385Install "nftables" packages onto the host with the following commands: +- +-$ sudo yum install nftables.x86_64 1:0.9.0-14.el8 +- +-Configure the "nftables" service to automatically start after reboot with the following command: +- +-$ sudo systemctl enable nftables.service +- +-Configure "nftables" to be the default "firewallbackend" for "firewalld" by adding or editing the following line in "etc/firewalld/firewalld.conf": +- +-FirewallBackend=nftables +- +-Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces.Verify "nftables" is configured to allow rate limits on any connection to the system with the following commands: +- +-Check that the "nftables.service" is active and running: +- +-$ sudo systemctl status nftables.service +- +-nftables.service - Netfilter Tables +-Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled) +-Active: active (running) +- +-Verify "firewalld" has "nftables" set as the default backend: +- +-$ sudo grep -i firewallbackend 
/etc/firewalld/firewalld.conf +- +-# FirewallBackend +-FirewallBackend=nftables +- +-If the "nftables" is not active, running and set as the "firewallbackend" default, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-08-040160All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +- +-This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. +- +-Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
+- +-Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002418Install SSH packages onto the host with the following commands: +- +-$ sudo yum install openssh-server.x86_64 +- +-Configure the SSH service to automatically start after reboot with the following command: +- +-$ sudo systemctl enable sshd.serviceVerify SSH is loaded and active with the following command: +- +-$ sudo systemctl status sshd ++$ sudo systemctl status sshd + + sshd.service - OpenSSH server daemon + Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled) +@@ -6038,9 +5677,7 @@ Main PID: 1348 (sshd) + CGroup: /system.slice/sshd.service + 1053 /usr/sbin/sshd -D + +-If "sshd" does not show a status of "active" and "running", this is a finding. +- +-If the "SSH server" package is not installed, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-08-040161RHEL 8 must force a frequent session key renegotiation for SSH connections to the server.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
++If "sshd" does not show a status of "active" and "running", this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-08-040161RHEL 8 must force a frequent session key renegotiation for SSH connections to the server.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. + + This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +@@ -6060,26 +5697,6 @@ $ sudo grep -i RekeyLimit /etc/ssh/sshd_config + + RekeyLimit 1G 1h + +-If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing or commented out, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-08-040162RHEL 8 must force a frequent session key renegotiation for SSH connections by the client.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +- +-This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
+- +-Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. +- +-Session key regeneration limits the chances of a session key becoming compromised. +- +-Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000420-GPOS-00186, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000068Configure the system to force a frequent session key renegotiation for SSH connections by the client by add or modifying the following line in the "/etc/ssh/ssh_config" file: +- +-RekeyLimit 1G 1h +- +-Restart the SSH daemon for the settings to take effect. +- +-$ sudo systemctl restart sshd.serviceVerify the SSH client is configured to force frequent session key renegotiation with the following command: +- +-$ sudo grep -i RekeyLimit /etc/ssh/ssh_config +- +-RekeyLimit 1G 1h +- + If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing or commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040170The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.<VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. 
If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command: + + $ sudo systemctl mask ctrl-alt-del.target +@@ -6157,28 +5774,23 @@ If the account is associated with system commands or applications, the UID shoul + + $ sudo awk -F: '$3 == 0 {print $1}' /etc/passwd + +-If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040210RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent ICMP redirect messages from being accepted with the following command: +- +-$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0 ++If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040210RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted with the following command: + + $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 + + If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d": + +-net.ipv4.conf.default.accept_redirects=0 +- +-net.ipv6.conf.default.accept_redirects=0Verify RHEL 8 will not accept ICMP redirect messages. ++net.ipv6.conf.default.accept_redirects=0Verify RHEL 8 will not accept IPv6 ICMP redirect messages. + +-Note: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version. ++Note: If IPv6 is disabled on the system, this requirement is Not Applicable. 
+ + Check the value of the default "accept_redirects" variables with the following command: + +-$ sudo sysctl net.ipv4.conf.default.accept_redirects net.ipv6.conf.default.accept_redirects ++$ sudo sysctl net.ipv6.conf.default.accept_redirects + +-net.ipv4.conf.default.accept_redirects = 0 + net.ipv6.conf.default.accept_redirects = 0 + +-If the returned lines do not have a value of "0", or a line is not returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040220RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. ++If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040220RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. + + There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. 
Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not allow interfaces to perform IPv4 ICMP redirects with the following command: + +@@ -6186,9 +5798,9 @@ $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0 + + If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d": + +-net.ipv4.conf.all.send_redirects=0Verify RHEL 8 does not IPv4 ICMP redirect messages. ++net.ipv4.conf.all.send_redirects=0Verify RHEL 8 does not IPv4 ICMP redirect messages. + +-Note: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version. ++Note: If IPv4 is disabled on the system, this requirement is Not Applicable. + + Check the value of the "all send_redirects" variables with the following command: + +@@ -6196,7 +5808,7 @@ $ sudo sysctl net.ipv4.conf.all.send_redirects + + net.ipv4.conf.all.send_redirects = 0 + +-If the returned line does not have a value of "0", or a line is not returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040230RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. 
++If the returned line does not have a value of "0", or a line is not returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040230RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. + + There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address with the following command: + +@@ -6204,59 +5816,48 @@ $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 + + If "1" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d": + +-net.ipv4.icmp_echo_ignore_broadcasts=1Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address. +- +-Note: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version. ++net.ipv4.icmp_echo_ignore_broadcasts=1Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address. 
+ ++Note: If IPv4 is disabled on the system, this requirement is Not Applicable. + Check the value of the "icmp_echo_ignore_broadcasts" variable with the following command: + + $ sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts + + net.ipv4.icmp_echo_ignore_broadcasts = 1 + +-If the returned line does not have a value of "1", a line is not returned, or the retuned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040240RHEL 8 must not forward source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not forward source-routed packets with the following commands: +- +-$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0 ++If the returned line does not have a value of "1", a line is not returned, or the retuned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040240RHEL 8 must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not forward IPv6 source-routed packets with the following command: + + $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0 + +-If "0" is not the system's all value then add or update the following lines in the appropriate file under "/etc/sysctl.d": +- +-net.ipv4.conf.all.accept_source_route=0 ++If "0" is not the system's all value then add or update the following line in the appropriate file under "/etc/sysctl.d": + +-net.ipv6.conf.all.accept_source_route=0Verify RHEL 8 does not accept source-routed packets. ++net.ipv6.conf.all.accept_source_route=0Verify RHEL 8 does not accept IPv6 source-routed packets. + +-Note: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version. ++Note: If IPv6 is disabled on the system, this requirement is Not Applicable. 
+ + Check the value of the accept source route variable with the following command: + +-$ sudo sysctl net.ipv4.conf.all.accept_source_route net.ipv6.conf.all.accept_source_route ++$ sudo sysctl net.ipv6.conf.all.accept_source_route + +-net.ipv4.conf.all.accept_source_route = 0 + net.ipv6.conf.all.accept_source_route = 0 + +-If the returned lines do not have a value of "0", a line is not returned, or either returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040250RHEL 8 must not forward source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not forward source-routed packets by default with the following commands: +- +-$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0 ++If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040250RHEL 8 must not forward IPv6 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on 
the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not forward IPv6 source-routed packets by default with the following command: + + $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0 + +-If "0" is not the system's default value then add or update the following lines in the appropriate file under "/etc/sysctl.d": +- +-net.ipv4.conf.default.accept_source_route=0 ++If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d": + +-net.ipv6.conf.default.accept_source_route=0Verify RHEL 8 does not accept source-routed packets by default. ++net.ipv6.conf.default.accept_source_route=0Verify RHEL 8 does not accept IPv6 source-routed packets by default. + +-Note: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version. ++Note: If IPv6 is disabled on the system, this requirement is Not Applicable. 
+ + Check the value of the accept source route variable with the following command: + +-$ sudo sysctl net.ipv4.conf.default.accept_source_route net.ipv6.conf.default.accept_source_route ++$ sudo sysctl net.ipv6.conf.default.accept_source_route + +-net.ipv4.conf.default.accept_source_route = 0 + net.ipv6.conf.default.accept_source_route = 0 + +-If the returned lines do not have a value of "0", a line is not returned, or either returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040260RHEL 8 must not be performing packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not allow packet forwarding, unless the system is a router with the following commands: ++If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040260RHEL 8 must not be performing packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not allow packet forwarding, unless the system is a router with the following commands: + + $ sudo sysctl -w net.ipv4.ip_forward=0 + +@@ -6316,7 +5917,7 @@ $ sudo sysctl net.ipv6.conf.default.accept_ra + + net.ipv6.conf.default.accept_ra = 0 + +-If the "accept_ra" value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040270RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. ++If the "accept_ra" value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040270RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology. + + There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default with the following command: + +@@ -6324,9 +5925,9 @@ $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0 + + If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d": + +-net.ipv4.conf.default.send_redirects=0Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. ++net.ipv4.conf.default.send_redirects=0Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. + +-Note: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version. ++Note: If IPv4 is disabled on the system, this requirement is Not Applicable. 
+ + Check the value of the "default send_redirects" variables with the following command: + +@@ -6334,28 +5935,23 @@ $ sudo sysctl net.ipv4.conf.default.send_redirects + + net.ipv4.conf.default.send_redirects=0 + +-If the returned line does not have a value of "0", or a line is not returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040280RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to ignore ICMP redirect messages with the following commands: +- +-$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 ++If the returned line does not have a value of "0", or a line is not returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040280RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
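Review bot: The new RHEL-08-040270 check text still bases the finding solely on the runtime `sysctl net.ipv4.conf.default.send_redirects` query, so the "a line is not returned" / value test says nothing about whether the setting is persisted and survives a reboot, and unlike the RHEL-08-040250 text rewritten in the hunk above it does not mention a commented-out or missing `/etc/sysctl.d` entry at all. I would extend the check with something like `$ sudo grep -r net.ipv4.conf.default.send_redirects /etc/sysctl.d/*.conf /etc/sysctl.conf` and add "or the persisted value under /etc/sysctl.d is missing or commented out" to the finding sentence, so the runtime and persisted states are both assessed consistently with the sibling rule. Also note that `sysctl` prints `net.ipv4.conf.default.send_redirects = 0` with spaces around `=`, so the expected-output line `net.ipv4.conf.default.send_redirects=0` will not match literally; the fix text is the only place the no-space form belongs. The new Note makes the rule Not Applicable when IPv4 is disabled, which is fine, but since `default.*` only governs interfaces created after the value is set, a reader should be reminded that the companion `all.send_redirects` rule must still be met; the rule's description starts in the previous hunk, outside this one.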
An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to ignore IPv6 ICMP redirect messages with the following command: + + $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 + +-If "0" is not the system's default value then add or update the following lines in the appropriate file under "/etc/sysctl.d": +- +-net.ipv4.conf.all.accept_redirects = 0 ++If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d": + +-net.ipv6.conf.all.accept_redirects = 0Verify RHEL 8 ignores ICMP redirect messages. ++net.ipv6.conf.all.accept_redirects = 0Verify RHEL 8 ignores IPv6 ICMP redirect messages. + +-Note: If either IPv4 or IPv6 is disabled on the system, this requirement only applies to the active internet protocol version. ++Note: If IPv6 is disabled on the system, this requirement is Not Applicable. 
+ + Check the value of the "accept_redirects" variables with the following command: + +-$ sudo sysctl net.ipv4.conf.all.accept_redirects net.ipv6.conf.all.accept_redirects ++$ sudo sysctl net.ipv6.conf.all.accept_redirects + +-net.ipv4.conf.all.accept_redirects = 0 + net.ipv6.conf.all.accept_redirects = 0 + +-If both of the returned lines do not have a value of "0", or a line is not returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040281RHEL 8 must disable access to network bpf syscall from unprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file in the "/etc/sysctl.d" directory: ++If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040281RHEL 8 must disable access to network bpf syscall from unprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file in the "/etc/sysctl.d" directory: + + kernel.unprivileged_bpf_disabled = 1 + +@@ -6656,4 +6252,664 @@ Note: The "[value]" must be a number that is greater than or equal to "0". +\ No newline at end of file ++If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-08-010049RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. ++ ++System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. 
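Review bot: The rewritten RHEL-08-040280 check verifies only `net.ipv6.conf.all.accept_redirects`, and for IPv6 that is probably not sufficient on its own: as far as I recall, the kernel consults the per-interface `accept_redirects` value when it processes a Neighbor Discovery redirect and writing to `all.` does not propagate to existing interfaces the way the IPv4 `all`/interface values are combined, so a host with `all=0` but `default=1` (or an interface still at 1) could keep honouring unauthenticated redirects — please confirm against the kernel's ipv6 sysctl documentation before relying on this. I would have the check also query `$ sudo sysctl net.ipv6.conf.default.accept_redirects` and state that the finding applies if either line is not "0", and add a sentence that per-interface values may be inspected with `sysctl -a --pattern 'net.ipv6.conf.*.accept_redirects'`. Separately, the new finding sentence "… a line is not returned, or the line is commented out" cannot be evaluated from a runtime `sysctl` query; either drop the commented-out clause or pair the check with a `grep` of `/etc/sysctl.d/*.conf` and `/etc/sysctl.conf` for the persisted setting, as the fix text already points there. The IPv4 half removed here is presumably carried by another rule elsewhere in the patch; that is outside this hunk, so I have not checked it.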
++ ++Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000048Configure the operating system to display a banner before granting access to the system. ++ ++Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. ++ ++Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: ++ ++$ sudo touch /etc/dconf/db/local.d/01-banner-message ++ ++Add the following lines to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": ++ ++[org/gnome/login-screen] ++ ++banner-message-enable=true ++ ++Run the following command to update the database: ++ ++$ sudo dconf updateVerify RHEL 8 displays a banner before granting access to the operating system via a graphical user logon. ++ ++Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. 
++ ++Check to see if the operating system displays a banner at the logon screen with the following command: ++ ++$ sudo grep banner-message-enable /etc/dconf/db/local.d/* ++ ++banner-message-enable=true ++ ++If "banner-message-enable" is set to "false" or is missing, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-08-010131The RHEL 8 system-auth file must be configured to use a sufficient number of hashing rounds.<VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. ++ ++Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000196Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash. 
++ ++Edit/modify the following line in the "etc/pam.d/system-auth" file and set "rounds" to a value no lower than "5000": ++ ++password sufficient pam_unix.so sha512 rounds=5000Check that a minimum number of hash rounds is configured by running the following command: ++ ++$ sudo grep rounds /etc/pam.d/system-auth ++ ++password sufficient pam_unix.so sha512 rounds=5000 ++ ++If "rounds" has a value below "5000", or is commented out, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010141RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to have a unique name for the grub superusers account. ++ ++Edit the /etc/grub.d/01_users file and add or modify the following lines: ++ ++set superusers="[someuniquestringhere]" ++export superusers ++password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} ++ ++Generate a new grub.cfg file with the following command: ++ ++$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfgFor systems that use BIOS, this is Not Applicable. 
++ ++Verify that a unique name is set as the "superusers" account: ++ ++$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg ++set superusers="[someuniquestringhere]" ++export superusers ++ ++If "superusers" is not set to a unique name or is missing a name, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010149RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to have a unique name for the grub superusers account. ++ ++Edit the /etc/grub.d/01_users file and add or modify the following lines: ++ ++set superusers="[someuniquestringhere]" ++export superusers ++password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} ++ ++Generate a new grub.cfg file with the following command: ++ ++$ sudo grub2-mkconfig -o /boot/grub2/grub.cfgFor systems that use UEFI, this is Not Applicable. 
++ ++Verify that a unique name is set as the "superusers" account: ++ ++$ sudo grep -iw "superusers" /boot/grub2/grub.cfg ++set superusers="[someuniquestringhere]" ++export superusers ++ ++If "superusers" is not set to a unique name or is missing a name, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-08-010152RHEL 8 operating systems must require authentication upon booting into emergency mode.<VulnDiscussion>If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000213Configure the system to require authentication upon booting into emergency mode by adding the following line to the "/usr/lib/systemd/system/emergency.service" file. 
++ ++ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergencyCheck to see if the system requires authentication for emergency mode with the following command: ++ ++$ sudo grep sulogin-shell /usr/lib/systemd/system/emergency.service ++ ++ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency ++ ++If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell emergency", commented out, or missing, this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>RHEL-08-010159The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. ++ ++RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. ++ ++FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000803Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. 
++ ++Edit/modify the following line in the "/etc/pam.d/system-auth" file to include the sha512 option for pam_unix.so: ++ ++password sufficient pam_unix.so sha512 rounds=5000Verify that pam_unix.so module is configured to use sha512. ++ ++Check that pam_unix.so module is configured to use sha512 in /etc/pam.d/system-auth with the following command: ++ ++$ sudo grep password /etc/pam.d/system-auth | grep pam_unix ++ ++password sufficient pam_unix.so sha512 rounds=5000 ++ ++If "sha512" is missing, or is commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-08-010201The RHEL 8 SSH daemon must be configured with a timeout interval.<VulnDiscussion>Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. ++ ++Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. ++ ++RHEL 8 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. 
The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. ++ ++Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000126-GPOS-00066, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001133Configure RHEL 8 to automatically terminate all network connections associated with SSH traffic at the end of a session or after 10 minutes of inactivity. ++ ++Modify or append the following lines in the "/etc/ssh/sshd_config" file: ++ ++ClientAliveInterval 600 ++ ++In order for the changes to take effect, the SSH daemon must be restarted. ++ ++$ sudo systemctl restart sshd.serviceVerify all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity. 
++ ++Check that the "ClientAliveInterval" variable is set to a value of "600" or less by performing the following command: ++ ++$ sudo grep -i clientalive /etc/ssh/sshd_config ++ ++ClientAliveInterval 600 ++ClientAliveCountMax 0 ++ ++If "ClientAliveInterval" does not exist, does not have a value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010287The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. ++ ++Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. ++ ++Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. ++ ++RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory. 
++ ++Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH daemon to use system-wide crypto policies by adding the following line to /etc/sysconfig/sshd: ++ ++# crypto_policy= ++ ++A reboot is required for the changes to take effect.Verify that system-wide crypto policies are in effect: ++ ++$ sudo grep -i crypto_policy /etc/sysconfig/sshd ++ ++# crypto_policy= ++ ++If the "crypto_policy" is uncommented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010472RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. ++ ++The rngd service feeds random data from hardware device to kernel random device. 
Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Install the packages required to enabled the hardware random number generator entropy gatherer service with the following command: ++ ++$ sudo yum install rng-toolsCheck that RHEL 8 has the packages required to enabled the hardware random number generator entropy gatherer service with the following command: ++ ++$ sudo yum list installed rng-tools ++ ++rng-tools.x86_64 6.8-3.el8 @anaconda ++ ++If the "rng-tools" package is not installed, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010522The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the SSH daemon to not allow GSSAPI authentication. 
++ ++Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no": ++ ++GSSAPIAuthentication no ++ ++The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: ++ ++$ sudo systemctl restart sshd.serviceVerify the SSH daemon does not allow GSSAPI authentication with the following command: ++ ++$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config ++ ++GSSAPIAuthentication no ++ ++If the value is returned as "yes", the returned line is commented out, no output is returned, or has not been documented with the ISSO, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010544RHEL 8 must use a separate file system for /var/tmp.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Migrate the "/var/tmp" path onto a separate file system.Verify that a separate file system/partition has been created for "/var/tmp". 
++ ++Check that a file system/partition has been created for "/var/tmp" with the following command: ++ ++$ sudo grep /var/tmp /etc/fstab ++ ++UUID=c274f65f /var/tmp xfs noatime,nobarrier 1 2 ++ ++If a separate entry for "/var/tmp" is not in use, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010572RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.For systems that use BIOS, this is Not Applicable. 
++ ++Verify the /boot/efi directory is mounted with the "nosuid" option with the following command: ++ ++$ sudo mount | grep '\s/boot/efi\s' ++ ++/dev/sda1 on /boot/efi type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota) ++ ++If the /boot/efi file system does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010731All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.<VulnDiscussion>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Set the mode on files and directories in the local interactive user home directory with the following command: ++ ++Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group. ++ ++$ sudo chmod 0750 /home/smithj/<file or directory>Verify all files and directories contained in a local interactive user home directory, excluding local initialization files, have a mode of "0750". ++Files that begin with a "." are excluded from this requirement. ++ ++Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". 
++ ++$ sudo ls -lLR /home/smithj ++-rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1 ++-rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2 ++-rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3 ++ ++If any files or directories are found with a mode more permissive than "0750", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010741RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.<VulnDiscussion>If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Change the group of a local interactive user's files and directories to a group that the interactive user is a member. To change the group owner of a local interactive user's files and directories, use the following command: ++ ++Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group. ++ ++$ sudo chgrp smithj /home/smithj/<file or directory>Verify all files and directories in a local interactive user home directory are group-owned by a group that the user is a member. ++ ++Check the group owner of all files and directories in a local interactive user's home directory with the following command: ++ ++Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". 
++ ++$ sudo ls -lLR /<home directory>/<users home directory>/ ++-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1 ++-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2 ++-rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3 ++ ++If any files found with a group-owner different from the home directory user private group, check to see if the user is a member of that group with the following command: ++ ++$ sudo grep smithj /etc/group ++sa:x:100:juan,shelley,bob,smithj ++smithj:x:521:smithj ++ ++If any files or directories are group owned by a group that the directory owner is not a member of, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020025RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. ++ ++In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. ++ ++From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. ++The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password. 
++ ++Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000044Configure the operating system to include the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. ++ ++Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" file to match the following lines: ++Note: The "preauth" line must be listed before pam_unix.so. ++ ++auth required pam_faillock.so preauth ++auth required pam_faillock.so authfail ++account required pam_faillock.soNote: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. ++ ++Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" file: ++ ++$ sudo grep pam_faillock.so /etc/pam.d/system-auth ++ ++auth required pam_faillock.so preauth ++auth required pam_faillock.so authfail ++account required pam_faillock.so ++If the pam_faillock.so module is not present in the "/etc/pam.d/system-auth" file with the "preauth" line listed before pam_unix.so, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>RHEL-08-020026RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. 
++ ++In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. ++ ++From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. ++The preauth argument must be used when the module is called before the modules which ask for the user credentials such as the password. ++ ++Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000044Configure the operating system to include the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. ++ ++Add/Modify the appropriate sections of the "/etc/pam.d/password-auth" file to match the following lines: ++Note: The "preauth" line must be listed before pam_unix.so. ++ ++auth required pam_faillock.so preauth ++auth required pam_faillock.so authfail ++account required pam_faillock.soNote: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. 
++ ++Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file: ++ ++$ sudo grep pam_faillock.so /etc/pam.d/password-auth ++ ++auth required pam_faillock.so preauth ++auth required pam_faillock.so authfail ++account required pam_faillock.so ++ ++If the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-08-020031RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. ++ ++The session lock is implemented at the point where session activity can be determined and/or controlled. ++ ++Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000057Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated. 
++ ++Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: ++ ++Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. ++ ++$ sudo touch /etc/dconf/db/local.d/00-screensaver ++ ++[org/gnome/desktop/screensaver] ++lock-delay=uint32 5 ++ ++The "uint32" must be included along with the integer key values as shown. ++ ++Update the system databases: ++ ++$ sudo dconf updateVerify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated with the following command: ++ ++Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. ++ ++$ sudo gsettings get org.gnome.desktop.screensaver lock-delay ++ ++uint32 5 ++ ++If the "uint32" setting is missing, or is not set to "5" or less, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020032RHEL 8 must disable the user list at logon for graphical user interfaces.<VulnDiscussion>Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without authenticated access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to disable the user list at logon for 
graphical user interfaces. ++ ++Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: ++Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. ++ ++$ sudo touch /etc/dconf/db/local.d/02-login-screen ++ ++[org/gnome/login-screen] ++disable-user-list=true ++ ++Update the system databases: ++$ sudo dconf updateVerify the operating system disables the user logon list for graphical user interfaces with the following command: ++Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. ++ ++$ sudo gsettings get org.gnome.login-screen disable-user-list ++true ++ ++If the setting is "false", this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020039RHEL 8 must have the tmux package installed.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. ++The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. ++Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. 
++ ++Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000056Configure the operating system to enable a user to initiate a session lock via tmux. ++ ++Install the "tmux" package, if it is not already installed, by running the following command: ++ ++$ sudo yum install tmuxVerify RHEL 8 has the "tmux" package installed, by running the following command: ++ ++$ sudo yum list installed tmux ++ ++tmux.x86.64 2.7-1.el8 @repository ++ ++If "tmux" is not installed, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-08-020081RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. ++ ++The session lock is implemented at the point where session activity can be determined and/or controlled. ++ ++Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. 
++ ++Locking these settings from non-privileged users is crucial to maintaining a protected baseline. ++ ++Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000057Configure the operating system to prevent a user from overriding settings for graphical user interfaces. ++ ++Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: ++ ++Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. ++ ++$ sudo touch /etc/dconf/db/local.d/locks/session ++ ++Add the following setting to prevent non-privileged users from modifying it: ++ ++/org/gnome/desktop/session/idle-delayVerify the operating system prevents a user from overriding settings for graphical user interfaces. ++ ++Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. ++ ++Determine which profile the system database is using with the following command: ++ ++$ sudo grep system-db /etc/dconf/profile/user ++ ++system-db:local ++ ++Check that graphical settings are locked from non-privileged user modification with the following command: ++ ++Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". 
This path must be modified if a database other than "local" is being used. ++ ++$ sudo grep -i idle /etc/dconf/db/local.d/locks/* ++ ++/org/gnome/desktop/session/idle-delay ++ ++If the command does not return at least the example result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-08-020082RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. ++ ++The session lock is implemented at the point where session activity can be determined and/or controlled. ++ ++Implementing session settings will have little value if a user is able to manipulate these settings from the defaults prescribed in the other requirements of this implementation guide. ++ ++Locking these settings from non-privileged users is crucial to maintaining a protected baseline. ++ ++Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000057Configure the operating system to prevent a user from overriding settings for graphical user interfaces. 
++ ++Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: ++ ++Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. ++ ++$ sudo touch /etc/dconf/db/local.d/locks/session ++ ++Add the following setting to prevent non-privileged users from modifying it: ++ ++/org/gnome/desktop/screensaver/lock-enabledVerify the operating system prevents a user from overriding settings for graphical user interfaces. ++ ++Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. ++ ++Determine which profile the system database is using with the following command: ++ ++$ sudo grep system-db /etc/dconf/profile/user ++ ++system-db:local ++ ++Check that graphical settings are locked from non-privileged user modification with the following command: ++ ++Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. ++ ++$ sudo grep -i lock-enabled /etc/dconf/db/local.d/locks/* ++ ++/org/gnome/desktop/screensaver/lock-enabled ++ ++If the command does not return at least the example result, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020331RHEL 8 must not allow blank or null passwords in the system-auth file.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Remove any instances of the "nullok" option in the "/etc/pam.d/system-auth" file to prevent logons with empty passwords. ++ ++Note: Manual changes to the listed file may be overwritten by the "authselect" program.To verify that null passwords cannot be used, run the following command: ++ ++$ sudo grep -i nullok /etc/pam.d/system-auth ++ ++If output is produced, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020332RHEL 8 must not allow blank or null passwords in the password-auth file.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Remove any instances of the "nullok" option in the "/etc/pam.d/password-auth" file to prevent logons with empty passwords. 
++ ++Note: Manual changes to the listed file may be overwritten by the "authselect" program.To verify that null passwords cannot be used, run the following command: ++ ++$ sudo grep -i nullok /etc/pam.d/password-auth ++ ++If output is produced, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>RHEL-08-030181RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.<VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. ++ ++Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. ++ ++Associating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system. 
++ ++Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000169Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred with the following commands: ++ ++$ sudo systemctl enable auditd.service ++ ++$ sudo systemctl start auditd.serviceVerify the audit service is configured to produce audit records with the following command: ++ ++$ sudo systemctl status auditd.service. 
++ ++auditd.service - Security Auditing Service ++Loaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) ++Active: active (running) since Tues 2020-12-11 12:56:56 EST; 4 weeks 0 days ago ++ ++If the audit service is not "active" and "running", this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-08-030731RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001855Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file. 
++ ++space_left_action = email ++ ++Note: Option names and values in the auditd.conf file are case insensitive.Verify RHEL 8 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: ++ ++$ sudo grep -w space_left_action /etc/audit/auditd.conf ++ ++space_left_action = email ++ ++If the value of the "space_left_action" is not set to "email", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. ++ ++If there is no evidence that real-time alerts are configured on the system, this is a finding.SRG-OS-000297-GPOS-00115<GroupDescription></GroupDescription>RHEL-08-040101A firewall must be active on RHEL 8.<VulnDiscussion>"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. ++ ++Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. ++ ++Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. ++RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. 
Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002314Configure "firewalld" to protect the operating system with the following command: ++ ++$ sudo systemctl enable firewalldVerify that "firewalld" is active with the following commands: ++ ++$ sudo systemctl is-active firewalld ++ ++active ++ ++If the "firewalld" package is not "active", ask the System Administrator if another firewall is installed. If no firewall is installed and active this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-08-040136The RHEL 8 fapolicy module must be enabled.<VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. ++ ++Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. ++ ++User home directories/folders may contain information of a sensitive nature. 
Non-privileged users should coordinate any sharing of information with an SA through shared resources. ++ ++RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access. ++ ++Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. ++ ++Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001764Enable "fapolicyd" using the following command: ++ ++$ sudo systemctl enable --now fapolicydVerify the RHEL 8 "fapolicyd" is enabled and running with the following command: ++ ++$ sudo systemctl status fapolicyd.service ++ ++fapolicyd.service - File Access Policy Daemon ++Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled) ++Active: active (running) ++ ++If fapolicyd is not enabled and running, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-08-040137The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.<VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. 
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. ++ ++Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. ++ ++User home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. ++ ++RHEL 8 ships with many optional packages. One such package is a file access policy daemon called "fapolicyd". "fapolicyd" is a userspace daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access. ++ ++Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. 
++ ++Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001764Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with "fapolicyd" using the following command: ++ ++Note: Running this command requires a root shell ++ ++# mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts ++ ++With the "fapolicyd" installed and enabled, configure the daemon to function in permissive mode until the whitelist is built correctly to avoid system lockout. Do this by editing the "/etc/fapolicyd/fapolicyd.conf" file with the following line: ++ ++permissive = 1 ++ ++Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all". ++ ++Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file. ++ ++permissive = 0Verify the RHEL 8 "fapolicyd" employs a deny-all, permit-by-exception policy. 
++ ++Check that "fapolicyd" is in enforcement mode with the following command: ++ ++$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf ++ ++permissive = 0 ++ ++Check that fapolicyd employs a deny-all policy on system mounts with the following commands: ++ ++$ sudo tail /etc/fapolicyd/fapolicyd.rules ++ ++allow exe=/usr/bin/python3.7 : ftype=text/x-python ++deny_audit perm=any pattern=ld_so : all ++deny perm=any all : all ++ ++$ sudo cat /etc/fapolicyd/fapolicyd.mounts ++ ++/dev/shm ++/run ++/sys/fs/cgroup ++/ ++/home ++/boot ++/run/user/42 ++/run/user/1000 ++ ++If fapolicyd is not running in enforcement mode on all system mounts with a deny-all, permit-by-exception policy, this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>RHEL-08-040139RHEL 8 must have the USBGuard installed.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. ++Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. ++A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. 
++ ++The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001958Install the USBGuard package with the following command: ++ ++$ sudo yum install usbguard.x86_64Verify USBGuard is installed on the operating system with the following command: ++ ++$ sudo yum list installed usbguard ++ ++Installed Packages ++usbguard.x86_64 0.7.8-7.el8 @ol8_appstream ++ ++If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. ++If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>RHEL-08-040141RHEL 8 must enable the USBGuard.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. ++ ++Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. ++ ++A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. 
The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool. ++ ++The System Administrator (SA) must work with the site Information System Security Officer (ISSO) to determine a list of authorized peripherals and establish rules within the USBGuard software framework to allow only authorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001958Configure the operating system to enable the blocking of unauthorized peripherals with the following commands: ++ ++$ sudo systemctl enable usbguard.service ++ ++$ sudo systemctl start usbguard.service ++ ++Note: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouseVerify the operating system has enabled the use of the USBGuard with the following command: ++ ++$ sudo systemctl status usbguard.service ++ ++usbguard.service - USBGuard daemon ++Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset: disabled) ++Active: active (running) ++ ++If the usbguard.service is not enabled and active, ask the SA to indicate how unauthorized peripherals are being blocked. 
++If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-08-040159All RHEL 8 networked systems must have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. ++ ++This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. ++ ++Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
++ ++Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002418Install SSH packages onto the host with the following command: ++ ++$ sudo yum install openssh-server.x86_64Verify SSH is installed with the following command: ++ ++$ sudo yum list installed openssh-server ++ ++openssh-server.x86_64 8.0p1-5.el8 @anaconda ++ ++If the "SSH server" package is not installed, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040209RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent IPv4 ICMP redirect messages from being accepted with the following command: ++ ++$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0 ++ ++If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d": ++ ++net.ipv4.conf.default.accept_redirects=0Verify RHEL 8 will not accept IPv4 ICMP redirect messages. ++ ++Note: If IPv4 is disabled on the system, this requirement is Not Applicable. ++ ++Check the value of the default "accept_redirects" variables with the following command: ++ ++$ sudo sysctl net.ipv4.conf.default.accept_redirects ++ ++net.ipv4.conf.default.accept_redirects = 0 ++ ++If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040239RHEL 8 must not forward IPv4 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not forward IPv4 source-routed packets with the following command: ++ ++$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0 ++ ++If "0" is not the system's all value then add or update the following line in the appropriate file under "/etc/sysctl.d": ++ ++net.ipv4.conf.all.accept_source_route=0Verify RHEL 8 does not accept IPv4 source-routed packets. ++ ++Note: If IPv4 is disabled on the system, this requirement is Not Applicable. ++ ++Check the value of the accept source route variable with the following command: ++ ++$ sudo sysctl net.ipv4.conf.all.accept_source_route ++ ++net.ipv4.conf.all.accept_source_route = 0 ++ ++If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040249RHEL 8 must not forward IPv4 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to not forward IPv4 source-routed packets by default with the following command: ++ ++$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0 ++ ++If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d": ++ ++net.ipv4.conf.default.accept_source_route=0Verify RHEL 8 does not accept IPv4 source-routed packets by default. ++ ++Note: If IPv4 is disabled on the system, this requirement is Not Applicable. ++ ++Check the value of the accept source route variable with the following command: ++ ++$ sudo sysctl net.ipv4.conf.default.accept_source_route ++ ++net.ipv4.conf.default.accept_source_route = 0 ++ ++If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040279RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to ignore IPv4 ICMP redirect messages with the following command: ++ ++$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 ++ ++If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d": ++ ++net.ipv4.conf.all.accept_redirects = 0Verify RHEL 8 ignores IPv4 ICMP redirect messages. ++ ++Note: If IPv4 is disabled on the system, this requirement is Not Applicable. ++ ++Check the value of the "accept_redirects" variables with the following command: ++ ++$ sudo sysctl net.ipv4.conf.all.accept_redirects ++ ++net.ipv4.conf.all.accept_redirects = 0 ++ ++If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040286RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. 
Setting the value to "2" enables JIT hardening for all users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file in the "/etc/sysctl.d" directory: ++ ++net.core.bpf_jit_harden = 2 ++ ++The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: ++ ++$ sudo sysctl --systemVerify RHEL 8 enables hardening for the BPF JIT with the following commands: ++ ++$ sudo sysctl net.core.bpf_jit_harden ++ ++net.core.bpf_jit_harden = 2 ++ ++If the returned line does not have a value of "2", or a line is not returned, this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>RHEL-08-010001The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. 
These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001233Install and enable the latest McAfee ENSLTP package.Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux. ++ ++Procedure: ++Check that the following package has been installed: ++ ++$ sudo rpm -qa | grep -i mcafeetp ++ ++If the "mcafeetp" package is not installed, this is a finding. ++ ++Verify that the daemon is running: ++ ++$ sudo ps -ef | grep -i mfetpd ++ ++If the daemon is not running, this is a finding. +\ No newline at end of file +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index bffa509b698..1f355c246a0 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -1,6 +1,6 @@ + description: 'This profile contains configuration checks that align to the + +- DISA STIG for Red Hat Enterprise Linux 8 V1R2. ++ DISA STIG for Red Hat Enterprise Linux 8 V1R3. 
+ 
+ 
+ In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index c84ac75c7bf..8bfe8363d0a 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
++++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -1,6 +1,6 @@
+ description: 'This profile contains configuration checks that align to the
+ 
+- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R2.
++ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R3.
+ 
+ 
+ In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
diff --git a/SOURCES/scap-security-guide-0.1.58-update_stig_gui_rhel7_version-PR_7340.patch b/SOURCES/scap-security-guide-0.1.58-update_stig_gui_rhel7_version-PR_7340.patch
new file mode 100644
index 0000000..347da3f
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-update_stig_gui_rhel7_version-PR_7340.patch
@@ -0,0 +1,34 @@
+From f151a439ce9199a0a4496c0bc55811b47bfd8b78 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Thu, 5 Aug 2021 16:45:29 +0200
+Subject: [PATCH] update version of rhel7 stig_gui profile
+
+---
+ products/rhel7/profiles/stig_gui.profile | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/products/rhel7/profiles/stig_gui.profile b/products/rhel7/profiles/stig_gui.profile
+index d41d2ef4f80..6dd433d6c21 100644
+--- a/products/rhel7/profiles/stig_gui.profile
++++ b/products/rhel7/profiles/stig_gui.profile
+@@ -1,9 +1,9 @@
+ documentation_complete: true
+ 
+ metadata:
+- version: V3R3
++ version: V3R4
+ SMEs:
+- - carlosmmatos
++ - ggbecker
+ 
+ reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ 
+@@ -11,7 +11,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 7'
+ 
+ description: |-
+ This profile contains configuration checks that align to the
+- DISA STIG with GUI for Red Hat Enterprise Linux V3R3.
++ DISA STIG with GUI for Red Hat Enterprise Linux V3R4.
+ 
+ In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
diff --git a/SOURCES/scap-security-guide-0.1.58-update_stig_mapping_table-PR_7327.patch b/SOURCES/scap-security-guide-0.1.58-update_stig_mapping_table-PR_7327.patch
new file mode 100644
index 0000000..422a290
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-update_stig_mapping_table-PR_7327.patch
@@ -0,0 +1,120 @@ +From ea1bab197a17dd944e41a583c82c3cc757bb566b Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 4 Aug 2021 12:23:05 +0200 +Subject: [PATCH] Update STIG mapping table to reflect statistics of coverage. + +--- + .../shared_xccdf-apply-overlay-stig.xslt | 59 +++++++++++++------ + .../transforms/shared_xccdf2table-stig.xslt | 28 +++++++++ + 2 files changed, 68 insertions(+), 19 deletions(-) + +diff --git a/shared/transforms/shared_xccdf-apply-overlay-stig.xslt b/shared/transforms/shared_xccdf-apply-overlay-stig.xslt +index 945f709b95..b7c000608c 100644 +--- a/shared/transforms/shared_xccdf-apply-overlay-stig.xslt ++++ b/shared/transforms/shared_xccdf-apply-overlay-stig.xslt +@@ -28,26 +28,47 @@ + + + +- +- +- +- SRG-OS-ID +- +- +- +- <xsl:value-of select="$overlay_title"/> +- +- +- +- +- +- +- +- +- ++ ++ ++ ++ SRG-OS-ID ++ ++ ++ ++ <xsl:value-of select="$overlay_title"/> ++ ++ ++ ++ ++ ++ ++ ++ + +- +- ++ ++ ++ ++ ++ ++ SRG-OS-ID ++ ++ ++ ++ <xsl:value-of select="$overlay_title"/> ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + + + +diff --git a/shared/transforms/shared_xccdf2table-stig.xslt b/shared/transforms/shared_xccdf2table-stig.xslt +index 3746c386c0..4c477542f4 100644 +--- a/shared/transforms/shared_xccdf2table-stig.xslt ++++ b/shared/transforms/shared_xccdf2table-stig.xslt +@@ -20,6 +20,34 @@ + +
      +
      ++ ++
      ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++
      TotalMissingImplementedCoverageSTIG ids missing rule
      % ++ ++ ++ ++
      ++
      ++ + + + diff --git a/SOURCES/scap-security-guide-0.1.58-update_stig_overlay-PR_7287.patch b/SOURCES/scap-security-guide-0.1.58-update_stig_overlay-PR_7287.patch new file mode 100644 index 0000000..b7c4870 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-update_stig_overlay-PR_7287.patch 
@@ -0,0 +1,9202 @@
+From c2879589d5ff715c15a9f96f22f6dac4efca0852 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Mon, 26 Jul 2021 17:49:38 +0200
+Subject: [PATCH 01/10] Fix create-stig-overlay.py script to extract correct
+ identifiers.
+
+---
+ utils/create-stig-overlay.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/utils/create-stig-overlay.py b/utils/create-stig-overlay.py
+index da59d4a6a46..6d7e360b31b 100755
+--- a/utils/create-stig-overlay.py
++++ b/utils/create-stig-overlay.py
+@@ -93,9 +93,9 @@ def new_stig_overlay(xccdftree, ssgtree, outfile):
+ srg = title.text
+ for rule in group.findall("./{%s}Rule" % xccdf_ns):
+ svkey_raw = rule.get("id")
+- svkey = svkey_raw.strip()[3:-7]
++ svkey = svkey_raw.strip()[3:9]
+ severity = rule.get("severity")
+- release = svkey_raw.strip()[9:-5]
++ release = svkey_raw.strip()[10:-5]
+ version = element_value("version", rule)
+ rule_title = element_value("title", rule)
+ ident = element_value("ident", rule).strip("CCI-").lstrip("0")
+
+From 99d698518d522571ffbed0a21f0ef783ae01e2fd Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Mon, 26 Jul 2021 17:50:26 +0200
+Subject: [PATCH 02/10] Do not add rule id based on SRG mapping to STIG tables.
+
+Revert change from
+https://github.com/ComplianceAsCode/content/commit/71dc9eec3b80984cc3be43dd8d05343555213382#diff-9e0d84b6fa315174f856f178bb57199de68baefbdeb79a17971202ee8982c04fR61
+as it's weird having mapped rules that do not correspond with current
+STIG id description.
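Review bot: The new slices `svkey = svkey_raw.strip()[3:9]` and `release = svkey_raw.strip()[10:-5]` hard-code the rule id layout as character offsets, which appear to assume an id shaped like SV-(six digits)r(release)_rule; an id whose number has a different width would yield a truncated or shifted SVKey/VRelease without any error, and the generated overlay would carry a wrong VMS key for that STIG item. If the ids do have that shape, matching it explicitly fails loudly instead: `m = re.match(r"SV-(\d+)r(\d+)_rule$", svkey_raw.strip())` followed by `svkey, release = m.group(1), m.group(2)` after checking `m` is not None; this needs `import re` if the script does not already have it (the import block is outside the hunk). A one-line comment naming the expected id format would help either way. The enclosing loop in new_stig_overlay starts and ends outside the hunk.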
+---
+ utils/create-stig-overlay.py | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+
+diff --git a/utils/create-stig-overlay.py b/utils/create-stig-overlay.py
+index 6d7e360b31b..3247f7f7785 100755
+--- a/utils/create-stig-overlay.py
++++ b/utils/create-stig-overlay.py
+@@ -65,17 +65,6 @@ def ssg_xccdf_stigid_mapping(ssgtree):
+ return xccdftostig_idmapping
+
+
+-def get_nested_stig_items(ssg_mapping, srg):
+- mapped_id = "XXXX"
+- for rhid, srgs in ssg_mapping.items():
+- for xccdfid, srglist in srgs.items():
+- if srg in srglist and len(srglist) > 1:
+- mapped_id = xccdfid
+- break
+-
+- return mapped_id
+-
+-
+ def getkey(elem):
+ return elem.get("ownerid")
+
+@@ -106,7 +95,7 @@ def new_stig_overlay(xccdftree, ssgtree, outfile):
+ try:
+ mapped_id = ''.join(ssg_mapping[version].keys())
+ except KeyError as e:
+- mapped_id = get_nested_stig_items(ssg_mapping, srg)
++ mapped_id = "XXXX"
+
+ overlay = ET.SubElement(new_stig_overlay, "overlay", owner=owner,
+ ruleid=mapped_id, ownerid=version, disa=ident,
+
+From de85a1318e0c1c809202535ec0b17672ae7a58a0 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Mon, 26 Jul 2021 17:52:57 +0200
+Subject: [PATCH 03/10] Add quiet mode for create-stig-overlay.py script.
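Review bot: The fallback `mapped_id = "XXXX"` in the second hunk is now a bare literal inside new_stig_overlay, and nothing in the file states that this string means "no SSG rule mapped" to whoever consumes the overlay's ruleid attribute. A module-level constant such as `UNMAPPED_RULE_ID = "XXXX"` with a comment on its meaning keeps the sentinel in one place and makes the intent readable at the except site. The context line `except KeyError as e:` also binds `e` without using it; `except KeyError:` would do. new_stig_overlay's body continues outside the hunk.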
+
+---
+ utils/create-stig-overlay.py | 32 +++++++++++++++++++++++---------
+ 1 file changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/utils/create-stig-overlay.py b/utils/create-stig-overlay.py
+index 3247f7f7785..02deb0b5b2e 100755
+--- a/utils/create-stig-overlay.py
++++ b/utils/create-stig-overlay.py
+@@ -69,7 +69,7 @@ def getkey(elem):
+ return elem.get("ownerid")
+
+
+-def new_stig_overlay(xccdftree, ssgtree, outfile):
++def new_stig_overlay(xccdftree, ssgtree, outfile, quiet):
+ if not ssgtree:
+ ssg_mapping = False
+ else:
+@@ -113,11 +113,14 @@ def new_stig_overlay(xccdftree, ssgtree, outfile):
+ overlay_directory = os.path.dirname(outfile)
+ if not os.path.exists(overlay_directory):
+ os.makedirs(overlay_directory)
+- print("\nOverlay directory created: %s" % overlay_directory)
++ if not quiet:
++ print("\nOverlay directory created: %s" % overlay_directory)
+
+ with open(outfile, 'wb') as f:
+ f.write(pretty_xml_as_string)
+- print("\nGenerated the new STIG overlay file: %s" % outfile)
++
++ if not quiet:
++ print("\nGenerated the new STIG overlay file: %s" % outfile)
+
+
+ def parse_args():
+@@ -134,6 +137,9 @@ def parse_args():
+ action="store", dest="output_file",
+ help="STIG overlay XML content file \
+ [default: %default]")
++ parser.add_argument("-q", "--quiet", dest="quiet", default=False,
++ action="store_true", help="Do not print anything and assume yes for everything")
++
+ return parser.parse_args()
+
+
+@@ -143,9 +149,11 @@ def main():
+ disa_xccdftree = ET.parse(args.disa_xccdf_filename)
+
+ if not args.ssg_xccdf_filename:
+- print("WARNING: You are generating a STIG overlay XML file without mapping it "
+- "to existing SSG content.")
+- prompt = yes_no_prompt()
++ prompt = True
++ if not args.quiet:
++ print("WARNING: You are generating a STIG overlay XML file without mapping it "
++ "to existing SSG content.")
++ prompt = yes_no_prompt()
+ if not prompt:
+ sys.exit(0)
+ ssg_xccdftree = False
+@@ -153,13 +161,19 @@ def main():
+ 
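Review bot: `def new_stig_overlay(xccdftree, ssgtree, outfile, quiet):` in the first hunk makes `quiet` a required positional argument, so any caller other than the updated main() now fails with a TypeError. Giving it a default, `def new_stig_overlay(xccdftree, ssgtree, outfile, quiet=False):`, keeps the previous call shape working and agrees with the `default=False` on the `--quiet` option added in a later hunk of the same patch. A short docstring noting that `quiet` only suppresses the two informational prints, not the file write, would also help. The function body continues outside the hunk.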
ssg_xccdftree = ET.parse(args.ssg_xccdf_filename)
+ ssg = ssg_xccdftree.find(".//{%s}publisher" % dc_ns).text
+ if ssg != "SCAP Security Guide Project":
+- sys.exit("%s is not a valid SSG generated XCCDF file." % args.ssg_xccdf_filename)
++ if not args.quiet:
++ sys.exit("%s is not a valid SSG generated XCCDF file." % args.ssg_xccdf_filename)
++ else:
++ sys.exit(1)
+
+ disa = disa_xccdftree.find(".//{%s}source" % dc_ns).text
+ if disa != "STIG.DOD.MIL":
+- sys.exit("%s is not a valid DISA generated manual XCCDF file." % args.disa_xccdf_filename)
++ if not args.quiet:
++ sys.exit("%s is not a valid DISA generated manual XCCDF file." % args.disa_xccdf_filename)
++ else:
++ sys.exit(2)
+
+- new_stig_overlay(disa_xccdftree, ssg_xccdftree, args.output_file)
++ new_stig_overlay(disa_xccdftree, ssg_xccdftree, args.output_file, args.quiet)
+
+
+ if __name__ == "__main__":
+
+From fc3f316cd3ccc375f9439683828a2d5829b411df Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Mon, 26 Jul 2021 17:53:24 +0200
+Subject: [PATCH 04/10] Generate STIG overlay files during build time.
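Review bot: With the `if not args.quiet:` / `else:` split around the two validation failures, the process exit status now depends on verbosity: `sys.exit("<message>")` always exits with status 1, while the quiet branches exit with 1 and 2, so a caller such as the build checking the return code sees a different value for the DISA-file failure depending on `--quiet`. Writing the message to stderr only when not quiet and then exiting with one fixed code per failure keeps the status stable, e.g. `if not args.quiet:` / `sys.stderr.write("%s is not a valid DISA generated manual XCCDF file.\n" % args.disa_xccdf_filename)` / `sys.exit(2)`, and the same shape with its own code for the SSG check earlier in the hunk. The hunk header shows this is inside main(), whose start is outside the hunk.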
+
+---
+ cmake/SSGCommon.cmake | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
+index 1bcd5156206..f795d5be2c2 100644
+--- a/cmake/SSGCommon.cmake
++++ b/cmake/SSGCommon.cmake
+@@ -1274,12 +1274,21 @@ macro(ssg_build_html_stig_tables PRODUCT)
+ DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf2table-stig.xslt"
+ COMMENT "[${PRODUCT}-tables] generating HTML MANUAL STIG table"
+ )
++ add_custom_command(
++ OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/overlays/stig_overlay.xml"
++ COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/${PRODUCT}/overlays"
++ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create-stig-overlay.py" --quiet --disa-xccdf="${DISA_STIG_REF}" --ssg-xccdf="${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" -o "${CMAKE_BINARY_DIR}/${PRODUCT}/overlays/stig_overlay.xml"
++ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
++ DEPENDS "${DISA_STIG_REF}"
++ COMMENT "[${PRODUCT}-tables] generating STIG XML overlay"
++ )
+ add_custom_command(
+ OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/unlinked-stig-xccdf.xml"
+- COMMAND "${XSLTPROC_EXECUTABLE}" -stringparam overlay "${CMAKE_CURRENT_SOURCE_DIR}/overlays/stig_overlay.xml" --stringparam ocil-document "${CMAKE_CURRENT_BINARY_DIR_NO_SPACES}/ocil-linked.xml" --output "${CMAKE_CURRENT_BINARY_DIR}/unlinked-stig-xccdf.xml" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf-apply-overlay-stig.xslt" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
++ COMMAND "${XSLTPROC_EXECUTABLE}" -stringparam overlay "${CMAKE_BINARY_DIR}/${PRODUCT}/overlays/stig_overlay.xml" --stringparam ocil-document "${CMAKE_CURRENT_BINARY_DIR_NO_SPACES}/ocil-linked.xml" --output "${CMAKE_CURRENT_BINARY_DIR}/unlinked-stig-xccdf.xml" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf-apply-overlay-stig.xslt" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
+ DEPENDS generate-ssg-${PRODUCT}-xccdf.xml
+ DEPENDS 
"${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" + DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf-apply-overlay-stig.xslt" ++ DEPENDS "${CMAKE_BINARY_DIR}/${PRODUCT}/overlays/stig_overlay.xml" + COMMENT "[${PRODUCT}-tables] generating unlinked STIG XCCDF XML file" + ) + add_custom_command( + +From bfcaf848a385051a4151db517d1f1d23adee7048 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 26 Jul 2021 18:06:23 +0200 +Subject: [PATCH 05/10] Remove stig_overlay.xml files as they are generated + during build time. + +--- + products/chromium/overlays/stig_overlay.xml | 151 -- + products/firefox/overlays/stig_overlay.xml | 87 -- + products/jre/overlays/stig_overlay.xml | 67 - + products/ol7/overlays/stig_overlay.xml | 1003 -------------- + products/rhel7/overlays/stig_overlay.xml | 999 -------------- + products/rhel8/overlays/stig_overlay.xml | 1375 ------------------- + products/sle12/overlays/stig_overlay.xml | 811 ----------- + products/sle15/overlays/stig_overlay.xml | 935 ------------- + products/vsel/overlays/stig_overlay.xml | 159 --- + 10 files changed, 5587 deletions(-) + delete mode 100644 products/chromium/overlays/stig_overlay.xml + delete mode 100644 products/firefox/overlays/stig_overlay.xml + delete mode 100644 products/jre/overlays/stig_overlay.xml + delete mode 100644 products/ol7/overlays/stig_overlay.xml + delete mode 100644 products/rhel7/overlays/stig_overlay.xml + delete mode 100644 products/rhel8/overlays/stig_overlay.xml + delete mode 100644 products/sle12/overlays/stig_overlay.xml + delete mode 100644 products/sle15/overlays/stig_overlay.xml + delete mode 100644 products/vsel/overlays/stig_overlay.xml + +diff --git a/products/chromium/overlays/stig_overlay.xml b/products/chromium/overlays/stig_overlay.xml +deleted file mode 100644 +index ce776d1c813..00000000000 +--- a/products/chromium/overlays/stig_overlay.xml ++++ /dev/null +@@ -1,151 +0,0 @@ +- +- +- +- +- Firewall traversal from remote host must be disabled. 
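Review bot: The new `add_custom_command` producing `${CMAKE_BINARY_DIR}/${PRODUCT}/overlays/stig_overlay.xml` depends on the two XCCDF inputs but not on the generator, so a change to `utils/create-stig-overlay.py` will not rebuild the overlay and the unlinked STIG XCCDF step below it is linked against a stale mapping; since this file decides which STIG ids the published content claims, that staleness is easy to miss. Adding `DEPENDS "${CMAKE_SOURCE_DIR}/utils/create-stig-overlay.py"` next to the existing `DEPENDS` lines fixes it, mirroring how the neighbouring command depends on its xccdf-apply-overlay-stig.xslt transform. The enclosing macro ssg_build_html_stig_tables starts and ends outside the hunk.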
+- +- +- +- Sites ability for showing desktop notifications must be disabled. +- +- +- +- Sites ability to show pop-ups must be disabled. +- +- +- +- Site tracking users location must be disabled. +- +- +- +- Extensions installation must be blacklisted by default. +- +- +- +- Extensions that are approved for use must be whitelisted. +- +- +- +- The default search providers name must be set. +- +- +- +- The default search provider URL must be set to perform encrypted searches. +- +- +- +- Default search provider must be enabled. +- +- +- +- Use of cleartext passwords in Password Manager must be disabled. +- +- +- +- The Password Manager must be disabled. +- +- +- +- The HTTP Authentication must be set to negotiate. +- +- +- +- The running of outdated plugins must be disabled. +- +- +- +- Plugins requiring authorization must ask for user permission. +- +- +- +- Third party cookes must be blocked. +- +- +- +- Background processing must be disabled. +- +- +- +- 3D Graphics APIs must be disabled. +- +- +- +- Google Data Synchronization must be disabled. +- +- +- +- The URL protocol schema javascript must be disabled. +- +- +- +- Autofill must be disabled. +- +- +- +- Cloud print mush be disabled. +- +- +- +- Network prediction must be disabled. +- +- +- +- Metrics reporting to Google must be disabled. +- +- +- +- Search suggestions must be disabled. +- +- +- +- Importing of saved passwords must be disabled. +- +- +- +- Metrics reporting to Google must be disabled. +- +- +- +- Plugins must be disabled by default. +- +- +- +- Plugins approved for use must be enabled. +- +- +- +- Automated installation of missing plugins must be disabled. +- +- +- +- Online revocation checks must be done. +- +- +- +- Safe Browsing must be enabled. +- +- +- +- Browser history must be saved. +- +- +- +- Default behavior must block webpages from automatically running plugins. +- +- +- +- Session only based cookies must be disabled. +- +- +- +- The home page must be set to a trusted site. 
+- +- +- +- +- URLs must be whitelisted for plugin use. +- +- +diff --git a/products/firefox/overlays/stig_overlay.xml b/products/firefox/overlays/stig_overlay.xml +deleted file mode 100644 +index d4f19f02d21..00000000000 +--- a/products/firefox/overlays/stig_overlay.xml ++++ /dev/null +@@ -1,87 +0,0 @@ +- +- +- +- +- Installed version of Firefox not supported. +- +- +- +- Firefox must be configured to allow only TLS. +- +- +- +- FireFox is configured to ask which certificate to present to a web site when a certificate is required. +- +- +- +- Firefox required security preferences can not be changed by user. +- +- +- +- Firefox automatically checks for updated version of installed Search plugins. +- +- +- +- Firefox automatically updates installed add-ons and plugins. +- +- +- +- Firefox automatically executes or downloads MIME types which are not authorized for auto-download. +- +- +- +- Network shell protocol is enabled in FireFox. +- +- +- +- Firefox is not configured to prompt a user before downloading and opening required file types. +- +- +- +- FireFox plug-in for ActiveX controls is installed. +- +- +- +- Firefox formfill assistance option is disabled. +- +- +- +- Firefox is configured to autofill passwords. +- +- +- +- FireFox is configured to use a password store with or without a master password. +- +- +- +- FireFox is not configured to block pop-up windows. +- +- +- +- FireFox is configured to allow JavaScript to move or resize windows. +- +- +- +- Firefox is configured to allow JavaScript to raise or lower windows. +- +- +- +- Firefox is configured to allow JavaScript to disable or replace context menus. +- +- +- +- Extensions install must be disabled. +- +- +- +- Background submission of information to Mozilla must be disabled. +- +- +- +- Firefox Development Tools Must Be Disabled. +- +- +- +- The DOD Root Certificate is not installed. 
+- +- +diff --git a/products/jre/overlays/stig_overlay.xml b/products/jre/overlays/stig_overlay.xml +deleted file mode 100644 +index 90eaf79e27f..00000000000 +--- a/products/jre/overlays/stig_overlay.xml ++++ /dev/null +@@ -1,67 +0,0 @@ +- +- +- +- +- +- </overlay> +- <overlay owner="disastig" ruleid="java_jre_deployment_config_properties" ownerid="JRE8-UX-000020" disa="366" severity="medium"> +- <VMSinfo VKey="66909" SVKey="81399" VRelease="2"/> +- <title text="Oracle JRE 8 deployment.config file must contain proper keys and values."/> +- </overlay> +- <overlay owner="disastig" ruleid="java_jre_deployment_properties_exists" ownerid="JRE8-UX-000030" disa="366" severity="medium"> +- <VMSinfo VKey="66911" SVKey="81401" VRelease="1"/> +- <title text="Oracle JRE 8 must have a deployment.properties file present."/> +- </overlay> +- <overlay owner="disastig" ruleid="java_jre_unsigned_applications" ownerid="JRE8-UX-000060" disa="366" severity="low"> +- <VMSinfo VKey="66913" SVKey="81403" VRelease="1"/> +- <title text="Oracle JRE 8 must default to the most secure built-in setting."/> +- </overlay> +- <overlay owner="disastig" ruleid="java_jre_enable_jws_locked" ownerid="JRE8-UX-000070" disa="366" severity="medium"> +- <VMSinfo VKey="66915" SVKey="81405" VRelease="1"/> +- <title text="Oracle JRE 8 must be set to allow Java Web Start (JWS) applications."/> +- </overlay> +- <overlay owner="disastig" ruleid="java_jre_disable_untrusted_sources_locked" ownerid="JRE8-UX-000080" disa="1695" severity="medium"> +- <VMSinfo VKey="66917" SVKey="81407" VRelease="1"/> +- <title text="Oracle JRE 8 must disable the dialog enabling users to grant permissions to execute signed content from an untrusted authority."/> +- </overlay> +- <overlay owner="disastig" ruleid="java_jre_lock_untrusted_sources_locked" ownerid="JRE8-UX-000090" disa="1695" severity="medium"> +- <VMSinfo VKey="66919" SVKey="81409" VRelease="1"/> +- <title text="Oracle JRE 8 must lock the dialog enabling users to grant 
permissions to execute signed content from an untrusted authority."/> +- </overlay> +- <overlay owner="disastig" ruleid="java_jre_validation_ocsp_locked" ownerid="JRE8-UX-000100" disa="185" severity="medium"> +- <VMSinfo VKey="66921" SVKey="81411" VRelease="1"/> +- <title text="Oracle JRE 8 must set the option to enable online certificate validation."/> +- </overlay> +- <overlay owner="disastig" ruleid="java_jre_blacklist_check_locked" ownerid="JRE8-UX-000110" disa="1169" severity="medium"> +- <VMSinfo VKey="66923" SVKey="81413" VRelease="1"/> +- <title text="Oracle JRE 8 must prevent the download of prohibited mobile code."/> +- </overlay> +- <overlay owner="disastig" ruleid="java_jre_accepted_sites_properties" ownerid="JRE8-UX-000120" disa="1774" severity="medium"> +- <VMSinfo VKey="66925" SVKey="81415" VRelease="2"/> +- <title text="Oracle JRE 8 must enable the option to use an accepted sites list."/> +- </overlay> +- <overlay owner="disastig" ruleid="java_jre_accepted_sites_exists" ownerid="JRE8-UX-000130" disa="1774" severity="medium"> +- <VMSinfo VKey="66927" SVKey="81417" VRelease="1"/> +- <title text="Oracle JRE 8 must have an exception.sites file present."/> +- </overlay> +- <overlay owner="disastig" ruleid="java_jre_validation_crl_locked" ownerid="JRE8-UX-000150" disa="1991" severity="medium"> +- <VMSinfo VKey="66929" SVKey="81419" VRelease="1"/> +- <title text="Oracle JRE 8 must enable the dialog to enable users to check publisher certificates for revocation."/> +- </overlay> +- <overlay owner="disastig" ruleid="java_jre_security_revocation_check_locked" ownerid="JRE8-UX-000160" disa="1991" severity="medium"> +- <VMSinfo VKey="66931" SVKey="81421" VRelease="1"/> +- <title text="Oracle JRE 8 must lock the option to enable users to check publisher certificates for revocation."/> +- </overlay> +- <overlay owner="disastig" ruleid="java_jre_insecure_prompt" ownerid="JRE8-UX-000170" disa="2460" severity="medium"> +- <VMSinfo VKey="66933" SVKey="81423" 
VRelease="1"/> +- <title text="Oracle JRE 8 must prompt the user for action prior to executing mobile code."/> +- </overlay> +- <overlay owner="disastig" ruleid="java_jre_updated" ownerid="JRE8-UX-000180" disa="2605" severity="high"> +- <VMSinfo VKey="66937" SVKey="81427" VRelease="1"/> +- <title text="The version of Oracle JRE 8 running on the system must be the most current available."/> +- </overlay> +- <overlay owner="disastig" ruleid="java_jre_clean_previous_version" ownerid="JRE8-UX-000190" disa="2617" severity="medium"> +- <VMSinfo VKey="66935" SVKey="81425" VRelease="1"/> +- <title text="Oracle JRE 8 must remove previous versions when the latest version is installed."/> +- </overlay> +-</overlays> +diff --git a/products/ol7/overlays/stig_overlay.xml b/products/ol7/overlays/stig_overlay.xml +deleted file mode 100644 +index 49b5d523eba..00000000000 +--- a/products/ol7/overlays/stig_overlay.xml ++++ /dev/null +@@ -1,1003 +0,0 @@ +-<?xml version="1.0" encoding="UTF-8"?> +-<overlays xmlns="http://checklists.nist.gov/xccdf/1.1"> +- <overlay owner="disastig" ruleid="rpm_verify_ownership" ownerid="OL07-00-010010" disa="1496" severity="high"> +- <VMSinfo VKey="221652" SVKey="221652r6469" VRelease="r646955"/> +- <title text="The Oracle Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values."/> +- </overlay> +- <overlay owner="disastig" ruleid="rpm_verify_hashes" ownerid="OL07-00-010020" disa="1749" severity="high"> +- <VMSinfo VKey="221653" SVKey="221653r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values."/> +- </overlay> +- <overlay owner="disastig" ruleid="dconf_gnome_banner_enabled" ownerid="OL07-00-010030" disa="50" severity="medium"> +- <VMSinfo VKey="221654" SVKey="221654r6032" VRelease="r603260"/> +- <title text="The Oracle Linux 
operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/> +- </overlay> +- <overlay owner="disastig" ruleid="dconf_gnome_login_banner_text" ownerid="OL07-00-010040" disa="48" severity="medium"> +- <VMSinfo VKey="221655" SVKey="221655r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/> +- </overlay> +- <overlay owner="disastig" ruleid="banner_etc_issue" ownerid="OL07-00-010050" disa="48" severity="medium"> +- <VMSinfo VKey="221656" SVKey="221656r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon."/> +- </overlay> +- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_enabled" ownerid="OL07-00-010060" disa="58" severity="medium"> +- <VMSinfo VKey="221657" SVKey="221657r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures."/> +- </overlay> +- <overlay owner="disastig" ruleid="dconf_gnome_enable_smartcard_auth" ownerid="OL07-00-010061" disa="1948" severity="medium"> +- <VMSinfo VKey="221658" SVKey="221658r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon."/> +- </overlay> +- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_locked" ownerid="OL07-00-010062" disa="57" severity="medium"> +- <VMSinfo VKey="221659" SVKey="221659r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating 
system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface."/> +- </overlay> +- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_delay" ownerid="OL07-00-010070" disa="57" severity="medium"> +- <VMSinfo VKey="221660" SVKey="221660r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces."/> +- </overlay> +- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_user_locks" ownerid="OL07-00-010081" disa="57" severity="medium"> +- <VMSinfo VKey="221661" SVKey="221661r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface."/> +- </overlay> +- <overlay owner="disastig" ruleid="dconf_gnome_session_idle_user_locks" ownerid="OL07-00-010082" disa="57" severity="medium"> +- <VMSinfo VKey="221662" SVKey="221662r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface."/> +- </overlay> +- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_activation_enabled" ownerid="OL07-00-010100" disa="57" severity="medium"> +- <VMSinfo VKey="221664" SVKey="221664r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces."/> +- </overlay> +- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_activation_locked" ownerid="OL07-00-010101" disa="57" severity="medium"> +- <VMSinfo VKey="221665" SVKey="221665r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface."/> +- </overlay> +- 
<overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_delay" ownerid="OL07-00-010110" disa="57" severity="medium"> +- <VMSinfo VKey="221666" SVKey="221666r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_pam_retry" ownerid="OL07-00-010118" disa="192" severity="medium"> +- <VMSinfo VKey="221667" SVKey="221667r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_pam_retry" ownerid="OL07-00-010119" disa="192" severity="medium"> +- <VMSinfo VKey="221668" SVKey="221668r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_pam_ucredit" ownerid="OL07-00-010120" disa="192" severity="medium"> +- <VMSinfo VKey="221669" SVKey="221669r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_pam_lcredit" ownerid="OL07-00-010130" disa="193" severity="medium"> +- <VMSinfo VKey="221670" SVKey="221670r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_pam_dcredit" ownerid="OL07-00-010140" 
disa="194" severity="medium"> +- <VMSinfo VKey="221671" SVKey="221671r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_pam_ocredit" ownerid="OL07-00-010150" disa="1619" severity="medium"> +- <VMSinfo VKey="221672" SVKey="221672r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_pam_difok" ownerid="OL07-00-010160" disa="195" severity="medium"> +- <VMSinfo VKey="221673" SVKey="221673r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_pam_minclass" ownerid="OL07-00-010170" disa="195" severity="medium"> +- <VMSinfo VKey="221674" SVKey="221674r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_pam_maxrepeat" ownerid="OL07-00-010180" disa="195" severity="medium"> +- <VMSinfo VKey="221675" SVKey="221675r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_pam_maxclassrepeat" ownerid="OL07-00-010190" disa="195" severity="medium"> +- 
<VMSinfo VKey="221676" SVKey="221676r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters."/> +- </overlay> +- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_systemauth" ownerid="OL07-00-010200" disa="196" severity="medium"> +- <VMSinfo VKey="221677" SVKey="221677r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords."/> +- </overlay> +- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_logindefs" ownerid="OL07-00-010210" disa="196" severity="medium"> +- <VMSinfo VKey="221678" SVKey="221678r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords."/> +- </overlay> +- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_libuserconf" ownerid="OL07-00-010220" disa="196" severity="medium"> +- <VMSinfo VKey="221680" SVKey="221680r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_minimum_age_login_defs" ownerid="OL07-00-010230" disa="198" severity="medium"> +- <VMSinfo VKey="221681" SVKey="221681r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_set_min_life_existing" ownerid="OL07-00-010240" disa="198" severity="medium"> +- <VMSinfo VKey="221682" SVKey="221682r6032" 
VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_maximum_age_login_defs" ownerid="OL07-00-010250" disa="199" severity="medium"> +- <VMSinfo VKey="221683" SVKey="221683r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_set_max_life_existing" ownerid="OL07-00-010260" disa="199" severity="medium"> +- <VMSinfo VKey="221684" SVKey="221684r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_pam_unix_remember" ownerid="OL07-00-010270" disa="200" severity="medium"> +- <VMSinfo VKey="221685" SVKey="221685r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_pam_minlen" ownerid="OL07-00-010280" disa="205" severity="medium"> +- <VMSinfo VKey="221686" SVKey="221686r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that passwords are a minimum of 15 characters in length."/> +- </overlay> +- <overlay owner="disastig" ruleid="no_empty_passwords" ownerid="OL07-00-010290" disa="366" severity="high"> +- <VMSinfo VKey="221687" SVKey="221687r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must not have accounts configured with blank or null passwords."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_empty_passwords" ownerid="OL07-00-010300" disa="766" 
severity="high"> +- <VMSinfo VKey="221688" SVKey="221688r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password."/> +- </overlay> +- <overlay owner="disastig" ruleid="account_disable_post_pw_expiration" ownerid="OL07-00-010310" disa="795" severity="medium"> +- <VMSinfo VKey="221689" SVKey="221689r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_unlock_time" ownerid="OL07-00-010320" disa="44" severity="medium"> +- <VMSinfo VKey="221690" SVKey="221690r6037" VRelease="r603787"/> +- <title text="The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny_root" ownerid="OL07-00-010330" disa="2238" severity="medium"> +- <VMSinfo VKey="221691" SVKey="221691r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period."/> +- </overlay> +- <overlay owner="disastig" ruleid="sudo_remove_nopasswd" ownerid="OL07-00-010340" disa="2038" severity="medium"> +- <VMSinfo VKey="221692" SVKey="221692r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation."/> +- </overlay> +- <overlay owner="disastig" ruleid="sudo_restrict_privilege_elevation_to_authorized" ownerid="OL07-00-010341" disa="366" severity="medium"> +- <VMSinfo VKey="237627" SVKey="237627r6469" VRelease="r646964"/> +- <title text="The Oracle Linux operating system must 
restrict privilege elevation to authorized personnel."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sudoers_validate_passwd" ownerid="OL07-00-010342" disa="2227" severity="medium">
+- <VMSinfo VKey="237628" SVKey="237628r6469" VRelease="r646967"/>
+- <title text="The Oracle Linux operating system must use the invoking user's password for privilege escalation when using "sudo"."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sudo_remove_nopasswd" ownerid="OL07-00-010343" disa="2038" severity="medium">
+- <VMSinfo VKey="237629" SVKey="237629r6469" VRelease="r646970"/>
+- <title text="The Oracle Linux operating system must require re-authentication when using the "sudo" command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sudo_remove_no_authenticate" ownerid="OL07-00-010350" disa="2038" severity="medium">
+- <VMSinfo VKey="228569" SVKey="228569r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so users must re-authenticate for privilege escalation."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_logon_fail_delay" ownerid="OL07-00-010430" disa="366" severity="medium">
+- <VMSinfo VKey="221693" SVKey="221693r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="gnome_gdm_disable_automatic_login" ownerid="OL07-00-010440" disa="366" severity="high">
+- <VMSinfo VKey="221694" SVKey="221694r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="gnome_gdm_disable_guest_login" ownerid="OL07-00-010450" disa="366" severity="high">
+- <VMSinfo VKey="221695" SVKey="221695r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux
operating system must not allow an unrestricted logon to the system."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_do_not_permit_user_env" ownerid="OL07-00-010460" disa="366" severity="medium">
+- <VMSinfo VKey="221696" SVKey="221696r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not allow users to override SSH environment variables."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="disable_host_auth" ownerid="OL07-00-010470" disa="366" severity="medium">
+- <VMSinfo VKey="221697" SVKey="221697r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not allow a non-certificate trusted host SSH logon to the system."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="grub2_admin_username" ownerid="OL07-00-010480" disa="213" severity="high">
+- <VMSinfo VKey="221698" SVKey="221698r6032" VRelease="r603260"/>
+- <title text="Oracle Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="require_singleuser_auth" ownerid="OL07-00-010481" disa="213" severity="medium">
+- <VMSinfo VKey="221699" SVKey="221699r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must require authentication upon booting into single-user and maintenance modes."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="grub2_password" ownerid="OL07-00-010482" disa="213" severity="high">
+- <VMSinfo VKey="221700" SVKey="221700r6032" VRelease="r603260"/>
+- <title text="Oracle Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="grub2_uefi_admin_username" ownerid="OL07-00-010490" disa="213" severity="high">
+- <VMSinfo VKey="221701" SVKey="221701r6032" VRelease="r603260"/>
+-
<title text="Oracle Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="grub2_uefi_password" ownerid="OL07-00-010491" disa="213" severity="high">
+- <VMSinfo VKey="221702" SVKey="221702r6032" VRelease="r603260"/>
+- <title text="Oracle Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="smartcard_auth" ownerid="OL07-00-010500" disa="764" severity="medium">
+- <VMSinfo VKey="221703" SVKey="221703r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_rsh-server_removed" ownerid="OL07-00-020000" disa="381" severity="high">
+- <VMSinfo VKey="221704" SVKey="221704r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not have the rsh-server package installed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_ypserv_removed" ownerid="OL07-00-020010" disa="381" severity="high">
+- <VMSinfo VKey="221705" SVKey="221705r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not have the ypserv package installed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_MFEhiplsm_installed" ownerid="OL07-00-020019" disa="1233" severity="medium">
+- <VMSinfo VKey="221706" SVKey="221706r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must have a host-based intrusion detection tool installed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="selinux_user_login_roles"
ownerid="OL07-00-020020" disa="2235" severity="medium">
+- <VMSinfo VKey="221707" SVKey="221707r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="aide_periodic_cron_checking" ownerid="OL07-00-020030" disa="1744" severity="medium">
+- <VMSinfo VKey="221708" SVKey="221708r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="aide_scan_notification" ownerid="OL07-00-020040" disa="1744" severity="medium">
+- <VMSinfo VKey="221709" SVKey="221709r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="ensure_gpgcheck_globally_activated" ownerid="OL07-00-020050" disa="1749" severity="high">
+- <VMSinfo VKey="221710" SVKey="221710r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="ensure_gpgcheck_local_packages" ownerid="OL07-00-020060" disa="1749" severity="high">
+- <VMSinfo VKey="221711" SVKey="221711r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers,
or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="OL07-00-020100" disa="1958" severity="medium">
+- <VMSinfo VKey="221712" SVKey="221712r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured to disable USB mass storage."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="kernel_module_dccp_disabled" ownerid="OL07-00-020101" disa="1958" severity="medium">
+- <VMSinfo VKey="221713" SVKey="221713r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="service_autofs_disabled" ownerid="OL07-00-020110" disa="778" severity="medium">
+- <VMSinfo VKey="221714" SVKey="221714r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must disable the file system automounter unless required."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="OL07-00-020111" disa="1958" severity="medium">
+- <VMSinfo VKey="228567" SVKey="228567r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must disable the graphical user interface automounter unless required."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="clean_components_post_updating" ownerid="OL07-00-020200" disa="2617" severity="low">
+- <VMSinfo VKey="221715" SVKey="221715r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must remove all software components after updated versions have been installed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="selinux_state" ownerid="OL07-00-020210" disa="2165"
severity="medium">
+- <VMSinfo VKey="221716" SVKey="221716r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must enable SELinux."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="selinux_policytype" ownerid="OL07-00-020220" disa="2696" severity="medium">
+- <VMSinfo VKey="228570" SVKey="228570r6064" VRelease="r606409"/>
+- <title text="The Oracle Linux operating system must enable the SELinux targeted policy."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" ownerid="OL07-00-020230" disa="366" severity="high">
+- <VMSinfo VKey="221717" SVKey="221717r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="dconf_gnome_disable_ctrlaltdel_reboot" ownerid="OL07-00-020231" disa="366" severity="high">
+- <VMSinfo VKey="228565" SVKey="228565r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_umask_etc_login_defs" ownerid="OL07-00-020240" disa="366" severity="medium">
+- <VMSinfo VKey="221718" SVKey="221718r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="installed_OS_is_vendor_supported" ownerid="OL07-00-020250" disa="366" severity="high">
+- <VMSinfo VKey="221719" SVKey="221719r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be a vendor supported release."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="security_patches_up_to_date" ownerid="OL07-00-020260" disa="366" severity="medium">
+- <VMSinfo
VKey="221720" SVKey="221720r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system security patches and updates must be installed and up to date."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_vsftpd_removed" ownerid="OL07-00-020270" disa="366" severity="medium">
+- <VMSinfo VKey="221721" SVKey="221721r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not have unnecessary accounts."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="gid_passwd_group_same" ownerid="OL07-00-020300" disa="764" severity="low">
+- <VMSinfo VKey="221722" SVKey="221722r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_no_uid_except_zero" ownerid="OL07-00-020310" disa="366" severity="high">
+- <VMSinfo VKey="221723" SVKey="221723r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="no_files_unowned_by_user" ownerid="OL07-00-020320" disa="366" severity="medium">
+- <VMSinfo VKey="221724" SVKey="221724r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that all files and directories have a valid owner."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_permissions_ungroupowned" ownerid="OL07-00-020330" disa="366" severity="medium">
+- <VMSinfo VKey="221725" SVKey="221725r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that all files and directories have a valid group owner."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_have_homedir_login_defs" ownerid="OL07-00-020610" disa="366" severity="medium">
+-
<VMSinfo VKey="221727" SVKey="221727r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_exists" ownerid="OL07-00-020620" disa="366" severity="medium">
+- <VMSinfo VKey="221728" SVKey="221728r6037" VRelease="r603789"/>
+- <title text="The Oracle Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_permissions_home_directories" ownerid="OL07-00-020630" disa="366" severity="medium">
+- <VMSinfo VKey="221729" SVKey="221729r6037" VRelease="r603791"/>
+- <title text="The Oracle Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_ownership_home_directories" ownerid="OL07-00-020640" disa="366" severity="medium">
+- <VMSinfo VKey="221730" SVKey="221730r6037" VRelease="r603793"/>
+- <title text="The Oracle Linux operating system must be configured so that all local interactive user home directories are owned by their respective users."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_groupownership_home_directories" ownerid="OL07-00-020650" disa="366" severity="medium">
+- <VMSinfo VKey="221731" SVKey="221731r6037" VRelease="r603795"/>
+- <title text="The Oracle Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_users_home_files_ownership" ownerid="OL07-00-020660" disa="366" severity="medium">
+- <VMSinfo VKey="221732" SVKey="221732r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux
operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_users_home_files_groupownership" ownerid="OL07-00-020670" disa="366" severity="medium">
+- <VMSinfo VKey="221733" SVKey="221733r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_users_home_files_permissions" ownerid="OL07-00-020680" disa="366" severity="medium">
+- <VMSinfo VKey="221734" SVKey="221734r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_user_dot_user_ownership" ownerid="OL07-00-020690" disa="366" severity="medium">
+- <VMSinfo VKey="221735" SVKey="221735r6037" VRelease="r603797"/>
+- <title text="The Oracle Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_user_dot_group_ownership" ownerid="OL07-00-020700" disa="366" severity="medium">
+- <VMSinfo VKey="221736" SVKey="221736r6037" VRelease="r603799"/>
+- <title text="The Oracle Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_permission_user_init_files" ownerid="OL07-00-020710" disa="366" severity="medium">
+- <VMSinfo VKey="221737"
SVKey="221737r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_user_home_paths_only" ownerid="OL07-00-020720" disa="366" severity="medium">
+- <VMSinfo VKey="221738" SVKey="221738r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_user_dot_no_world_writable_programs" ownerid="OL07-00-020730" disa="366" severity="medium">
+- <VMSinfo VKey="221739" SVKey="221739r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that local initialization files do not execute world-writable programs."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="selinux_all_devicefiles_labeled" ownerid="OL07-00-020900" disa="366" severity="medium">
+- <VMSinfo VKey="221740" SVKey="221740r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="mount_option_home_nosuid" ownerid="OL07-00-021000" disa="366" severity="medium">
+- <VMSinfo VKey="221741" SVKey="221741r6038" VRelease="r603801"/>
+- <title text="The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="mount_option_nosuid_removable_partitions" ownerid="OL07-00-021010" disa="366" severity="medium">
+- <VMSinfo VKey="221742" SVKey="221742r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux
operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="mount_option_nosuid_remote_filesystems" ownerid="OL07-00-021020" disa="366" severity="medium">
+- <VMSinfo VKey="221743" SVKey="221743r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS)."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="mount_option_noexec_remote_filesystems" ownerid="OL07-00-021021" disa="366" severity="medium">
+- <VMSinfo VKey="221744" SVKey="221744r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS)."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="mount_option_dev_shm_noexec" ownerid="OL07-00-021024" disa="1764" severity="low">
+- <VMSinfo VKey="221747" SVKey="221747r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must mount /dev/shm with secure options."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned_group" ownerid="OL07-00-021030" disa="366" severity="medium">
+- <VMSinfo VKey="221748" SVKey="221748r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned" ownerid="OL07-00-021031" disa="366" severity="medium">
+- <VMSinfo VKey="228566" SVKey="228566r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_umask_interactive_users" ownerid="OL07-00-021040" disa="366" severity="medium">
+- <VMSinfo VKey="221749" SVKey="221749r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must set the umask value to 077 for all local interactive user accounts."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="rsyslog_cron_logging" ownerid="OL07-00-021100" disa="366" severity="medium">
+- <VMSinfo VKey="221750" SVKey="221750r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must have cron logging implemented."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_owner_cron_allow" ownerid="OL07-00-021110" disa="366" severity="medium">
+- <VMSinfo VKey="221751" SVKey="221751r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_groupowner_cron_allow" ownerid="OL07-00-021120" disa="366" severity="medium">
+- <VMSinfo VKey="221752" SVKey="221752r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="service_kdump_disabled" ownerid="OL07-00-021300" disa="366" severity="medium">
+- <VMSinfo VKey="221753" SVKey="221753r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must disable Kernel core dumps unless needed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="partition_for_home" ownerid="OL07-00-021310" disa="366" severity="low">
+- <VMSinfo VKey="221754" SVKey="221754r6038" VRelease="r603803"/>
+- <title text="The Oracle Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent)."/>
+- </overlay>
+- <overlay owner="disastig"
ruleid="partition_for_var" ownerid="OL07-00-021320" disa="366" severity="low">
+- <VMSinfo VKey="221755" SVKey="221755r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must use a separate file system for /var."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="partition_for_var_log_audit" ownerid="OL07-00-021330" disa="1849" severity="low">
+- <VMSinfo VKey="221756" SVKey="221756r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must use a separate file system for the system audit data path large enough to hold at least one week of audit data."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="partition_for_tmp" ownerid="OL07-00-021340" disa="366" severity="low">
+- <VMSinfo VKey="221757" SVKey="221757r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must use a separate file system for /tmp (or equivalent)."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="grub2_enable_fips_mode" ownerid="OL07-00-021350" disa="2476" severity="high">
+- <VMSinfo VKey="221758" SVKey="221758r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="aide_verify_acls" ownerid="OL07-00-021600" disa="366" severity="low">
+- <VMSinfo VKey="221759" SVKey="221759r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs)."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="aide_verify_ext_attributes" ownerid="OL07-00-021610" disa="366" severity="low">
+- <VMSinfo VKey="221760" SVKey="221760r6032"
VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="aide_use_fips_hashes" ownerid="OL07-00-021620" disa="366" severity="medium">
+- <VMSinfo VKey="221761" SVKey="221761r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="grub2_no_removeable_media" ownerid="OL07-00-021700" disa="1813" severity="medium">
+- <VMSinfo VKey="221762" SVKey="221762r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not allow removable media to be used as the boot loader unless approved."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_telnet-server_removed" ownerid="OL07-00-021710" disa="381" severity="high">
+- <VMSinfo VKey="221763" SVKey="221763r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not have the telnet-server package installed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="OL07-00-030000" disa="135" severity="medium">
+- <VMSinfo VKey="221764" SVKey="221764r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events.
These audit records must also identify individual identities of group account users."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_system_shutdown" ownerid="OL07-00-030010" disa="139" severity="medium">
+- <VMSinfo VKey="221765" SVKey="221765r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="OL07-00-030201" disa="1851" severity="medium">
+- <VMSinfo VKey="221767" SVKey="221767r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="OL07-00-030210" disa="1851" severity="medium">
+- <VMSinfo VKey="221768" SVKey="221768r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must take appropriate action when the remote logging buffer is full."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_name_format" ownerid="OL07-00-030211" disa="1851" severity="medium">
+- <VMSinfo VKey="221769" SVKey="221769r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must label all off-loaded audit logs before sending them to the central log server."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="OL07-00-030300" disa="1851" severity="medium">
+- <VMSinfo VKey="221770" SVKey="221770r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must off-load audit records onto a different system or media from the system
being audited."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="OL07-00-030310" disa="1851" severity="medium">
+- <VMSinfo VKey="221771" SVKey="221771r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_audispd_disk_full_action" ownerid="OL07-00-030320" disa="1851" severity="medium">
+- <VMSinfo VKey="221772" SVKey="221772r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_audispd_network_failure_action" ownerid="OL07-00-030321" disa="1851" severity="medium">
+- <VMSinfo VKey="221773" SVKey="221773r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_data_retention_space_left" ownerid="OL07-00-030330" disa="1855" severity="medium">
+- <VMSinfo VKey="221774" SVKey="221774r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_data_retention_admin_space_left_action" ownerid="OL07-00-030340" disa="1855" severity="medium">
+- <VMSinfo VKey="221775" SVKey="221775r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must immediately notify the System Administrator (SA)
and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_data_retention_action_mail_acct" ownerid="OL07-00-030350" disa="1855" severity="medium">
+- <VMSinfo VKey="221776" SVKey="221776r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands" ownerid="OL07-00-030360" disa="2234" severity="medium">
+- <VMSinfo VKey="221777" SVKey="221777r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must audit all executions of privileged functions."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_dac_modification_chown" ownerid="OL07-00-030370" disa="126" severity="medium">
+- <VMSinfo VKey="221778" SVKey="221778r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must audit all uses of the chown syscall."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchown" ownerid="OL07-00-030380" disa="172" severity="medium">
+- <VMSinfo VKey="221779" SVKey="221779r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must audit all uses of the fchown syscall."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_dac_modification_lchown" ownerid="OL07-00-030390" disa="126" severity="medium">
+- <VMSinfo VKey="221780" SVKey="221780r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must audit all uses of the lchown syscall."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchownat" ownerid="OL07-00-030400" disa="172"
severity="medium"> +- <VMSinfo VKey="221781" SVKey="221781r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the fchownat syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_chmod" ownerid="OL07-00-030410" disa="172" severity="medium"> +- <VMSinfo VKey="221782" SVKey="221782r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the chmod syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmod" ownerid="OL07-00-030420" disa="172" severity="medium"> +- <VMSinfo VKey="221783" SVKey="221783r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the fchmod syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmodat" ownerid="OL07-00-030430" disa="172" severity="medium"> +- <VMSinfo VKey="221784" SVKey="221784r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the fchmodat syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_setxattr" ownerid="OL07-00-030440" disa="172" severity="medium"> +- <VMSinfo VKey="221785" SVKey="221785r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the setxattr syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fsetxattr" ownerid="OL07-00-030450" disa="172" severity="medium"> +- <VMSinfo VKey="221786" SVKey="221786r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the fsetxattr syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_lsetxattr" ownerid="OL07-00-030460" disa="172" severity="medium"> +- <VMSinfo VKey="221787" SVKey="221787r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit 
all uses of the lsetxattr syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_removexattr" ownerid="OL07-00-030470" disa="172" severity="medium"> +- <VMSinfo VKey="221788" SVKey="221788r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the removexattr syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fremovexattr" ownerid="OL07-00-030480" disa="172" severity="medium"> +- <VMSinfo VKey="221789" SVKey="221789r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the fremovexattr syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_lremovexattr" ownerid="OL07-00-030490" disa="172" severity="medium"> +- <VMSinfo VKey="221790" SVKey="221790r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the lremovexattr syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_creat" ownerid="OL07-00-030500" disa="2884" severity="medium"> +- <VMSinfo VKey="221791" SVKey="221791r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the creat syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open" ownerid="OL07-00-030510" disa="172" severity="medium"> +- <VMSinfo VKey="221792" SVKey="221792r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the open syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_openat" ownerid="OL07-00-030520" disa="2884" severity="medium"> +- <VMSinfo VKey="221793" SVKey="221793r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the openat syscall."/> +- </overlay> +- <overlay owner="disastig" 
ruleid="audit_rules_unsuccessful_file_modification_open_by_handle_at" ownerid="OL07-00-030530" disa="172" severity="medium"> +- <VMSinfo VKey="221794" SVKey="221794r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the open_by_handle_at syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_truncate" ownerid="OL07-00-030540" disa="2884" severity="medium"> +- <VMSinfo VKey="221795" SVKey="221795r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the truncate syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_ftruncate" ownerid="OL07-00-030550" disa="172" severity="medium"> +- <VMSinfo VKey="221796" SVKey="221796r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the ftruncate syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_execution_semanage" ownerid="OL07-00-030560" disa="172" severity="medium"> +- <VMSinfo VKey="221797" SVKey="221797r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the semanage command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_execution_setsebool" ownerid="OL07-00-030570" disa="2884" severity="medium"> +- <VMSinfo VKey="221798" SVKey="221798r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the setsebool command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_execution_chcon" ownerid="OL07-00-030580" disa="2884" severity="medium"> +- <VMSinfo VKey="221799" SVKey="221799r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the chcon command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_execution_setfiles" ownerid="OL07-00-030590" disa="2884" severity="medium"> +- 
<VMSinfo VKey="221800" SVKey="221800r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the setfiles command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_login_events_faillock" ownerid="OL07-00-030610" disa="172" severity="medium"> +- <VMSinfo VKey="221801" SVKey="221801r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must generate audit records for all unsuccessful account access events."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_login_events_lastlog" ownerid="OL07-00-030620" disa="172" severity="medium"> +- <VMSinfo VKey="221802" SVKey="221802r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must generate audit records for all successful account access events."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_passwd" ownerid="OL07-00-030630" disa="135" severity="medium"> +- <VMSinfo VKey="221803" SVKey="221803r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the passwd command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_unix_chkpwd" ownerid="OL07-00-030640" disa="135" severity="medium"> +- <VMSinfo VKey="221804" SVKey="221804r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the unix_chkpwd command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_gpasswd" ownerid="OL07-00-030650" disa="135" severity="medium"> +- <VMSinfo VKey="221805" SVKey="221805r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the gpasswd command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chage" ownerid="OL07-00-030660" disa="135" severity="medium"> +- <VMSinfo VKey="221806" SVKey="221806r6032" VRelease="r603260"/> +- <title text="The 
Oracle Linux operating system must audit all uses of the chage command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_userhelper" ownerid="OL07-00-030670" disa="135" severity="medium"> +- <VMSinfo VKey="221807" SVKey="221807r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the userhelper command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_su" ownerid="OL07-00-030680" disa="172" severity="medium"> +- <VMSinfo VKey="221808" SVKey="221808r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the su command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="OL07-00-030690" disa="130" severity="medium"> +- <VMSinfo VKey="221809" SVKey="221809r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the sudo command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_sysadmin_actions" ownerid="OL07-00-030700" disa="172" severity="medium"> +- <VMSinfo VKey="221810" SVKey="221810r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_newgrp" ownerid="OL07-00-030710" disa="172" severity="medium"> +- <VMSinfo VKey="221811" SVKey="221811r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the newgrp command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chsh" ownerid="OL07-00-030720" disa="130" severity="medium"> +- <VMSinfo VKey="221812" SVKey="221812r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the chsh command."/> +- </overlay> +- <overlay owner="disastig" 
ruleid="audit_rules_privileged_commands_mount" ownerid="OL07-00-030740" disa="2884" severity="medium"> +- <VMSinfo VKey="221813" SVKey="221813r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the mount command and syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_umount" ownerid="OL07-00-030750" disa="135" severity="medium"> +- <VMSinfo VKey="221814" SVKey="221814r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the umount command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_postdrop" ownerid="OL07-00-030760" disa="135" severity="medium"> +- <VMSinfo VKey="221815" SVKey="221815r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the postdrop command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_postqueue" ownerid="OL07-00-030770" disa="135" severity="medium"> +- <VMSinfo VKey="221816" SVKey="221816r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the postqueue command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_ssh_keysign" ownerid="OL07-00-030780" disa="135" severity="medium"> +- <VMSinfo VKey="221817" SVKey="221817r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the ssh-keysign command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_crontab" ownerid="OL07-00-030800" disa="135" severity="medium"> +- <VMSinfo VKey="221818" SVKey="221818r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the crontab command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_pam_timestamp_check" ownerid="OL07-00-030810" disa="172" 
severity="medium"> +- <VMSinfo VKey="221819" SVKey="221819r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the pam_timestamp_check command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="OL07-00-030819" disa="172" severity="medium"> +- <VMSinfo VKey="221820" SVKey="221820r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the create_module syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_init" ownerid="OL07-00-030820" disa="172" severity="medium"> +- <VMSinfo VKey="221821" SVKey="221821r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the init_module syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_finit" ownerid="OL07-00-030821" disa="172" severity="medium"> +- <VMSinfo VKey="221822" SVKey="221822r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the finit_module syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="OL07-00-030830" disa="172" severity="medium"> +- <VMSinfo VKey="221823" SVKey="221823r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the delete_module syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="OL07-00-030840" disa="172" severity="medium"> +- <VMSinfo VKey="221824" SVKey="221824r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the kmod command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="OL07-00-030870" disa="1405" severity="medium"> +- <VMSinfo VKey="221825" SVKey="221825r6032" VRelease="r603260"/> +- <title 
text="The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_group" ownerid="OL07-00-030871" disa="18" severity="medium"> +- <VMSinfo VKey="221826" SVKey="221826r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_gshadow" ownerid="OL07-00-030872" disa="18" severity="medium"> +- <VMSinfo VKey="221827" SVKey="221827r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_shadow" ownerid="OL07-00-030873" disa="18" severity="medium"> +- <VMSinfo VKey="221828" SVKey="221828r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_opasswd" ownerid="OL07-00-030874" disa="18" severity="medium"> +- <VMSinfo VKey="221829" SVKey="221829r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_rename" ownerid="OL07-00-030880" disa="2884" severity="medium"> +- <VMSinfo VKey="221830" SVKey="221830r6032" VRelease="r603260"/> +- <title text="The 
Oracle Linux operating system must audit all uses of the rename syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_renameat" ownerid="OL07-00-030890" disa="172" severity="medium"> +- <VMSinfo VKey="221831" SVKey="221831r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the renameat syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_rmdir" ownerid="OL07-00-030900" disa="2884" severity="medium"> +- <VMSinfo VKey="221832" SVKey="221832r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the rmdir syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_unlink" ownerid="OL07-00-030910" disa="172" severity="medium"> +- <VMSinfo VKey="221833" SVKey="221833r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the unlink syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_unlinkat" ownerid="OL07-00-030920" disa="2884" severity="medium"> +- <VMSinfo VKey="221834" SVKey="221834r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must audit all uses of the unlinkat syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="OL07-00-031000" disa="366" severity="medium"> +- <VMSinfo VKey="221835" SVKey="221835r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must send rsyslog output to a log aggregation server."/> +- </overlay> +- <overlay owner="disastig" ruleid="rsyslog_nolisten" ownerid="OL07-00-031010" disa="366" severity="medium"> +- <VMSinfo VKey="221836" SVKey="221836r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for 
log aggregation."/> +- </overlay> +- <overlay owner="disastig" ruleid="install_mcafee_antivirus" ownerid="OL07-00-032000" disa="366" severity="high"> +- <VMSinfo VKey="221837" SVKey="221837r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must use a virus scan program."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_max_concurrent_login_sessions" ownerid="OL07-00-040000" disa="54" severity="low"> +- <VMSinfo VKey="221838" SVKey="221838r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types."/> +- </overlay> +- <overlay owner="disastig" ruleid="configure_firewalld_ports" ownerid="OL07-00-040100" disa="2314" severity="medium"> +- <VMSinfo VKey="221839" SVKey="221839r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_use_approved_ciphers_ordered_stig" ownerid="OL07-00-040110" disa="68" severity="medium"> +- <VMSinfo VKey="221840" SVKey="221840r6038" VRelease="r603806"/> +- <title text="The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_tmout" ownerid="OL07-00-040160" disa="1133" severity="medium"> +- <VMSinfo VKey="221841" SVKey="221841r6469" VRelease="r646958"/> +- <title text="The Oracle Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission 
requirements."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="OL07-00-040170" disa="48" severity="medium"> +- <VMSinfo VKey="221842" SVKey="221842r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts."/> +- </overlay> +- <overlay owner="disastig" ruleid="sssd_ldap_start_tls" ownerid="OL07-00-040180" disa="1453" severity="medium"> +- <VMSinfo VKey="221843" SVKey="221843r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."/> +- </overlay> +- <overlay owner="disastig" ruleid="sssd_ldap_configure_tls_reqcert" ownerid="OL07-00-040190" disa="1453" severity="medium"> +- <VMSinfo VKey="221844" SVKey="221844r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."/> +- </overlay> +- <overlay owner="disastig" ruleid="sssd_ldap_configure_tls_ca_dir" ownerid="OL07-00-040200" disa="1453" severity="medium"> +- <VMSinfo VKey="221845" SVKey="221845r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_kernel_randomize_va_space" ownerid="OL07-00-040201" disa="2824" severity="medium"> +- <VMSinfo VKey="221846" SVKey="221846r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must implement virtual address space randomization."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_openssh-server_installed" ownerid="OL07-00-040300" disa="2422" severity="medium"> +- 
<VMSinfo VKey="221847" SVKey="221847r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that all networked systems have SSH installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_sshd_enabled" ownerid="OL07-00-040310" disa="2418" severity="medium"> +- <VMSinfo VKey="221848" SVKey="221848r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_set_idle_timeout" ownerid="OL07-00-040320" disa="1133" severity="medium"> +- <VMSinfo VKey="221849" SVKey="221849r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_rhosts_rsa" ownerid="OL07-00-040330" disa="366" severity="medium"> +- <VMSinfo VKey="221850" SVKey="221850r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_set_keepalive_0" ownerid="OL07-00-040340" disa="1133" severity="medium"> +- <VMSinfo VKey="221851" SVKey="221851r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_rhosts" ownerid="OL07-00-040350" disa="366" severity="medium"> +- <VMSinfo VKey="221852" SVKey="221852r6032" 
VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_print_last_log" ownerid="OL07-00-040360" disa="366" severity="medium"> +- <VMSinfo VKey="221853" SVKey="221853r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must display the date and time of the last successful account logon upon an SSH logon."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="OL07-00-040370" disa="366" severity="medium"> +- <VMSinfo VKey="221854" SVKey="221854r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must not permit direct logons to the root account using remote access via SSH."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_user_known_hosts" ownerid="OL07-00-040380" disa="366" severity="medium"> +- <VMSinfo VKey="221855" SVKey="221855r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_allow_only_protocol2" ownerid="OL07-00-040390" disa="197" severity="high"> +- <VMSinfo VKey="221856" SVKey="221856r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_use_approved_macs_ordered_stig" ownerid="OL07-00-040400" disa="1453" severity="medium"> +- <VMSinfo VKey="221857" SVKey="221857r6038" VRelease="r603809"/> +- <title text="The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms."/> +- </overlay> +- <overlay 
owner="disastig" ruleid="file_permissions_sshd_pub_key" ownerid="OL07-00-040410" disa="366" severity="medium"> +- <VMSinfo VKey="221858" SVKey="221858r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permissions_sshd_private_key" ownerid="OL07-00-040420" disa="366" severity="medium"> +- <VMSinfo VKey="221859" SVKey="221859r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_gssapi_auth" ownerid="OL07-00-040430" disa="1813" severity="medium"> +- <VMSinfo VKey="221860" SVKey="221860r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_kerb_auth" ownerid="OL07-00-040440" disa="1813" severity="medium"> +- <VMSinfo VKey="221861" SVKey="221861r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_enable_strictmodes" ownerid="OL07-00-040450" disa="366" severity="medium"> +- <VMSinfo VKey="221862" SVKey="221862r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_use_priv_separation" ownerid="OL07-00-040460" disa="366" severity="medium"> +- <VMSinfo VKey="221863" SVKey="221863r6032" VRelease="r603260"/> +- 
<title text="The Oracle Linux operating system must be configured so that the SSH daemon uses privilege separation."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_compression" ownerid="OL07-00-040470" disa="366" severity="medium"> +- <VMSinfo VKey="221864" SVKey="221864r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication."/> +- </overlay> +- <overlay owner="disastig" ruleid="chronyd_or_ntpd_set_maxpoll" ownerid="OL07-00-040500" disa="2046" severity="medium"> +- <VMSinfo VKey="221866" SVKey="221866r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv4_tcp_invalid_ratelimit" ownerid="OL07-00-040510" disa="2385" severity="medium"> +- <VMSinfo VKey="221867" SVKey="221867r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_firewalld_enabled" ownerid="OL07-00-040520" disa="366" severity="medium"> +- <VMSinfo VKey="221868" SVKey="221868r6032" VRelease="r603260"/> +- <title text="The Oracle Linux operating system must enable an application firewall, if available."/> +- </overlay> +- <overlay owner="disastig" ruleid="display_login_attempts" ownerid="OL07-00-040530" disa="366" severity="low"> +- <VMSinfo VKey="221869" SVKey="221869r6032" VRelease="r603260"/> +- <title 
text="The Oracle Linux operating system must display the date and time of the last successful account logon upon logon."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="no_user_host_based_files" ownerid="OL07-00-040540" disa="366" severity="high">
+- <VMSinfo VKey="221870" SVKey="221870r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not contain .shosts files."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="no_host_based_files" ownerid="OL07-00-040550" disa="366" severity="high">
+- <VMSinfo VKey="221871" SVKey="221871r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not contain shosts.equiv files."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="network_configure_name_resolution" ownerid="OL07-00-040600" disa="366" severity="low">
+- <VMSinfo VKey="221872" SVKey="221872r6032" VRelease="r603260"/>
+- <title text="For Oracle Linux operating systems using DNS resolution, at least two name servers must be configured."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_source_route" ownerid="OL07-00-040610" disa="366" severity="medium">
+- <VMSinfo VKey="221873" SVKey="221873r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_rp_filter" ownerid="OL07-00-040611" disa="366" severity="medium">
+- <VMSinfo VKey="221874" SVKey="221874r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_rp_filter" ownerid="OL07-00-040612" disa="366" severity="medium">
+- <VMSinfo VKey="221875" SVKey="221875r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must use a reverse-path 
filter for IPv4 network traffic when possible by default."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_source_route" ownerid="OL07-00-040620" disa="366" severity="medium">
+- <VMSinfo VKey="221876" SVKey="221876r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" ownerid="OL07-00-040630" disa="366" severity="medium">
+- <VMSinfo VKey="221877" SVKey="221877r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_redirects" ownerid="OL07-00-040640" disa="366" severity="medium">
+- <VMSinfo VKey="221878" SVKey="221878r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_redirects" ownerid="OL07-00-040641" disa="366" severity="medium">
+- <VMSinfo VKey="221879" SVKey="221879r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_send_redirects" ownerid="OL07-00-040650" disa="366" severity="medium">
+- <VMSinfo VKey="221880" SVKey="221880r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by 
default."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_send_redirects" ownerid="OL07-00-040660" disa="366" severity="medium">
+- <VMSinfo VKey="221881" SVKey="221881r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="network_sniffer_disabled" ownerid="OL07-00-040670" disa="366" severity="medium">
+- <VMSinfo VKey="221882" SVKey="221882r6032" VRelease="r603260"/>
+- <title text="Network interfaces configured on The Oracle Linux operating system must not be in promiscuous mode."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="postfix_prevent_unrestricted_relay" ownerid="OL07-00-040680" disa="366" severity="medium">
+- <VMSinfo VKey="221883" SVKey="221883r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured to prevent unrestricted mail relaying."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_vsftpd_removed" ownerid="OL07-00-040690" disa="366" severity="high">
+- <VMSinfo VKey="221884" SVKey="221884r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_tftp-server_removed" ownerid="OL07-00-040700" disa="366" severity="high">
+- <VMSinfo VKey="221885" SVKey="221885r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_x11_forwarding" ownerid="OL07-00-040710" disa="366" severity="medium">
+- <VMSinfo VKey="221886" SVKey="221886r6038" VRelease="r603812"/>
+- <title text="The Oracle Linux operating system must be configured so 
that remote X connections are disabled, unless to fulfill documented and validated mission requirements."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_x11_use_localhost" ownerid="OL07-00-040711" disa="366" severity="medium">
+- <VMSinfo VKey="233306" SVKey="233306r6032" VRelease="r603298"/>
+- <title text="The Oracle Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="tftpd_uses_secure_mode" ownerid="OL07-00-040720" disa="366" severity="medium">
+- <VMSinfo VKey="221887" SVKey="221887r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_xorg-x11-server-common_removed" ownerid="OL07-00-040730" disa="366" severity="medium">
+- <VMSinfo VKey="221888" SVKey="221888r6469" VRelease="r646961"/>
+- <title text="The Oracle Linux operating system must not have a graphical display manager installed unless approved."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_ip_forward" ownerid="OL07-00-040740" disa="366" severity="medium">
+- <VMSinfo VKey="221889" SVKey="221889r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not be performing packet forwarding unless the system is a router."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="mount_option_krb_sec_remote_filesystems" ownerid="OL07-00-040750" disa="366" severity="medium">
+- <VMSinfo VKey="221890" SVKey="221890r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="snmpd_not_default_password" ownerid="OL07-00-040800" disa="366" severity="high">
+- <VMSinfo 
VKey="221891" SVKey="221891r6032" VRelease="r603260"/>
+- <title text="SNMP community strings on the Oracle Linux operating system must be changed from the default."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="set_firewalld_default_zone" ownerid="OL07-00-040810" disa="366" severity="medium">
+- <VMSinfo VKey="221892" SVKey="221892r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="libreswan_approved_tunnels" ownerid="OL07-00-040820" disa="366" severity="medium">
+- <VMSinfo VKey="221893" SVKey="221893r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not have unauthorized IP tunnels configured."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_source_route" ownerid="OL07-00-040830" disa="366" severity="medium">
+- <VMSinfo VKey="221894" SVKey="221894r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must not forward IPv6 source-routed packets."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="install_smartcard_packages" ownerid="OL07-00-041001" disa="1948" severity="medium">
+- <VMSinfo VKey="221895" SVKey="221895r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must have the required packages for multifactor authentication installed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sssd_enable_pam_services" ownerid="OL07-00-041002" disa="1954" severity="medium">
+- <VMSinfo VKey="221896" SVKey="221896r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="smartcard_configure_cert_checking" ownerid="OL07-00-041003" disa="1948" severity="medium">
+- 
<VMSinfo VKey="221897" SVKey="221897r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must implement certificate status checking for PKI authentication."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="wireless_disable_interfaces" ownerid="OL07-00-041010" disa="2421" severity="medium">
+- <VMSinfo VKey="221898" SVKey="221898r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must be configured so that all wireless network adapters are disabled."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_ownership_var_log_audit" ownerid="OL07-00-910055" disa="164" severity="medium">
+- <VMSinfo VKey="221899" SVKey="221899r6032" VRelease="r603260"/>
+- <title text="The Oracle Linux operating system must protect audit information from unauthorized read, modification, or deletion."/>
+- </overlay>
+-</overlays>
+diff --git a/products/rhel7/overlays/stig_overlay.xml b/products/rhel7/overlays/stig_overlay.xml
+deleted file mode 100644
+index 2bf837c8b3b..00000000000
+--- a/products/rhel7/overlays/stig_overlay.xml
++++ /dev/null
+@@ -1,999 +0,0 @@
+-<?xml version="1.0" encoding="UTF-8"?>
+-<overlays xmlns="http://checklists.nist.gov/xccdf/1.1">
+- <overlay owner="disastig" ruleid="rpm_verify_ownership" ownerid="RHEL-07-010010" disa="2235" severity="high">
+- <VMSinfo VKey="204392" SVKey="204392r6468" VRelease="r646841"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="rpm_verify_hashes" ownerid="RHEL-07-010020" disa="1749" severity="high">
+- <VMSinfo VKey="214799" SVKey="214799r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values."/>
+- </overlay>
+- <overlay owner="disastig" 
ruleid="dconf_gnome_banner_enabled" ownerid="RHEL-07-010030" disa="48" severity="medium">
+- <VMSinfo VKey="204393" SVKey="204393r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="dconf_gnome_login_banner_text" ownerid="RHEL-07-010040" disa="48" severity="medium">
+- <VMSinfo VKey="204394" SVKey="204394r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="banner_etc_issue" ownerid="RHEL-07-010050" disa="48" severity="medium">
+- <VMSinfo VKey="204395" SVKey="204395r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_enabled" ownerid="RHEL-07-010060" disa="56" severity="medium">
+- <VMSinfo VKey="204396" SVKey="204396r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="dconf_gnome_enable_smartcard_auth" ownerid="RHEL-07-010061" disa="1954" severity="medium">
+- <VMSinfo VKey="204397" SVKey="204397r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon."/>
+- 
</overlay>
+- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_locked" ownerid="RHEL-07-010062" disa="57" severity="medium">
+- <VMSinfo VKey="214937" SVKey="214937r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_delay" ownerid="RHEL-07-010070" disa="57" severity="medium">
+- <VMSinfo VKey="204398" SVKey="204398r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_user_locks" ownerid="RHEL-07-010081" disa="57" severity="medium">
+- <VMSinfo VKey="204399" SVKey="204399r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="dconf_gnome_session_idle_user_locks" ownerid="RHEL-07-010082" disa="57" severity="medium">
+- <VMSinfo VKey="204400" SVKey="204400r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_activation_enabled" ownerid="RHEL-07-010100" disa="57" severity="medium">
+- <VMSinfo VKey="204402" SVKey="204402r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_activation_locked" 
ownerid="RHEL-07-010101" disa="57" severity="medium">
+- <VMSinfo VKey="204403" SVKey="204403r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_delay" ownerid="RHEL-07-010110" disa="57" severity="medium">
+- <VMSinfo VKey="204404" SVKey="204404r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_retry" ownerid="RHEL-07-010118" disa="192" severity="medium">
+- <VMSinfo VKey="204405" SVKey="204405r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_retry" ownerid="RHEL-07-010119" disa="192" severity="medium">
+- <VMSinfo VKey="204406" SVKey="204406r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_ucredit" ownerid="RHEL-07-010120" disa="192" severity="medium">
+- <VMSinfo VKey="204407" SVKey="204407r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_lcredit" ownerid="RHEL-07-010130" disa="193" severity="medium">
+- <VMSinfo 
VKey="204408" SVKey="204408r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_dcredit" ownerid="RHEL-07-010140" disa="194" severity="medium">
+- <VMSinfo VKey="204409" SVKey="204409r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_ocredit" ownerid="RHEL-07-010150" disa="1619" severity="medium">
+- <VMSinfo VKey="204410" SVKey="204410r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_difok" ownerid="RHEL-07-010160" disa="195" severity="medium">
+- <VMSinfo VKey="204411" SVKey="204411r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_minclass" ownerid="RHEL-07-010170" disa="195" severity="medium">
+- <VMSinfo VKey="204412" SVKey="204412r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_maxrepeat" ownerid="RHEL-07-010180" disa="195" 
severity="medium">
+- <VMSinfo VKey="204413" SVKey="204413r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_maxclassrepeat" ownerid="RHEL-07-010190" disa="195" severity="medium">
+- <VMSinfo VKey="204414" SVKey="204414r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_systemauth" ownerid="RHEL-07-010200" disa="196" severity="medium">
+- <VMSinfo VKey="204415" SVKey="204415r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_logindefs" ownerid="RHEL-07-010210" disa="196" severity="medium">
+- <VMSinfo VKey="204416" SVKey="204416r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_libuserconf" ownerid="RHEL-07-010220" disa="196" severity="medium">
+- <VMSinfo VKey="204417" SVKey="204417r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords."/>
+- </overlay>
+- <overlay owner="disastig" 
ruleid="accounts_minimum_age_login_defs" ownerid="RHEL-07-010230" disa="198" severity="medium">
+- <VMSinfo VKey="204418" SVKey="204418r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_set_min_life_existing" ownerid="RHEL-07-010240" disa="198" severity="medium">
+- <VMSinfo VKey="204419" SVKey="204419r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_maximum_age_login_defs" ownerid="RHEL-07-010250" disa="199" severity="medium">
+- <VMSinfo VKey="204420" SVKey="204420r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_set_max_life_existing" ownerid="RHEL-07-010260" disa="199" severity="medium">
+- <VMSinfo VKey="204421" SVKey="204421r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_unix_remember" ownerid="RHEL-07-010270" disa="200" severity="medium">
+- <VMSinfo VKey="204422" SVKey="204422r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_minlen" ownerid="RHEL-07-010280" disa="205" severity="medium">
+- <VMSinfo VKey="204423" SVKey="204423r6032" 
VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="no_empty_passwords" ownerid="RHEL-07-010290" disa="366" severity="high">
+- <VMSinfo VKey="204424" SVKey="204424r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_empty_passwords" ownerid="RHEL-07-010300" disa="766" severity="high">
+- <VMSinfo VKey="204425" SVKey="204425r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="account_disable_post_pw_expiration" ownerid="RHEL-07-010310" disa="795" severity="medium">
+- <VMSinfo VKey="204426" SVKey="204426r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_interval" ownerid="RHEL-07-010320" disa="2238" severity="medium">
+- <VMSinfo VKey="204427" SVKey="204427r6038" VRelease="r603824"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny_root" ownerid="RHEL-07-010330" disa="2238" severity="medium">
+- <VMSinfo VKey="204428" SVKey="204428r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are 
made within a 15-minute period."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sudo_remove_nopasswd" ownerid="RHEL-07-010340" disa="2038" severity="medium">
+- <VMSinfo VKey="204429" SVKey="204429r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sudo_restrict_privilege_elevation_to_authorized" ownerid="RHEL-07-010341" disa="366" severity="medium">
+- <VMSinfo VKey="237633" SVKey="237633r6468" VRelease="r646850"/>
+- <title text="The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sudoers_validate_passwd" ownerid="RHEL-07-010342" disa="2227" severity="medium">
+- <VMSinfo VKey="237634" SVKey="237634r6468" VRelease="r646853"/>
+- <title text="The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo"."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sudo_remove_nopasswd" ownerid="RHEL-07-010343" disa="2038" severity="medium">
+- <VMSinfo VKey="237635" SVKey="237635r6468" VRelease="r646856"/>
+- <title text="The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sudo_remove_no_authenticate" ownerid="RHEL-07-010350" disa="2038" severity="medium">
+- <VMSinfo VKey="204430" SVKey="204430r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_logon_fail_delay" ownerid="RHEL-07-010430" disa="366" severity="medium">
+- <VMSinfo VKey="204431" SVKey="204431r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating 
system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="gnome_gdm_disable_automatic_login" ownerid="RHEL-07-010440" disa="366" severity="high">
+- <VMSinfo VKey="204432" SVKey="204432r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="gnome_gdm_disable_guest_login" ownerid="RHEL-07-010450" disa="366" severity="high">
+- <VMSinfo VKey="204433" SVKey="204433r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_do_not_permit_user_env" ownerid="RHEL-07-010460" disa="366" severity="medium">
+- <VMSinfo VKey="204434" SVKey="204434r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="disable_host_auth" ownerid="RHEL-07-010470" disa="366" severity="medium">
+- <VMSinfo VKey="204435" SVKey="204435r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="grub2_admin_username" ownerid="RHEL-07-010480" disa="213" severity="high">
+- <VMSinfo VKey="204436" SVKey="204436r6032" VRelease="r603261"/>
+- <title text="Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="require_singleuser_auth" ownerid="RHEL-07-010481" disa="213" 
severity="medium">
+- <VMSinfo VKey="204437" SVKey="204437r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="grub2_password" ownerid="RHEL-07-010482" disa="213" severity="high">
+- <VMSinfo VKey="204438" SVKey="204438r6032" VRelease="r603261"/>
+- <title text="Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="grub2_uefi_admin_username" ownerid="RHEL-07-010490" disa="213" severity="high">
+- <VMSinfo VKey="204439" SVKey="204439r6032" VRelease="r603261"/>
+- <title text="Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="grub2_uefi_password" ownerid="RHEL-07-010491" disa="213" severity="high">
+- <VMSinfo VKey="204440" SVKey="204440r6032" VRelease="r603261"/>
+- <title text="Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="smartcard_auth" ownerid="RHEL-07-010500" disa="766" severity="medium">
+- <VMSinfo VKey="204441" SVKey="204441r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_rsh-server_removed" ownerid="RHEL-07-020000" disa="381" severity="high">
+- <VMSinfo 
VKey="204442" SVKey="204442r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not have the rsh-server package installed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_ypserv_removed" ownerid="RHEL-07-020010" disa="381" severity="high">
+- <VMSinfo VKey="204443" SVKey="204443r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not have the ypserv package installed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_MFEhiplsm_installed" ownerid="RHEL-07-020019" disa="1263" severity="medium">
+- <VMSinfo VKey="214800" SVKey="214800r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="selinux_user_login_roles" ownerid="RHEL-07-020020" disa="2165" severity="medium">
+- <VMSinfo VKey="204444" SVKey="204444r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="aide_periodic_cron_checking" ownerid="RHEL-07-020030" disa="1744" severity="medium">
+- <VMSinfo VKey="204445" SVKey="204445r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="aide_scan_notification" ownerid="RHEL-07-020040" disa="1744" severity="medium">
+- <VMSinfo VKey="204446" SVKey="204446r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized 
manner."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="ensure_gpgcheck_globally_activated" ownerid="RHEL-07-020050" disa="1749" severity="high">
+- <VMSinfo VKey="204447" SVKey="204447r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="ensure_gpgcheck_local_packages" ownerid="RHEL-07-020060" disa="1749" severity="high">
+- <VMSinfo VKey="204448" SVKey="204448r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-07-020100" disa="366" severity="medium">
+- <VMSinfo VKey="204449" SVKey="204449r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="kernel_module_dccp_disabled" ownerid="RHEL-07-020101" disa="1958" severity="medium">
+- <VMSinfo VKey="204450" SVKey="204450r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="service_autofs_disabled" ownerid="RHEL-07-020110" disa="778" 
severity="medium">
+- <VMSinfo VKey="204451" SVKey="204451r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must disable the file system automounter unless required."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-07-020111" disa="366" severity="medium">
+- <VMSinfo VKey="219059" SVKey="219059r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="clean_components_post_updating" ownerid="RHEL-07-020200" disa="2617" severity="low">
+- <VMSinfo VKey="204452" SVKey="204452r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="selinux_state" ownerid="RHEL-07-020210" disa="2165" severity="medium">
+- <VMSinfo VKey="204453" SVKey="204453r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must enable SELinux."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="selinux_policytype" ownerid="RHEL-07-020220" disa="2696" severity="medium">
+- <VMSinfo VKey="204454" SVKey="204454r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" ownerid="RHEL-07-020230" disa="366" severity="high">
+- <VMSinfo VKey="204455" SVKey="204455r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="dconf_gnome_disable_ctrlaltdel_reboot" ownerid="RHEL-07-020231" disa="366" severity="high">
+- <VMSinfo 
VKey="204456" SVKey="204456r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_umask_etc_login_defs" ownerid="RHEL-07-020240" disa="366" severity="medium">
+- <VMSinfo VKey="204457" SVKey="204457r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="installed_OS_is_vendor_supported" ownerid="RHEL-07-020250" disa="366" severity="high">
+- <VMSinfo VKey="204458" SVKey="204458r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be a vendor supported release."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="security_patches_up_to_date" ownerid="RHEL-07-020260" disa="366" severity="medium">
+- <VMSinfo VKey="204459" SVKey="204459r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_vsftpd_removed" ownerid="RHEL-07-020270" disa="366" severity="medium">
+- <VMSinfo VKey="204460" SVKey="204460r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not have unnecessary accounts."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="gid_passwd_group_same" ownerid="RHEL-07-020300" disa="764" severity="low">
+- <VMSinfo VKey="204461" SVKey="204461r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file."/>
+- </overlay>
+- <overlay owner="disastig" 
ruleid="accounts_no_uid_except_zero" ownerid="RHEL-07-020310" disa="366" severity="high">
+- <VMSinfo VKey="204462" SVKey="204462r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="no_files_unowned_by_user" ownerid="RHEL-07-020320" disa="2165" severity="medium">
+- <VMSinfo VKey="204463" SVKey="204463r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_permissions_ungroupowned" ownerid="RHEL-07-020330" disa="2165" severity="medium">
+- <VMSinfo VKey="204464" SVKey="204464r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_have_homedir_login_defs" ownerid="RHEL-07-020610" disa="366" severity="medium">
+- <VMSinfo VKey="204466" SVKey="204466r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_exists" ownerid="RHEL-07-020620" disa="366" severity="medium">
+- <VMSinfo VKey="204467" SVKey="204467r6038" VRelease="r603826"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_permissions_home_directories" ownerid="RHEL-07-020630" disa="366" severity="medium">
+- <VMSinfo VKey="204468" SVKey="204468r6038" 
VRelease="r603828"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_ownership_home_directories" ownerid="RHEL-07-020640" disa="366" severity="medium"> +- <VMSinfo VKey="204469" SVKey="204469r6038" VRelease="r603830"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_groupownership_home_directories" ownerid="RHEL-07-020650" disa="366" severity="medium"> +- <VMSinfo VKey="204470" SVKey="204470r6038" VRelease="r603832"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_users_home_files_ownership" ownerid="RHEL-07-020660" disa="366" severity="medium"> +- <VMSinfo VKey="204471" SVKey="204471r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_users_home_files_groupownership" ownerid="RHEL-07-020670" disa="366" severity="medium"> +- <VMSinfo VKey="204472" SVKey="204472r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_users_home_files_permissions" ownerid="RHEL-07-020680" disa="366" 
severity="medium"> +- <VMSinfo VKey="204473" SVKey="204473r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_user_dot_user_ownership" ownerid="RHEL-07-020690" disa="366" severity="medium"> +- <VMSinfo VKey="204474" SVKey="204474r6038" VRelease="r603834"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_user_dot_group_ownership" ownerid="RHEL-07-020700" disa="366" severity="medium"> +- <VMSinfo VKey="204475" SVKey="204475r6038" VRelease="r603836"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permission_user_init_files" ownerid="RHEL-07-020710" disa="366" severity="medium"> +- <VMSinfo VKey="204476" SVKey="204476r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_user_home_paths_only" ownerid="RHEL-07-020720" disa="366" severity="medium"> +- <VMSinfo VKey="204477" SVKey="204477r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_user_dot_no_world_writable_programs" 
ownerid="RHEL-07-020730" disa="366" severity="medium"> +- <VMSinfo VKey="204478" SVKey="204478r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs."/> +- </overlay> +- <overlay owner="disastig" ruleid="selinux_all_devicefiles_labeled" ownerid="RHEL-07-020900" disa="318" severity="medium"> +- <VMSinfo VKey="204479" SVKey="204479r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_home_nosuid" ownerid="RHEL-07-021000" disa="366" severity="medium"> +- <VMSinfo VKey="204480" SVKey="204480r6038" VRelease="r603838"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_nosuid_removable_partitions" ownerid="RHEL-07-021010" disa="366" severity="medium"> +- <VMSinfo VKey="204481" SVKey="204481r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_nosuid_remote_filesystems" ownerid="RHEL-07-021020" disa="366" severity="medium"> +- <VMSinfo VKey="204482" SVKey="204482r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS)."/> +- </overlay> +- <overlay owner="disastig" 
ruleid="mount_option_noexec_remote_filesystems" ownerid="RHEL-07-021021" disa="366" severity="medium"> +- <VMSinfo VKey="204483" SVKey="204483r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS)."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_dev_shm_noexec" ownerid="RHEL-07-021024" disa="1764" severity="low"> +- <VMSinfo VKey="204486" SVKey="204486r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options."/> +- </overlay> +- <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned_group" ownerid="RHEL-07-021030" disa="366" severity="medium"> +- <VMSinfo VKey="204487" SVKey="204487r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group."/> +- </overlay> +- <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned" ownerid="RHEL-07-021031" disa="366" severity="medium"> +- <VMSinfo VKey="228563" SVKey="228563r6064" VRelease="r606406"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_umask_interactive_users" ownerid="RHEL-07-021040" disa="1812" severity="medium"> +- <VMSinfo VKey="204488" SVKey="204488r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts."/> +- </overlay> +- <overlay owner="disastig" ruleid="rsyslog_cron_logging" ownerid="RHEL-07-021100" disa="366" severity="medium"> +- <VMSinfo VKey="204489" SVKey="204489r6032" VRelease="r603261"/> +- <title 
text="The Red Hat Enterprise Linux operating system must have cron logging implemented."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_owner_cron_allow" ownerid="RHEL-07-021110" disa="366" severity="medium"> +- <VMSinfo VKey="204490" SVKey="204490r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_groupowner_cron_allow" ownerid="RHEL-07-021120" disa="366" severity="medium"> +- <VMSinfo VKey="204491" SVKey="204491r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_kdump_disabled" ownerid="RHEL-07-021300" disa="366" severity="medium"> +- <VMSinfo VKey="204492" SVKey="204492r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed."/> +- </overlay> +- <overlay owner="disastig" ruleid="partition_for_home" ownerid="RHEL-07-021310" disa="366" severity="low"> +- <VMSinfo VKey="204493" SVKey="204493r6038" VRelease="r603840"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent)."/> +- </overlay> +- <overlay owner="disastig" ruleid="partition_for_var" ownerid="RHEL-07-021320" disa="366" severity="low"> +- <VMSinfo VKey="204494" SVKey="204494r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must use a separate file system for /var."/> +- </overlay> +- <overlay owner="disastig" ruleid="partition_for_var_log_audit" ownerid="RHEL-07-021330" disa="366" severity="low"> +- <VMSinfo VKey="204495" SVKey="204495r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise 
Linux operating system must use a separate file system for the system audit data path."/> +- </overlay> +- <overlay owner="disastig" ruleid="partition_for_tmp" ownerid="RHEL-07-021340" disa="366" severity="low"> +- <VMSinfo VKey="204496" SVKey="204496r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent)."/> +- </overlay> +- <overlay owner="disastig" ruleid="grub2_enable_fips_mode" ownerid="RHEL-07-021350" disa="2476" severity="high"> +- <VMSinfo VKey="204497" SVKey="204497r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."/> +- </overlay> +- <overlay owner="disastig" ruleid="aide_verify_acls" ownerid="RHEL-07-021600" disa="366" severity="low"> +- <VMSinfo VKey="204498" SVKey="204498r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs)."/> +- </overlay> +- <overlay owner="disastig" ruleid="aide_verify_ext_attributes" ownerid="RHEL-07-021610" disa="366" severity="low"> +- <VMSinfo VKey="204499" SVKey="204499r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes."/> +- </overlay> +- <overlay owner="disastig" ruleid="aide_use_fips_hashes" ownerid="RHEL-07-021620" disa="366" severity="medium"> +- <VMSinfo VKey="204500" SVKey="204500r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 
140-2 approved cryptographic hashes for validating file contents and directories."/> +- </overlay> +- <overlay owner="disastig" ruleid="grub2_no_removeable_media" ownerid="RHEL-07-021700" disa="318" severity="medium"> +- <VMSinfo VKey="204501" SVKey="204501r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_telnet-server_removed" ownerid="RHEL-07-021710" disa="381" severity="high"> +- <VMSinfo VKey="204502" SVKey="204502r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must not have the telnet-server package installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="RHEL-07-030000" disa="131" severity="medium"> +- <VMSinfo VKey="204503" SVKey="204503r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_system_shutdown" ownerid="RHEL-07-030010" disa="139" severity="medium"> +- <VMSinfo VKey="204504" SVKey="204504r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. 
If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure."/> +- </overlay> +- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-07-030201" disa="1851" severity="medium"> +- <VMSinfo VKey="204506" SVKey="204506r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited."/> +- </overlay> +- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-07-030210" disa="1851" severity="medium"> +- <VMSinfo VKey="204507" SVKey="204507r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full."/> +- </overlay> +- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-07-030211" disa="1851" severity="medium"> +- <VMSinfo VKey="204508" SVKey="204508r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030300" disa="1851" severity="medium"> +- <VMSinfo VKey="204509" SVKey="204509r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="RHEL-07-030310" disa="1851" severity="medium"> +- <VMSinfo VKey="204510" SVKey="204510r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media 
from the system being audited."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_audispd_disk_full_action" ownerid="RHEL-07-030320" disa="1851" severity="medium"> +- <VMSinfo VKey="204511" SVKey="204511r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_audispd_network_failure_action" ownerid="RHEL-07-030321" disa="1851" severity="medium"> +- <VMSinfo VKey="204512" SVKey="204512r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_data_retention_space_left" ownerid="RHEL-07-030330" disa="1855" severity="medium"> +- <VMSinfo VKey="204513" SVKey="204513r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_data_retention_admin_space_left_action" ownerid="RHEL-07-030340" disa="1855" severity="medium"> +- <VMSinfo VKey="204514" SVKey="204514r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_data_retention_action_mail_acct" ownerid="RHEL-07-030350" disa="1855" severity="medium"> +- <VMSinfo 
VKey="204515" SVKey="204515r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands" ownerid="RHEL-07-030360" disa="2234" severity="medium"> +- <VMSinfo VKey="204516" SVKey="204516r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all executions of privileged functions."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_chown" ownerid="RHEL-07-030370" disa="126" severity="medium"> +- <VMSinfo VKey="204517" SVKey="204517r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchown" ownerid="RHEL-07-030380" disa="172" severity="medium"> +- <VMSinfo VKey="204518" SVKey="204518r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_lchown" ownerid="RHEL-07-030390" disa="172" severity="medium"> +- <VMSinfo VKey="204519" SVKey="204519r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchownat" ownerid="RHEL-07-030400" disa="172" severity="medium"> +- <VMSinfo VKey="204520" SVKey="204520r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall."/> +- </overlay> +- <overlay owner="disastig" 
ruleid="audit_rules_dac_modification_chmod" ownerid="RHEL-07-030410" disa="172" severity="medium"> +- <VMSinfo VKey="204521" SVKey="204521r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmod" ownerid="RHEL-07-030420" disa="172" severity="medium"> +- <VMSinfo VKey="204522" SVKey="204522r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmodat" ownerid="RHEL-07-030430" disa="172" severity="medium"> +- <VMSinfo VKey="204523" SVKey="204523r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_setxattr" ownerid="RHEL-07-030440" disa="172" severity="medium"> +- <VMSinfo VKey="204524" SVKey="204524r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fsetxattr" ownerid="RHEL-07-030450" disa="172" severity="medium"> +- <VMSinfo VKey="204525" SVKey="204525r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_lsetxattr" ownerid="RHEL-07-030460" disa="172" severity="medium"> +- <VMSinfo VKey="204526" SVKey="204526r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_removexattr" 
ownerid="RHEL-07-030470" disa="172" severity="medium"> +- <VMSinfo VKey="204527" SVKey="204527r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fremovexattr" ownerid="RHEL-07-030480" disa="172" severity="medium"> +- <VMSinfo VKey="204528" SVKey="204528r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_lremovexattr" ownerid="RHEL-07-030490" disa="172" severity="medium"> +- <VMSinfo VKey="204529" SVKey="204529r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_creat" ownerid="RHEL-07-030500" disa="2884" severity="medium"> +- <VMSinfo VKey="204530" SVKey="204530r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open" ownerid="RHEL-07-030510" disa="2884" severity="medium"> +- <VMSinfo VKey="204531" SVKey="204531r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the open syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_openat" ownerid="RHEL-07-030520" disa="2884" severity="medium"> +- <VMSinfo VKey="204532" SVKey="204532r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall."/> +- </overlay> +- <overlay owner="disastig" 
ruleid="audit_rules_unsuccessful_file_modification_open_by_handle_at" ownerid="RHEL-07-030530" disa="2884" severity="medium"> +- <VMSinfo VKey="204533" SVKey="204533r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_truncate" ownerid="RHEL-07-030540" disa="2884" severity="medium"> +- <VMSinfo VKey="204534" SVKey="204534r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_ftruncate" ownerid="RHEL-07-030550" disa="2884" severity="medium"> +- <VMSinfo VKey="204535" SVKey="204535r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_execution_semanage" ownerid="RHEL-07-030560" disa="2884" severity="medium"> +- <VMSinfo VKey="204536" SVKey="204536r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the semanage command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_execution_setsebool" ownerid="RHEL-07-030570" disa="2884" severity="medium"> +- <VMSinfo VKey="204537" SVKey="204537r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_execution_chcon" ownerid="RHEL-07-030580" disa="2884" severity="medium"> +- <VMSinfo VKey="204538" SVKey="204538r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chcon command."/> +- </overlay> +- <overlay owner="disastig" 
ruleid="audit_rules_execution_setfiles" ownerid="RHEL-07-030590" disa="2884" severity="medium"> +- <VMSinfo VKey="204539" SVKey="204539r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_login_events_faillock" ownerid="RHEL-07-030610" disa="2884" severity="medium"> +- <VMSinfo VKey="204540" SVKey="204540r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_login_events_lastlog" ownerid="RHEL-07-030620" disa="2884" severity="medium"> +- <VMSinfo VKey="204541" SVKey="204541r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_passwd" ownerid="RHEL-07-030630" disa="2884" severity="medium"> +- <VMSinfo VKey="204542" SVKey="204542r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the passwd command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_unix_chkpwd" ownerid="RHEL-07-030640" disa="2884" severity="medium"> +- <VMSinfo VKey="204543" SVKey="204543r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_gpasswd" ownerid="RHEL-07-030650" disa="2884" severity="medium"> +- <VMSinfo VKey="204544" SVKey="204544r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command."/> +- </overlay> +- <overlay owner="disastig" 
ruleid="audit_rules_privileged_commands_chage" ownerid="RHEL-07-030660" disa="2884" severity="medium"> +- <VMSinfo VKey="204545" SVKey="204545r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chage command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_userhelper" ownerid="RHEL-07-030670" disa="2884" severity="medium"> +- <VMSinfo VKey="204546" SVKey="204546r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_su" ownerid="RHEL-07-030680" disa="2884" severity="medium"> +- <VMSinfo VKey="204547" SVKey="204547r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the su command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="RHEL-07-030690" disa="2884" severity="medium"> +- <VMSinfo VKey="204548" SVKey="204548r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the sudo command."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_sysadmin_actions" ownerid="RHEL-07-030700" disa="2884" severity="medium"> +- <VMSinfo VKey="204549" SVKey="204549r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_newgrp" ownerid="RHEL-07-030710" disa="2884" severity="medium"> +- <VMSinfo VKey="204550" SVKey="204550r6032" VRelease="r603261"/> +- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command."/> +- </overlay> +- <overlay owner="disastig" 
ruleid="audit_rules_privileged_commands_chsh" ownerid="RHEL-07-030720" disa="2884" severity="medium">
+- <VMSinfo VKey="204551" SVKey="204551r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chsh command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_mount" ownerid="RHEL-07-030740" disa="2884" severity="medium">
+- <VMSinfo VKey="204552" SVKey="204552r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_umount" ownerid="RHEL-07-030750" disa="2884" severity="medium">
+- <VMSinfo VKey="204553" SVKey="204553r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the umount command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_postdrop" ownerid="RHEL-07-030760" disa="2884" severity="medium">
+- <VMSinfo VKey="204554" SVKey="204554r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_postqueue" ownerid="RHEL-07-030770" disa="2884" severity="medium">
+- <VMSinfo VKey="204555" SVKey="204555r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_ssh_keysign" ownerid="RHEL-07-030780" disa="2884" severity="medium">
+- <VMSinfo VKey="204556" SVKey="204556r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command."/>
+- </overlay>
+- <overlay owner="disastig" 
ruleid="audit_rules_privileged_commands_crontab" ownerid="RHEL-07-030800" disa="2884" severity="medium">
+- <VMSinfo VKey="204557" SVKey="204557r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the crontab command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_pam_timestamp_check" ownerid="RHEL-07-030810" disa="172" severity="medium">
+- <VMSinfo VKey="204558" SVKey="204558r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030819" disa="172" severity="medium">
+- <VMSinfo VKey="204559" SVKey="204559r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_init" ownerid="RHEL-07-030820" disa="172" severity="medium">
+- <VMSinfo VKey="204560" SVKey="204560r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_finit" ownerid="RHEL-07-030821" disa="172" severity="medium">
+- <VMSinfo VKey="204561" SVKey="204561r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030830" disa="172" severity="medium">
+- <VMSinfo VKey="204562" SVKey="204562r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall."/>
+- </overlay>
+- <overlay owner="disastig" 
ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030840" disa="172" severity="medium">
+- <VMSinfo VKey="204563" SVKey="204563r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the kmod command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="RHEL-07-030870" disa="2130" severity="medium">
+- <VMSinfo VKey="204564" SVKey="204564r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_group" ownerid="RHEL-07-030871" disa="2130" severity="medium">
+- <VMSinfo VKey="204565" SVKey="204565r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_gshadow" ownerid="RHEL-07-030872" disa="2130" severity="medium">
+- <VMSinfo VKey="204566" SVKey="204566r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_shadow" ownerid="RHEL-07-030873" disa="2130" severity="medium">
+- <VMSinfo VKey="204567" SVKey="204567r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."/>
+- </overlay>
+- <overlay owner="disastig" 
ruleid="audit_rules_usergroup_modification_opasswd" ownerid="RHEL-07-030874" disa="2130" severity="medium">
+- <VMSinfo VKey="204568" SVKey="204568r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_rename" ownerid="RHEL-07-030880" disa="2884" severity="medium">
+- <VMSinfo VKey="204569" SVKey="204569r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_renameat" ownerid="RHEL-07-030890" disa="2884" severity="medium">
+- <VMSinfo VKey="204570" SVKey="204570r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_rmdir" ownerid="RHEL-07-030900" disa="2884" severity="medium">
+- <VMSinfo VKey="204571" SVKey="204571r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_unlink" ownerid="RHEL-07-030910" disa="2884" severity="medium">
+- <VMSinfo VKey="204572" SVKey="204572r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_unlinkat" ownerid="RHEL-07-030920" disa="2884" severity="medium">
+- <VMSinfo VKey="204573" SVKey="204573r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall."/>
+- 
</overlay>
+- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-07-031000" disa="366" severity="medium">
+- <VMSinfo VKey="204574" SVKey="204574r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="rsyslog_nolisten" ownerid="RHEL-07-031010" disa="368" severity="medium">
+- <VMSinfo VKey="204575" SVKey="204575r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="install_mcafee_antivirus" ownerid="RHEL-07-032000" disa="1668" severity="high">
+- <VMSinfo VKey="214801" SVKey="214801r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must use a virus scan program."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_max_concurrent_login_sessions" ownerid="RHEL-07-040000" disa="54" severity="low">
+- <VMSinfo VKey="204576" SVKey="204576r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="configure_firewalld_ports" ownerid="RHEL-07-040100" disa="2314" severity="medium">
+- <VMSinfo VKey="204577" SVKey="204577r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_use_approved_ciphers_ordered_stig" ownerid="RHEL-07-040110" 
disa="68" severity="medium">
+- <VMSinfo VKey="204578" SVKey="204578r6038" VRelease="r603843"/>
+- <title text="The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_tmout" ownerid="RHEL-07-040160" disa="2361" severity="medium">
+- <VMSinfo VKey="204579" SVKey="204579r6468" VRelease="r646844"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="RHEL-07-040170" disa="50" severity="medium">
+- <VMSinfo VKey="204580" SVKey="204580r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sssd_ldap_start_tls" ownerid="RHEL-07-040180" disa="1453" severity="medium">
+- <VMSinfo VKey="204581" SVKey="204581r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sssd_ldap_configure_tls_reqcert" ownerid="RHEL-07-040190" disa="1453" severity="medium">
+- <VMSinfo VKey="204582" SVKey="204582r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."/>
+- </overlay>
+- <overlay owner="disastig" 
ruleid="sssd_ldap_configure_tls_ca_dir" ownerid="RHEL-07-040200" disa="1453" severity="medium">
+- <VMSinfo VKey="204583" SVKey="204583r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_kernel_randomize_va_space" ownerid="RHEL-07-040201" disa="366" severity="medium">
+- <VMSinfo VKey="204584" SVKey="204584r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must implement virtual address space randomization."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_openssh-server_installed" ownerid="RHEL-07-040300" disa="2421" severity="medium">
+- <VMSinfo VKey="204585" SVKey="204585r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="service_sshd_enabled" ownerid="RHEL-07-040310" disa="2420" severity="medium">
+- <VMSinfo VKey="204586" SVKey="204586r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_set_idle_timeout" ownerid="RHEL-07-040320" disa="2361" severity="medium">
+- <VMSinfo VKey="204587" SVKey="204587r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements."/>
+- </overlay>
+- <overlay owner="disastig" 
ruleid="sshd_disable_rhosts_rsa" ownerid="RHEL-07-040330" disa="366" severity="medium">
+- <VMSinfo VKey="204588" SVKey="204588r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_set_keepalive_0" ownerid="RHEL-07-040340" disa="2361" severity="medium">
+- <VMSinfo VKey="204589" SVKey="204589r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_rhosts" ownerid="RHEL-07-040350" disa="366" severity="medium">
+- <VMSinfo VKey="204590" SVKey="204590r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_print_last_log" ownerid="RHEL-07-040360" disa="366" severity="medium">
+- <VMSinfo VKey="204591" SVKey="204591r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="RHEL-07-040370" disa="366" severity="medium">
+- <VMSinfo VKey="204592" SVKey="204592r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_user_known_hosts" ownerid="RHEL-07-040380" disa="366" severity="medium">
+- <VMSinfo VKey="204593" SVKey="204593r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise 
Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_allow_only_protocol2" ownerid="RHEL-07-040390" disa="197" severity="high">
+- <VMSinfo VKey="204594" SVKey="204594r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_use_approved_macs_ordered_stig" ownerid="RHEL-07-040400" disa="1453" severity="medium">
+- <VMSinfo VKey="204595" SVKey="204595r6038" VRelease="r603846"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_permissions_sshd_pub_key" ownerid="RHEL-07-040410" disa="366" severity="medium">
+- <VMSinfo VKey="204596" SVKey="204596r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_permissions_sshd_private_key" ownerid="RHEL-07-040420" disa="366" severity="medium">
+- <VMSinfo VKey="204597" SVKey="204597r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_gssapi_auth" ownerid="RHEL-07-040430" disa="1814" severity="medium">
+- <VMSinfo VKey="204598" SVKey="204598r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service 
Application Program Interface (GSSAPI) authentication unless needed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_kerb_auth" ownerid="RHEL-07-040440" disa="318" severity="medium">
+- <VMSinfo VKey="204599" SVKey="204599r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_enable_strictmodes" ownerid="RHEL-07-040450" disa="366" severity="medium">
+- <VMSinfo VKey="204600" SVKey="204600r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_use_priv_separation" ownerid="RHEL-07-040460" disa="366" severity="medium">
+- <VMSinfo VKey="204601" SVKey="204601r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_compression" ownerid="RHEL-07-040470" disa="366" severity="medium">
+- <VMSinfo VKey="204602" SVKey="204602r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="chronyd_or_ntpd_set_maxpoll" ownerid="RHEL-07-040500" disa="2046" severity="medium">
+- <VMSinfo VKey="204603" SVKey="204603r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the 
appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="service_firewalld_enabled" ownerid="RHEL-07-040520" disa="366" severity="medium">
+- <VMSinfo VKey="204604" SVKey="204604r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must enable an application firewall, if available."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="display_login_attempts" ownerid="RHEL-07-040530" disa="366" severity="low">
+- <VMSinfo VKey="204605" SVKey="204605r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="no_user_host_based_files" ownerid="RHEL-07-040540" disa="366" severity="high">
+- <VMSinfo VKey="204606" SVKey="204606r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not contain .shosts files."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="no_host_based_files" ownerid="RHEL-07-040550" disa="366" severity="high">
+- <VMSinfo VKey="204607" SVKey="204607r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not contain shosts.equiv files."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="network_configure_name_resolution" ownerid="RHEL-07-040600" disa="366" severity="low">
+- <VMSinfo VKey="204608" SVKey="204608r6032" VRelease="r603261"/>
+- <title text="For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_source_route" ownerid="RHEL-07-040610" disa="366" severity="medium">
+- <VMSinfo VKey="204609" SVKey="204609r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 
(IPv4) source-routed packets."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_rp_filter" ownerid="RHEL-07-040611" disa="366" severity="medium">
+- <VMSinfo VKey="204610" SVKey="204610r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_rp_filter" ownerid="RHEL-07-040612" disa="366" severity="medium">
+- <VMSinfo VKey="204611" SVKey="204611r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_source_route" ownerid="RHEL-07-040620" disa="366" severity="medium">
+- <VMSinfo VKey="204612" SVKey="204612r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" ownerid="RHEL-07-040630" disa="366" severity="medium">
+- <VMSinfo VKey="204613" SVKey="204613r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_redirects" ownerid="RHEL-07-040640" disa="366" severity="medium">
+- <VMSinfo VKey="204614" SVKey="204614r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted."/>
+- </overlay>
+- <overlay 
owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_redirects" ownerid="RHEL-07-040641" disa="366" severity="medium">
+- <VMSinfo VKey="204615" SVKey="204615r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_send_redirects" ownerid="RHEL-07-040650" disa="366" severity="medium">
+- <VMSinfo VKey="204616" SVKey="204616r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_send_redirects" ownerid="RHEL-07-040660" disa="366" severity="medium">
+- <VMSinfo VKey="204617" SVKey="204617r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="network_sniffer_disabled" ownerid="RHEL-07-040670" disa="366" severity="medium">
+- <VMSinfo VKey="204618" SVKey="204618r6032" VRelease="r603261"/>
+- <title text="Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="postfix_prevent_unrestricted_relay" ownerid="RHEL-07-040680" disa="366" severity="medium">
+- <VMSinfo VKey="204619" SVKey="204619r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_vsftpd_removed" ownerid="RHEL-07-040690" disa="366" severity="high">
+- <VMSinfo VKey="204620" SVKey="204620r6032" 
VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_tftp-server_removed" ownerid="RHEL-07-040700" disa="318" severity="high">
+- <VMSinfo VKey="204621" SVKey="204621r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_x11_forwarding" ownerid="RHEL-07-040710" disa="366" severity="medium">
+- <VMSinfo VKey="204622" SVKey="204622r6038" VRelease="r603849"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requirements."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_x11_use_localhost" ownerid="RHEL-07-040711" disa="366" severity="medium">
+- <VMSinfo VKey="233307" SVKey="233307r6033" VRelease="r603301"/>
+- <title text="The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="tftpd_uses_secure_mode" ownerid="RHEL-07-040720" disa="366" severity="medium">
+- <VMSinfo VKey="204623" SVKey="204623r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="xwindows_remove_packages" ownerid="RHEL-07-040730" disa="366" severity="medium">
+- <VMSinfo VKey="204624" SVKey="204624r6468" VRelease="r646847"/>
+- <title text="The Red Hat Enterprise Linux operating system must not have a graphical display 
manager installed unless approved."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_ip_forward" ownerid="RHEL-07-040740" disa="366" severity="medium">
+- <VMSinfo VKey="204625" SVKey="204625r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="mount_option_krb_sec_remote_filesystems" ownerid="RHEL-07-040750" disa="366" severity="medium">
+- <VMSinfo VKey="204626" SVKey="204626r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="snmpd_not_default_password" ownerid="RHEL-07-040800" disa="366" severity="high">
+- <VMSinfo VKey="204627" SVKey="204627r6032" VRelease="r603261"/>
+- <title text="SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="set_firewalld_default_zone" ownerid="RHEL-07-040810" disa="366" severity="medium">
+- <VMSinfo VKey="204628" SVKey="204628r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="libreswan_approved_tunnels" ownerid="RHEL-07-040820" disa="366" severity="medium">
+- <VMSinfo VKey="204629" SVKey="204629r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_source_route" ownerid="RHEL-07-040830" disa="366" severity="medium">
+- <VMSinfo VKey="204630" SVKey="204630r6032" VRelease="r603261"/>
+- <title text="The Red 
Hat Enterprise Linux operating system must not forward IPv6 source-routed packets."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="install_smartcard_packages" ownerid="RHEL-07-041001" disa="1948" severity="medium">
+- <VMSinfo VKey="204631" SVKey="204631r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sssd_enable_pam_services" ownerid="RHEL-07-041002" disa="1953" severity="medium">
+- <VMSinfo VKey="204632" SVKey="204632r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="smartcard_configure_cert_checking" ownerid="RHEL-07-041003" disa="1948" severity="medium">
+- <VMSinfo VKey="204633" SVKey="204633r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="wireless_disable_interfaces" ownerid="RHEL-07-041010" disa="2418" severity="medium">
+- <VMSinfo VKey="204634" SVKey="204634r6032" VRelease="r603261"/>
+- <title text="The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_permissions_var_log_audit" ownerid="RHEL-07-910055" disa="164" severity="medium">
+- <VMSinfo VKey="228564" SVKey="228564r6064" VRelease="r606407"/>
+- <title text="The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion."/>
+- </overlay>
+-</overlays>
+diff --git a/products/rhel8/overlays/stig_overlay.xml b/products/rhel8/overlays/stig_overlay.xml
+deleted file mode 100644 
+index 70b33c84493..00000000000
+--- a/products/rhel8/overlays/stig_overlay.xml
++++ /dev/null
+@@ -1,1375 +0,0 @@
+-<?xml version="1.0" encoding="UTF-8"?>
+-<overlays xmlns="http://checklists.nist.gov/xccdf/1.1">
+- <overlay owner="disastig" ruleid="installed_OS_is_vendor_supported" ownerid="RHEL-08-010000" disa="366" severity="high">
+- <VMSinfo VKey="230221" SVKey="230221r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must be a vendor-supported release."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="security_patches_up_to_date" ownerid="RHEL-08-010010" disa="366" severity="medium">
+- <VMSinfo VKey="230222" SVKey="230222r6277" VRelease="r627750"/>
+- <title text="RHEL 8 vendor packaged system security patches and updates must be installed and up to date."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="enable_fips_mode" ownerid="RHEL-08-010020" disa="68" severity="high">
+- <VMSinfo VKey="230223" SVKey="230223r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="encrypt_partitions" ownerid="RHEL-08-010030" disa="1199" severity="medium">
+- <VMSinfo VKey="230224" SVKey="230224r6277" VRelease="r627750"/>
+- <title text="All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="RHEL-08-010040" disa="48" severity="medium">
+- <VMSinfo VKey="230225" SVKey="230225r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or 
remote access to the system via a ssh logon."/> +- </overlay> +- <overlay owner="disastig" ruleid="dconf_gnome_banner_enabled" ownerid="RHEL-08-010050" disa="48" severity="medium"> +- <VMSinfo VKey="230226" SVKey="230226r6277" VRelease="r627750"/> +- <title text="RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/> +- </overlay> +- <overlay owner="disastig" ruleid="banner_etc_issue" ownerid="RHEL-08-010060" disa="48" severity="medium"> +- <VMSinfo VKey="230227" SVKey="230227r6277" VRelease="r627750"/> +- <title text="RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010070" disa="67" severity="medium"> +- <VMSinfo VKey="230228" SVKey="230228r6277" VRelease="r627750"/> +- <title text="All RHEL 8 remote access methods must be monitored."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010090" disa="185" severity="medium"> +- <VMSinfo VKey="230229" SVKey="230229r6277" VRelease="r627750"/> +- <title text="RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010100" disa="186" severity="medium"> +- <VMSinfo VKey="230230" SVKey="230230r6277" VRelease="r627750"/> +- <title text="RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key."/> +- </overlay> +- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_logindefs" ownerid="RHEL-08-010110" disa="196" severity="medium"> +- <VMSinfo VKey="230231" SVKey="230231r6277" VRelease="r627750"/> +- <title text="RHEL 8 must encrypt all stored passwords with a FIPS 140-2 
approved cryptographic hashing algorithm."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010120" disa="196" severity="medium"> +- <VMSinfo VKey="230232" SVKey="230232r6277" VRelease="r627750"/> +- <title text="RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_pam_unix_rounds_password_auth" ownerid="RHEL-08-010130" disa="196" severity="medium"> +- <VMSinfo VKey="230233" SVKey="230233r6277" VRelease="r627750"/> +- <title text="RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords."/> +- </overlay> +- <overlay owner="disastig" ruleid="grub2_uefi_admin_username" ownerid="RHEL-08-010140" disa="213" severity="high"> +- <VMSinfo VKey="230234" SVKey="230234r6277" VRelease="r627750"/> +- <title text="RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance."/> +- </overlay> +- <overlay owner="disastig" ruleid="grub2_admin_username" ownerid="RHEL-08-010150" disa="213" severity="high"> +- <VMSinfo VKey="230235" SVKey="230235r6277" VRelease="r627750"/> +- <title text="RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes."/> +- </overlay> +- <overlay owner="disastig" ruleid="require_singleuser_auth" ownerid="RHEL-08-010151" disa="213" severity="medium"> +- <VMSinfo VKey="230236" SVKey="230236r6277" VRelease="r627750"/> +- <title text="RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes."/> +- </overlay> +- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_systemauth" ownerid="RHEL-08-010160" disa="803" severity="medium"> +- <VMSinfo VKey="230237" SVKey="230237r6277" VRelease="r627750"/> +- <title text="The RHEL 8 pam_unix.so module must use a 
FIPS 140-2 approved cryptographic hashing algorithm for system authentication."/> +- </overlay> +- <overlay owner="disastig" ruleid="kerberos_disable_no_keytab" ownerid="RHEL-08-010161" disa="803" severity="medium"> +- <VMSinfo VKey="230238" SVKey="230238r6468" VRelease="r646862"/> +- <title text="RHEL 8 must prevent system daemons from using Kerberos for authentication."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_krb5-workstation_removed" ownerid="RHEL-08-010162" disa="803" severity="medium"> +- <VMSinfo VKey="230239" SVKey="230239r6468" VRelease="r646864"/> +- <title text="The krb5-workstation package must not be installed on RHEL 8."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_rsyslog-gnutls_installed" ownerid="RHEL-08-010163" disa="803" severity="medium"> +- <VMSinfo VKey="237640" SVKey="237640r6468" VRelease="r646890"/> +- <title text="The krb5-server package must not be installed on RHEL 8."/> +- </overlay> +- <overlay owner="disastig" ruleid="selinux_state" ownerid="RHEL-08-010170" disa="1084" severity="medium"> +- <VMSinfo VKey="230240" SVKey="230240r6277" VRelease="r627750"/> +- <title text="RHEL 8 must use a Linux Security Module configured to enforce limits on system services."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_policycoreutils_installed" ownerid="RHEL-08-010171" disa="1084" severity="low"> +- <VMSinfo VKey="230241" SVKey="230241r6277" VRelease="r627750"/> +- <title text="RHEL 8 must have policycoreutils package installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_kernel_dmesg_restrict" ownerid="RHEL-08-010180" disa="1090" severity="medium"> +- <VMSinfo VKey="230242" SVKey="230242r6277" VRelease="r627750"/> +- <title text="All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources."/> +- </overlay> +- <overlay owner="disastig" ruleid="dir_perms_world_writable_sticky_bits" 
ownerid="RHEL-08-010190" disa="1090" severity="medium"> +- <VMSinfo VKey="230243" SVKey="230243r6277" VRelease="r627750"/> +- <title text="A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_set_idle_timeout" ownerid="RHEL-08-010200" disa="1133" severity="medium"> +- <VMSinfo VKey="230244" SVKey="230244r6277" VRelease="r627750"/> +- <title text="RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permissions_var_log_messages" ownerid="RHEL-08-010210" disa="1314" severity="medium"> +- <VMSinfo VKey="230245" SVKey="230245r6277" VRelease="r627750"/> +- <title text="The RHEL 8 /var/log/messages file must have mode 0640 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_owner_var_log_messages" ownerid="RHEL-08-010220" disa="1314" severity="medium"> +- <VMSinfo VKey="230246" SVKey="230246r6277" VRelease="r627750"/> +- <title text="The RHEL 8 /var/log/messages file must be owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_groupowner_var_log_messages" ownerid="RHEL-08-010230" disa="1314" severity="medium"> +- <VMSinfo VKey="230247" SVKey="230247r6277" VRelease="r627750"/> +- <title text="The RHEL 8 /var/log/messages file must be group-owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permissions_var_log" ownerid="RHEL-08-010240" disa="1314" severity="medium"> +- <VMSinfo VKey="230248" SVKey="230248r6277" VRelease="r627750"/> +- <title text="The RHEL 8 /var/log directory must have mode 0755 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_owner_var_log" ownerid="RHEL-08-010250" 
disa="1314" severity="medium"> +- <VMSinfo VKey="230249" SVKey="230249r6277" VRelease="r627750"/> +- <title text="The RHEL 8 /var/log directory must be owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_groupowner_var_log" ownerid="RHEL-08-010260" disa="1314" severity="medium"> +- <VMSinfo VKey="230250" SVKey="230250r6277" VRelease="r627750"/> +- <title text="The RHEL 8 /var/log directory must be group-owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010290" disa="1453" severity="medium"> +- <VMSinfo VKey="230251" SVKey="230251r6468" VRelease="r646866"/> +- <title text="The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010291" disa="1453" severity="medium"> +- <VMSinfo VKey="230252" SVKey="230252r6468" VRelease="r646869"/> +- <title text="The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_use_strong_rng" ownerid="RHEL-08-010292" disa="366" severity="low"> +- <VMSinfo VKey="230253" SVKey="230253r6277" VRelease="r627750"/> +- <title text="RHEL 8 must ensure the SSH server uses strong entropy."/> +- </overlay> +- <overlay owner="disastig" ruleid="configure_openssl_crypto_policy" ownerid="RHEL-08-010293" disa="1453" severity="medium"> +- <VMSinfo VKey="230254" SVKey="230254r6277" VRelease="r627750"/> +- <title text="The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010294" disa="1453" severity="medium"> +- <VMSinfo VKey="230255" SVKey="230255r6277" VRelease="r627750"/> +- <title text="The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package."/> +- 
</overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010295" disa="1453" severity="medium"> +- <VMSinfo VKey="230256" SVKey="230256r6277" VRelease="r627750"/> +- <title text="The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permissions_binary_dirs" ownerid="RHEL-08-010300" disa="1499" severity="medium"> +- <VMSinfo VKey="230257" SVKey="230257r6277" VRelease="r627750"/> +- <title text="RHEL 8 system commands must have mode 0755 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_ownership_binary_dirs" ownerid="RHEL-08-010310" disa="1499" severity="medium"> +- <VMSinfo VKey="230258" SVKey="230258r6277" VRelease="r627750"/> +- <title text="RHEL 8 system commands must be owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010320" disa="1499" severity="medium"> +- <VMSinfo VKey="230259" SVKey="230259r6277" VRelease="r627750"/> +- <title text="RHEL 8 system commands must be group-owned by root or a system account."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permissions_library_dirs" ownerid="RHEL-08-010330" disa="1499" severity="medium"> +- <VMSinfo VKey="230260" SVKey="230260r6277" VRelease="r627750"/> +- <title text="RHEL 8 library files must have mode 0755 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_ownership_library_dirs" ownerid="RHEL-08-010340" disa="1499" severity="medium"> +- <VMSinfo VKey="230261" SVKey="230261r6277" VRelease="r627750"/> +- <title text="RHEL 8 library files must be owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010350" disa="1499" severity="medium"> +- <VMSinfo VKey="230262" SVKey="230262r6277" VRelease="r627750"/> +- <title text="RHEL 8 library files must be group-owned by root or a system account."/> +- </overlay> +- <overlay owner="disastig" 
ruleid="aide_scan_notification" ownerid="RHEL-08-010360" disa="1744" severity="medium"> +- <VMSinfo VKey="230263" SVKey="230263r6277" VRelease="r627750"/> +- <title text="The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency."/> +- </overlay> +- <overlay owner="disastig" ruleid="ensure_gpgcheck_globally_activated" ownerid="RHEL-08-010370" disa="1749" severity="high"> +- <VMSinfo VKey="230264" SVKey="230264r6277" VRelease="r627750"/> +- <title text="RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/> +- </overlay> +- <overlay owner="disastig" ruleid="ensure_gpgcheck_local_packages" ownerid="RHEL-08-010371" disa="1749" severity="high"> +- <VMSinfo VKey="230265" SVKey="230265r6277" VRelease="r627750"/> +- <title text="RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_kernel_kexec_load_disabled" ownerid="RHEL-08-010372" disa="1749" severity="medium"> +- <VMSinfo VKey="230266" SVKey="230266r6277" VRelease="r627750"/> +- <title text="RHEL 8 must prevent the loading of a new kernel for later execution."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_fs_protected_symlinks" ownerid="RHEL-08-010373" disa="2165" severity="medium"> +- <VMSinfo VKey="230267" SVKey="230267r6277" VRelease="r627750"/> +- <title text="RHEL 8 
must enable kernel parameters to enforce discretionary access control on symlinks."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_fs_protected_hardlinks" ownerid="RHEL-08-010374" disa="2165" severity="medium"> +- <VMSinfo VKey="230268" SVKey="230268r6277" VRelease="r627750"/> +- <title text="RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_kernel_dmesg_restrict" ownerid="RHEL-08-010375" disa="1090" severity="low"> +- <VMSinfo VKey="230269" SVKey="230269r6277" VRelease="r627750"/> +- <title text="RHEL 8 must restrict access to the kernel message buffer."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_kernel_perf_event_paranoid" ownerid="RHEL-08-010376" disa="1090" severity="low"> +- <VMSinfo VKey="230270" SVKey="230270r6277" VRelease="r627750"/> +- <title text="RHEL 8 must prevent kernel profiling by unprivileged users."/> +- </overlay> +- <overlay owner="disastig" ruleid="sudo_remove_nopasswd" ownerid="RHEL-08-010380" disa="2038" severity="medium"> +- <VMSinfo VKey="230271" SVKey="230271r6277" VRelease="r627750"/> +- <title text="RHEL 8 must require users to provide a password for privilege escalation."/> +- </overlay> +- <overlay owner="disastig" ruleid="sudo_remove_no_authenticate" ownerid="RHEL-08-010381" disa="2038" severity="medium"> +- <VMSinfo VKey="230272" SVKey="230272r6277" VRelease="r627750"/> +- <title text="RHEL 8 must require users to reauthenticate for privilege escalation."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_sendmail_removed" ownerid="RHEL-08-010382" disa="366" severity="medium"> +- <VMSinfo VKey="237641" SVKey="237641r6468" VRelease="r646893"/> +- <title text="RHEL 8 must restrict privilege elevation to authorized personnel."/> +- </overlay> +- <overlay owner="disastig" ruleid="sudoers_validate_passwd" ownerid="RHEL-08-010383" disa="2227" severity="medium"> +- <VMSinfo VKey="237642" 
SVKey="237642r6468" VRelease="r646896"/> +- <title text="RHEL 8 must use the invoking user's password for privilege escalation when using "sudo"."/> +- </overlay> +- <overlay owner="disastig" ruleid="sudo_remove_nopasswd" ownerid="RHEL-08-010384" disa="2038" severity="medium"> +- <VMSinfo VKey="237643" SVKey="237643r6468" VRelease="r646899"/> +- <title text="RHEL 8 must require re-authentication when using the "sudo" command."/> +- </overlay> +- <overlay owner="disastig" ruleid="install_smartcard_packages" ownerid="RHEL-08-010390" disa="1948" severity="medium"> +- <VMSinfo VKey="230273" SVKey="230273r6277" VRelease="r627750"/> +- <title text="RHEL 8 must have the packages required for multifactor authentication installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="sssd_enable_smartcards" ownerid="RHEL-08-010400" disa="1948" severity="medium"> +- <VMSinfo VKey="230274" SVKey="230274r6277" VRelease="r627750"/> +- <title text="RHEL 8 must implement certificate status checking for multifactor authentication."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_opensc_installed" ownerid="RHEL-08-010410" disa="1953" severity="medium"> +- <VMSinfo VKey="230275" SVKey="230275r6277" VRelease="r627750"/> +- <title text="RHEL 8 must accept Personal Identity Verification (PIV) credentials."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_kernel_kptr_restrict" ownerid="RHEL-08-010420" disa="2824" severity="medium"> +- <VMSinfo VKey="230276" SVKey="230276r6277" VRelease="r627750"/> +- <title text="RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution."/> +- </overlay> +- <overlay owner="disastig" ruleid="grub2_page_poison_argument" ownerid="RHEL-08-010421" disa="1084" severity="medium"> +- <VMSinfo VKey="230277" SVKey="230277r6277" VRelease="r627750"/> +- <title text="RHEL 8 must clear the page allocator to prevent use-after-free attacks."/> +- </overlay> +- <overlay owner="disastig" 
ruleid="grub2_vsyscall_argument" ownerid="RHEL-08-010422" disa="1084" severity="medium"> +- <VMSinfo VKey="230278" SVKey="230278r6277" VRelease="r627750"/> +- <title text="RHEL 8 must disable virtual syscalls."/> +- </overlay> +- <overlay owner="disastig" ruleid="grub2_slub_debug_argument" ownerid="RHEL-08-010423" disa="1084" severity="medium"> +- <VMSinfo VKey="230279" SVKey="230279r6277" VRelease="r627750"/> +- <title text="RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_kernel_randomize_va_space" ownerid="RHEL-08-010430" disa="2824" severity="medium"> +- <VMSinfo VKey="230280" SVKey="230280r6277" VRelease="r627750"/> +- <title text="RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution."/> +- </overlay> +- <overlay owner="disastig" ruleid="clean_components_post_updating" ownerid="RHEL-08-010440" disa="2617" severity="low"> +- <VMSinfo VKey="230281" SVKey="230281r6277" VRelease="r627750"/> +- <title text="YUM must remove all software components after updated versions have been installed on RHEL 8."/> +- </overlay> +- <overlay owner="disastig" ruleid="selinux_policytype" ownerid="RHEL-08-010450" disa="2696" severity="medium"> +- <VMSinfo VKey="230282" SVKey="230282r6277" VRelease="r627750"/> +- <title text="RHEL 8 must enable the SELinux targeted policy."/> +- </overlay> +- <overlay owner="disastig" ruleid="no_host_based_files" ownerid="RHEL-08-010460" disa="366" severity="high"> +- <VMSinfo VKey="230283" SVKey="230283r6277" VRelease="r627750"/> +- <title text="There must be no shosts.equiv files on the RHEL 8 operating system."/> +- </overlay> +- <overlay owner="disastig" ruleid="no_user_host_based_files" ownerid="RHEL-08-010470" disa="366" severity="high"> +- <VMSinfo VKey="230284" SVKey="230284r6277" VRelease="r627750"/> +- <title text="There must be no .shosts files on the RHEL 8 operating system."/> +- </overlay> 
+- <overlay owner="disastig" ruleid="service_rngd_enabled" ownerid="RHEL-08-010471" disa="366" severity="low"> +- <VMSinfo VKey="230285" SVKey="230285r6277" VRelease="r627750"/> +- <title text="RHEL 8 must enable the hardware random number generator entropy gatherer service."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permissions_sshd_pub_key" ownerid="RHEL-08-010480" disa="366" severity="medium"> +- <VMSinfo VKey="230286" SVKey="230286r6277" VRelease="r627750"/> +- <title text="The RHEL 8 SSH public host key files must have mode 0644 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permissions_sshd_private_key" ownerid="RHEL-08-010490" disa="366" severity="medium"> +- <VMSinfo VKey="230287" SVKey="230287r6277" VRelease="r627750"/> +- <title text="The RHEL 8 SSH private host key files must have mode 0640 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_enable_strictmodes" ownerid="RHEL-08-010500" disa="366" severity="medium"> +- <VMSinfo VKey="230288" SVKey="230288r6277" VRelease="r627750"/> +- <title text="The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_compression" ownerid="RHEL-08-010510" disa="366" severity="medium"> +- <VMSinfo VKey="230289" SVKey="230289r6277" VRelease="r627750"/> +- <title text="The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_user_known_hosts" ownerid="RHEL-08-010520" disa="366" severity="medium"> +- <VMSinfo VKey="230290" SVKey="230290r6277" VRelease="r627750"/> +- <title text="The RHEL 8 SSH daemon must not allow authentication using known host’s authentication."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_kerb_auth" ownerid="RHEL-08-010521" disa="366" severity="medium"> +- <VMSinfo VKey="230291" 
SVKey="230291r6277" VRelease="r627750"/> +- <title text="The RHEL 8 SSH daemon must not allow unused methods of authentication."/> +- </overlay> +- <overlay owner="disastig" ruleid="partition_for_var" ownerid="RHEL-08-010540" disa="366" severity="low"> +- <VMSinfo VKey="230292" SVKey="230292r6277" VRelease="r627750"/> +- <title text="RHEL 8 must use a separate file system for /var."/> +- </overlay> +- <overlay owner="disastig" ruleid="partition_for_var_log" ownerid="RHEL-08-010541" disa="366" severity="low"> +- <VMSinfo VKey="230293" SVKey="230293r6277" VRelease="r627750"/> +- <title text="RHEL 8 must use a separate file system for /var/log."/> +- </overlay> +- <overlay owner="disastig" ruleid="partition_for_var_log_audit" ownerid="RHEL-08-010542" disa="366" severity="low"> +- <VMSinfo VKey="230294" SVKey="230294r6277" VRelease="r627750"/> +- <title text="RHEL 8 must use a separate file system for the system audit data path."/> +- </overlay> +- <overlay owner="disastig" ruleid="partition_for_tmp" ownerid="RHEL-08-010543" disa="366" severity="medium"> +- <VMSinfo VKey="230295" SVKey="230295r6277" VRelease="r627750"/> +- <title text="A separate RHEL 8 filesystem must be used for the /tmp directory."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="RHEL-08-010550" disa="770" severity="medium"> +- <VMSinfo VKey="230296" SVKey="230296r6277" VRelease="r627750"/> +- <title text="RHEL 8 must not permit direct logons to the root account using remote access via SSH."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="RHEL-08-010560" disa="366" severity="medium"> +- <VMSinfo VKey="230297" SVKey="230297r6277" VRelease="r627750"/> +- <title text="The auditd service must be running in RHEL 8."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_rsyslog_enabled" ownerid="RHEL-08-010561" disa="366" severity="medium"> +- <VMSinfo VKey="230298" SVKey="230298r6277" VRelease="r627750"/> +- <title 
text="The rsyslog service must be running in RHEL 8."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_home_nosuid" ownerid="RHEL-08-010570" disa="366" severity="medium"> +- <VMSinfo VKey="230299" SVKey="230299r6277" VRelease="r627750"/> +- <title text="RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_boot_nosuid" ownerid="RHEL-08-010571" disa="366" severity="medium"> +- <VMSinfo VKey="230300" SVKey="230300r6277" VRelease="r627750"/> +- <title text="RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_nodev_nonroot_local_partitions" ownerid="RHEL-08-010580" disa="366" severity="medium"> +- <VMSinfo VKey="230301" SVKey="230301r6277" VRelease="r627750"/> +- <title text="RHEL 8 must prevent special devices on non-root local partitions."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_sendmail_removed" ownerid="RHEL-08-010590" disa="366" severity="medium"> +- <VMSinfo VKey="230302" SVKey="230302r6277" VRelease="r627750"/> +- <title text="RHEL 8 must prevent code from being executed on file systems that contain user home directories."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_nodev_removable_partitions" ownerid="RHEL-08-010600" disa="366" severity="medium"> +- <VMSinfo VKey="230303" SVKey="230303r6277" VRelease="r627750"/> +- <title text="RHEL 8 must prevent special devices on file systems that are used with removable media."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_noexec_removable_partitions" ownerid="RHEL-08-010610" disa="366" severity="medium"> +- <VMSinfo VKey="230304" SVKey="230304r6277" VRelease="r627750"/> +- <title text="RHEL 8 must prevent code from being executed on file systems that are used with removable media."/> 
+- </overlay> +- <overlay owner="disastig" ruleid="mount_option_nosuid_removable_partitions" ownerid="RHEL-08-010620" disa="366" severity="medium"> +- <VMSinfo VKey="230305" SVKey="230305r6277" VRelease="r627750"/> +- <title text="RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_noexec_remote_filesystems" ownerid="RHEL-08-010630" disa="366" severity="medium"> +- <VMSinfo VKey="230306" SVKey="230306r6277" VRelease="r627750"/> +- <title text="RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS)."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_nodev_remote_filesystems" ownerid="RHEL-08-010640" disa="366" severity="medium"> +- <VMSinfo VKey="230307" SVKey="230307r6277" VRelease="r627750"/> +- <title text="RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS)."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_nosuid_remote_filesystems" ownerid="RHEL-08-010650" disa="366" severity="medium"> +- <VMSinfo VKey="230308" SVKey="230308r6277" VRelease="r627750"/> +- <title text="RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_user_dot_no_world_writable_programs" ownerid="RHEL-08-010660" disa="366" severity="medium"> +- <VMSinfo VKey="230309" SVKey="230309r6277" VRelease="r627750"/> +- <title text="Local RHEL 8 initialization files must not execute world-writable programs."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_kdump_disabled" ownerid="RHEL-08-010670" disa="366" severity="medium"> +- <VMSinfo VKey="230310" SVKey="230310r6277" VRelease="r627750"/> +- <title text="RHEL 8 must disable kernel dumps unless needed."/> +- 
</overlay> +- <overlay owner="disastig" ruleid="sysctl_kernel_core_pattern" ownerid="RHEL-08-010671" disa="366" severity="medium"> +- <VMSinfo VKey="230311" SVKey="230311r6277" VRelease="r627750"/> +- <title text="RHEL 8 must disable the kernel.core_pattern."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_systemd-coredump_disabled" ownerid="RHEL-08-010672" disa="366" severity="medium"> +- <VMSinfo VKey="230312" SVKey="230312r6277" VRelease="r627750"/> +- <title text="RHEL 8 must disable acquiring, saving, and processing core dumps."/> +- </overlay> +- <overlay owner="disastig" ruleid="disable_users_coredumps" ownerid="RHEL-08-010673" disa="366" severity="medium"> +- <VMSinfo VKey="230313" SVKey="230313r6277" VRelease="r627750"/> +- <title text="RHEL 8 must disable core dumps for all users."/> +- </overlay> +- <overlay owner="disastig" ruleid="coredump_disable_storage" ownerid="RHEL-08-010674" disa="366" severity="medium"> +- <VMSinfo VKey="230314" SVKey="230314r6277" VRelease="r627750"/> +- <title text="RHEL 8 must disable storing core dumps."/> +- </overlay> +- <overlay owner="disastig" ruleid="coredump_disable_backtraces" ownerid="RHEL-08-010675" disa="366" severity="medium"> +- <VMSinfo VKey="230315" SVKey="230315r6277" VRelease="r627750"/> +- <title text="RHEL 8 must disable core dump backtraces."/> +- </overlay> +- <overlay owner="disastig" ruleid="network_configure_name_resolution" ownerid="RHEL-08-010680" disa="366" severity="medium"> +- <VMSinfo VKey="230316" SVKey="230316r6277" VRelease="r627750"/> +- <title text="For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_user_home_paths_only" ownerid="RHEL-08-010690" disa="366" severity="medium"> +- <VMSinfo VKey="230317" SVKey="230317r6277" VRelease="r627750"/> +- <title text="Executable search paths within the initialization files of all local interactive RHEL 8 users must only 
contain paths that resolve to the system default or the users home directory."/> +- </overlay> +- <overlay owner="disastig" ruleid="dir_perms_world_writable_root_owned" ownerid="RHEL-08-010700" disa="366" severity="medium"> +- <VMSinfo VKey="230318" SVKey="230318r6277" VRelease="r627750"/> +- <title text="All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_sendmail_removed" ownerid="RHEL-08-010710" disa="366" severity="medium"> +- <VMSinfo VKey="230319" SVKey="230319r6277" VRelease="r627750"/> +- <title text="All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_defined" ownerid="RHEL-08-010720" disa="366" severity="medium"> +- <VMSinfo VKey="230320" SVKey="230320r6277" VRelease="r627750"/> +- <title text="All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permissions_home_directories" ownerid="RHEL-08-010730" disa="366" severity="medium"> +- <VMSinfo VKey="230321" SVKey="230321r6277" VRelease="r627750"/> +- <title text="All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_groupownership_home_directories" ownerid="RHEL-08-010740" disa="366" severity="medium"> +- <VMSinfo VKey="230322" SVKey="230322r6277" VRelease="r627750"/> +- <title text="All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_exists" ownerid="RHEL-08-010750" disa="366" severity="medium"> +- <VMSinfo VKey="230323" SVKey="230323r6277" VRelease="r627750"/> +- <title text="All RHEL 8 local interactive user 
home directories defined in the /etc/passwd file must exist."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_have_homedir_login_defs" ownerid="RHEL-08-010760" disa="366" severity="medium"> +- <VMSinfo VKey="230324" SVKey="230324r6277" VRelease="r627750"/> +- <title text="All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permission_user_init_files" ownerid="RHEL-08-010770" disa="366" severity="medium"> +- <VMSinfo VKey="230325" SVKey="230325r6277" VRelease="r627750"/> +- <title text="All RHEL 8 local initialization files must have mode 0740 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="no_files_unowned_by_user" ownerid="RHEL-08-010780" disa="366" severity="medium"> +- <VMSinfo VKey="230326" SVKey="230326r6277" VRelease="r627750"/> +- <title text="All RHEL 8 local files and directories must have a valid owner."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permissions_ungroupowned" ownerid="RHEL-08-010790" disa="366" severity="medium"> +- <VMSinfo VKey="230327" SVKey="230327r6277" VRelease="r627750"/> +- <title text="All RHEL 8 local files and directories must have a valid group owner."/> +- </overlay> +- <overlay owner="disastig" ruleid="partition_for_home" ownerid="RHEL-08-010800" disa="366" severity="medium"> +- <VMSinfo VKey="230328" SVKey="230328r6277" VRelease="r627750"/> +- <title text="A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)."/> +- </overlay> +- <overlay owner="disastig" ruleid="gnome_gdm_disable_automatic_login" ownerid="RHEL-08-010820" disa="366" severity="high"> +- <VMSinfo VKey="230329" SVKey="230329r6277" VRelease="r627750"/> +- <title text="Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_do_not_permit_user_env" ownerid="RHEL-08-010830" 
disa="366" severity="medium">
+- <VMSinfo VKey="230330" SVKey="230330r6468" VRelease="r646870"/>
+- <title text="RHEL 8 must not allow users to override SSH environment variables."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="account_temp_expire_date" ownerid="RHEL-08-020000" disa="16" severity="medium">
+- <VMSinfo VKey="230331" SVKey="230331r6277" VRelease="r627750"/>
+- <title text="RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020010" disa="44" severity="medium">
+- <VMSinfo VKey="230332" SVKey="230332r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020011" disa="44" severity="medium">
+- <VMSinfo VKey="230333" SVKey="230333r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_interval" ownerid="RHEL-08-020012" disa="44" severity="medium">
+- <VMSinfo VKey="230334" SVKey="230334r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020013" disa="44" severity="medium">
+- <VMSinfo VKey="230335" SVKey="230335r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_unlock_time" ownerid="RHEL-08-020014" disa="44" severity="medium">
+- <VMSinfo 
VKey="230336" SVKey="230336r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020015" disa="44" severity="medium">
+- <VMSinfo VKey="230337" SVKey="230337r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020016" disa="44" severity="medium">
+- <VMSinfo VKey="230338" SVKey="230338r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must ensure account lockouts persist."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020017" disa="44" severity="medium">
+- <VMSinfo VKey="230339" SVKey="230339r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must ensure account lockouts persist."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020018" disa="44" severity="medium">
+- <VMSinfo VKey="230340" SVKey="230340r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020019" disa="44" severity="medium">
+- <VMSinfo VKey="230341" SVKey="230341r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020020" disa="44" 
severity="medium">
+- <VMSinfo VKey="230342" SVKey="230342r6468" VRelease="r646872"/>
+- <title text="RHEL 8 must log user name information when unsuccessful logon attempts occur."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020021" disa="44" severity="medium">
+- <VMSinfo VKey="230343" SVKey="230343r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must log user name information when unsuccessful logon attempts occur."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny_root" ownerid="RHEL-08-020022" disa="44" severity="medium">
+- <VMSinfo VKey="230344" SVKey="230344r6468" VRelease="r646874"/>
+- <title text="RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020023" disa="44" severity="medium">
+- <VMSinfo VKey="230345" SVKey="230345r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_max_concurrent_login_sessions" ownerid="RHEL-08-020024" disa="54" severity="low">
+- <VMSinfo VKey="230346" SVKey="230346r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_enabled" ownerid="RHEL-08-020030" disa="56" severity="medium">
+- <VMSinfo VKey="230347" SVKey="230347r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must enable a user session lock until that user re-establishes access using established 
identification and authentication procedures for graphical user sessions."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="configure_tmux_lock_command" ownerid="RHEL-08-020040" disa="56" severity="medium">
+- <VMSinfo VKey="230348" SVKey="230348r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="configure_bashrc_exec_tmux" ownerid="RHEL-08-020041" disa="56" severity="medium">
+- <VMSinfo VKey="230349" SVKey="230349r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must ensure session control is automatically started at shell initialization."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="no_tmux_in_shells" ownerid="RHEL-08-020042" disa="56" severity="low">
+- <VMSinfo VKey="230350" SVKey="230350r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must prevent users from disabling session control mechanisms."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="dconf_gnome_lock_screen_on_smartcard_removal" ownerid="RHEL-08-020050" disa="56" severity="medium">
+- <VMSinfo VKey="230351" SVKey="230351r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_delay" ownerid="RHEL-08-020060" disa="57" severity="medium">
+- <VMSinfo VKey="230352" SVKey="230352r6468" VRelease="r646876"/>
+- <title text="RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="configure_tmux_lock_after_time" ownerid="RHEL-08-020070" disa="57" severity="medium">
+- <VMSinfo VKey="230353" SVKey="230353r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must automatically lock command line user 
sessions after 15 minutes of inactivity."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020080" disa="57" severity="medium">
+- <VMSinfo VKey="230354" SVKey="230354r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must prevent a user from overriding graphical user interface settings."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020090" disa="187" severity="medium">
+- <VMSinfo VKey="230355" SVKey="230355r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_retry" ownerid="RHEL-08-020100" disa="192" severity="medium">
+- <VMSinfo VKey="230356" SVKey="230356r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must ensure a password complexity module is enabled."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_ucredit" ownerid="RHEL-08-020110" disa="192" severity="medium">
+- <VMSinfo VKey="230357" SVKey="230357r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_lcredit" ownerid="RHEL-08-020120" disa="193" severity="medium">
+- <VMSinfo VKey="230358" SVKey="230358r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_dcredit" ownerid="RHEL-08-020130" disa="194" severity="medium">
+- <VMSinfo VKey="230359" SVKey="230359r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must enforce password complexity by requiring that at least one numeric character be used."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_maxclassrepeat" ownerid="RHEL-08-020140" disa="195" 
severity="medium">
+- <VMSinfo VKey="230360" SVKey="230360r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_maxrepeat" ownerid="RHEL-08-020150" disa="195" severity="medium">
+- <VMSinfo VKey="230361" SVKey="230361r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_minclass" ownerid="RHEL-08-020160" disa="195" severity="medium">
+- <VMSinfo VKey="230362" SVKey="230362r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must require the change of at least four character classes when passwords are changed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_difok" ownerid="RHEL-08-020170" disa="195" severity="medium">
+- <VMSinfo VKey="230363" SVKey="230363r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must require the change of at least 8 characters when passwords are changed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_set_min_life_existing" ownerid="RHEL-08-020180" disa="198" severity="medium">
+- <VMSinfo VKey="230364" SVKey="230364r6277" VRelease="r627750"/>
+- <title text="RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_minimum_age_login_defs" ownerid="RHEL-08-020190" disa="198" severity="medium">
+- <VMSinfo VKey="230365" SVKey="230365r6277" VRelease="r627750"/>
+- <title text="RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_maximum_age_login_defs" 
ownerid="RHEL-08-020200" disa="199" severity="medium">
+- <VMSinfo VKey="230366" SVKey="230366r6468" VRelease="r646878"/>
+- <title text="RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_set_max_life_existing" ownerid="RHEL-08-020210" disa="199" severity="medium">
+- <VMSinfo VKey="230367" SVKey="230367r6277" VRelease="r627750"/>
+- <title text="RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_unix_remember" ownerid="RHEL-08-020220" disa="200" severity="medium">
+- <VMSinfo VKey="230368" SVKey="230368r6277" VRelease="r627750"/>
+- <title text="RHEL 8 passwords must be prohibited from reuse for a minimum of five generations."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_minlen" ownerid="RHEL-08-020230" disa="205" severity="medium">
+- <VMSinfo VKey="230369" SVKey="230369r6277" VRelease="r627750"/>
+- <title text="RHEL 8 passwords must have a minimum of 15 characters."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_minlen_login_defs" ownerid="RHEL-08-020231" disa="205" severity="medium">
+- <VMSinfo VKey="230370" SVKey="230370r6277" VRelease="r627750"/>
+- <title text="RHEL 8 passwords for new users must have a minimum of 15 characters."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020240" disa="764" severity="medium">
+- <VMSinfo VKey="230371" SVKey="230371r6277" VRelease="r627750"/>
+- <title text="RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sssd_enable_smartcards" ownerid="RHEL-08-020250" disa="765" severity="medium">
+- <VMSinfo VKey="230372" SVKey="230372r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must implement smart card logon for 
multifactor authentication for access to interactive accounts."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="account_disable_post_pw_expiration" ownerid="RHEL-08-020260" disa="795" severity="medium">
+- <VMSinfo VKey="230373" SVKey="230373r6277" VRelease="r627750"/>
+- <title text="RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="account_temp_expire_date" ownerid="RHEL-08-020270" disa="1682" severity="medium">
+- <VMSinfo VKey="230374" SVKey="230374r6277" VRelease="r627750"/>
+- <title text="RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_ocredit" ownerid="RHEL-08-020280" disa="1619" severity="medium">
+- <VMSinfo VKey="230375" SVKey="230375r6277" VRelease="r627750"/>
+- <title text="All RHEL 8 passwords must contain at least one special character."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sssd_offline_cred_expiration" ownerid="RHEL-08-020290" disa="2007" severity="medium">
+- <VMSinfo VKey="230376" SVKey="230376r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must prohibit the use of cached authentications after one day."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_pam_retry" ownerid="RHEL-08-020300" disa="366" severity="medium">
+- <VMSinfo VKey="230377" SVKey="230377r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must prevent the use of dictionary words for passwords."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_logon_fail_delay" ownerid="RHEL-08-020310" disa="366" severity="medium">
+- <VMSinfo VKey="230378" SVKey="230378r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt."/>
+- </overlay>
+- <overlay owner="disastig" 
ruleid="package_sendmail_removed" ownerid="RHEL-08-020320" disa="366" severity="medium">
+- <VMSinfo VKey="230379" SVKey="230379r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must not have unnecessary accounts."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_empty_passwords" ownerid="RHEL-08-020330" disa="366" severity="high">
+- <VMSinfo VKey="230380" SVKey="230380r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must not have accounts configured with blank or null passwords."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="display_login_attempts" ownerid="RHEL-08-020340" disa="366" severity="low">
+- <VMSinfo VKey="230381" SVKey="230381r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must display the date and time of the last successful account logon upon logon."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_print_last_log" ownerid="RHEL-08-020350" disa="366" severity="medium">
+- <VMSinfo VKey="230382" SVKey="230382r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must display the date and time of the last successful account logon upon an SSH logon."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_umask_etc_login_defs" ownerid="RHEL-08-020351" disa="366" severity="medium">
+- <VMSinfo VKey="230383" SVKey="230383r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_umask_interactive_users" ownerid="RHEL-08-020352" disa="366" severity="medium">
+- <VMSinfo VKey="230384" SVKey="230384r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must set the umask value to 077 for all local interactive user accounts."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_umask_etc_bashrc" ownerid="RHEL-08-020353" disa="366" severity="medium">
+- <VMSinfo VKey="230385" SVKey="230385r6277" VRelease="r627750"/>
+- <title 
text="RHEL 8 must define default permissions for logon and non-logon shells."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030000" disa="2233" severity="medium">
+- <VMSinfo VKey="230386" SVKey="230386r6277" VRelease="r627750"/>
+- <title text="The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="rsyslog_cron_logging" ownerid="RHEL-08-030010" disa="366" severity="medium">
+- <VMSinfo VKey="230387" SVKey="230387r6277" VRelease="r627750"/>
+- <title text="Cron logging must be implemented in RHEL 8."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_data_retention_action_mail_acct" ownerid="RHEL-08-030020" disa="139" severity="medium">
+- <VMSinfo VKey="230388" SVKey="230388r6277" VRelease="r627750"/>
+- <title text="The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="postfix_client_configure_mail_alias" ownerid="RHEL-08-030030" disa="139" severity="medium">
+- <VMSinfo VKey="230389" SVKey="230389r6277" VRelease="r627750"/>
+- <title text="The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_data_disk_error_action" ownerid="RHEL-08-030040" disa="140" severity="medium">
+- <VMSinfo VKey="230390" SVKey="230390r6277" VRelease="r627750"/>
+- <title text="The RHEL 8 System must take appropriate action when an audit processing failure occurs."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_data_retention_max_log_file_action" ownerid="RHEL-08-030050" disa="140" severity="medium">
+- <VMSinfo VKey="230391" 
SVKey="230391r6277" VRelease="r627750"/>
+- <title text="The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_data_disk_full_action" ownerid="RHEL-08-030060" disa="140" severity="medium">
+- <VMSinfo VKey="230392" SVKey="230392r6277" VRelease="r627750"/>
+- <title text="The RHEL 8 audit system must take appropriate action when the audit storage volume is full."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030061" disa="366" severity="medium">
+- <VMSinfo VKey="230393" SVKey="230393r6277" VRelease="r627750"/>
+- <title text="The RHEL 8 audit system must audit local events."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_name_format" ownerid="RHEL-08-030062" disa="1851" severity="medium">
+- <VMSinfo VKey="230394" SVKey="230394r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must label all off-loaded audit logs before sending them to the central log server."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_log_format" ownerid="RHEL-08-030063" disa="366" severity="low">
+- <VMSinfo VKey="230395" SVKey="230395r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must resolve audit information before writing to disk."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_permissions_var_log_audit" ownerid="RHEL-08-030070" disa="162" severity="medium">
+- <VMSinfo VKey="230396" SVKey="230396r6277" VRelease="r627750"/>
+- <title text="RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_ownership_var_log_audit" ownerid="RHEL-08-030080" disa="162" severity="medium">
+- <VMSinfo VKey="230397" SVKey="230397r6277" VRelease="r627750"/>
+- <title text="RHEL 8 audit logs must be owned by root to prevent unauthorized read access."/>
+- </overlay> 
+- <overlay owner="disastig" ruleid="file_permissions_var_log_audit" ownerid="RHEL-08-030090" disa="162" severity="medium">
+- <VMSinfo VKey="230398" SVKey="230398r6277" VRelease="r627750"/>
+- <title text="RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_permissions_var_log_audit" ownerid="RHEL-08-030100" disa="162" severity="medium">
+- <VMSinfo VKey="230399" SVKey="230399r6277" VRelease="r627750"/>
+- <title text="RHEL 8 audit log directory must be owned by root to prevent unauthorized read access."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_permissions_var_log_audit" ownerid="RHEL-08-030110" disa="162" severity="medium">
+- <VMSinfo VKey="230400" SVKey="230400r6277" VRelease="r627750"/>
+- <title text="RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="directory_permissions_var_log_audit" ownerid="RHEL-08-030120" disa="162" severity="medium">
+- <VMSinfo VKey="230401" SVKey="230401r6277" VRelease="r627750"/>
+- <title text="RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_immutable" ownerid="RHEL-08-030121" disa="162" severity="medium">
+- <VMSinfo VKey="230402" SVKey="230402r6277" VRelease="r627750"/>
+- <title text="RHEL 8 audit system must protect auditing rules from unauthorized change."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_immutable_login_uids" ownerid="RHEL-08-030122" disa="162" severity="medium">
+- <VMSinfo VKey="230403" SVKey="230403r6277" VRelease="r627750"/>
+- <title text="RHEL 8 audit system must protect logon UIDs from unauthorized change."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_shadow" ownerid="RHEL-08-030130" disa="169" severity="medium">
+- <VMSinfo 
VKey="230404" SVKey="230404r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_opasswd" ownerid="RHEL-08-030140" disa="169" severity="medium">
+- <VMSinfo VKey="230405" SVKey="230405r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="RHEL-08-030150" disa="169" severity="medium">
+- <VMSinfo VKey="230406" SVKey="230406r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_gshadow" ownerid="RHEL-08-030160" disa="169" severity="medium">
+- <VMSinfo VKey="230407" SVKey="230407r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_group" ownerid="RHEL-08-030170" disa="169" severity="medium">
+- <VMSinfo VKey="230408" SVKey="230408r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030171" disa="169" severity="medium">
+- <VMSinfo VKey="230409" SVKey="230409r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must generate audit records for all account creations, modifications, 
disabling, and termination events that affect /etc/sudoers."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_sysadmin_actions" ownerid="RHEL-08-030172" disa="169" severity="medium">
+- <VMSinfo VKey="230410" SVKey="230410r6277" VRelease="r627750"/>
+- <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_audit_installed" ownerid="RHEL-08-030180" disa="169" severity="medium">
+- <VMSinfo VKey="230411" SVKey="230411r6468" VRelease="r646881"/>
+- <title text="RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030190" disa="169" severity="medium">
+- <VMSinfo VKey="230412" SVKey="230412r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030200" disa="169" severity="medium">
+- <VMSinfo VKey="230413" SVKey="230413r6277" VRelease="r627750"/>
+- <title text="The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030210" disa="169" severity="medium">
+- <VMSinfo VKey="230414" SVKey="230414r6277" VRelease="r627750"/>
+- <title text="The RHEL 8 audit system must be configured to audit any usage of the removexattr system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030220" disa="169" severity="medium">
+- <VMSinfo VKey="230415" SVKey="230415r6277" VRelease="r627750"/>
+- <title text="The RHEL 8 audit system must be configured to audit any usage of the 
lsetxattr system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030230" disa="169" severity="medium">
+- <VMSinfo VKey="230416" SVKey="230416r6277" VRelease="r627750"/>
+- <title text="The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030240" disa="169" severity="medium">
+- <VMSinfo VKey="230417" SVKey="230417r6277" VRelease="r627750"/>
+- <title text="The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030250" disa="169" severity="medium">
+- <VMSinfo VKey="230418" SVKey="230418r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030260" disa="169" severity="medium">
+- <VMSinfo VKey="230419" SVKey="230419r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030270" disa="169" severity="medium">
+- <VMSinfo VKey="230420" SVKey="230420r6277" VRelease="r627750"/>
+- <title text="The RHEL 8 audit system must be configured to audit any usage of the setxattr system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030280" disa="169" severity="medium">
+- <VMSinfo VKey="230421" SVKey="230421r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030290" disa="169" severity="medium">
+- <VMSinfo 
VKey="230422" SVKey="230422r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030300" disa="169" severity="medium">
+- <VMSinfo VKey="230423" SVKey="230423r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030301" disa="169" severity="medium">
+- <VMSinfo VKey="230424" SVKey="230424r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030302" disa="169" severity="medium">
+- <VMSinfo VKey="230425" SVKey="230425r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030310" disa="169" severity="medium">
+- <VMSinfo VKey="230426" SVKey="230426r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030311" disa="169" severity="medium">
+- <VMSinfo VKey="230427" SVKey="230427r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030312" disa="169" severity="medium">
+- <VMSinfo VKey="230428" SVKey="230428r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record."/>
+- </overlay>
+- <overlay 
owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030313" disa="169" severity="medium">
+- <VMSinfo VKey="230429" SVKey="230429r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030314" disa="169" severity="medium">
+- <VMSinfo VKey="230430" SVKey="230430r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030315" disa="169" severity="medium">
+- <VMSinfo VKey="230431" SVKey="230431r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030316" disa="169" severity="medium">
+- <VMSinfo VKey="230432" SVKey="230432r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030317" disa="169" severity="medium">
+- <VMSinfo VKey="230433" SVKey="230433r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030320" disa="169" severity="medium">
+- <VMSinfo VKey="230434" SVKey="230434r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030330" disa="169" severity="medium">
+- <VMSinfo VKey="230435" SVKey="230435r6277" VRelease="r627750"/>
+- <title text="Successful/unsuccessful uses of 
the setfacl command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030340" disa="169" severity="medium"> +- <VMSinfo VKey="230436" SVKey="230436r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030350" disa="169" severity="medium"> +- <VMSinfo VKey="230437" SVKey="230437r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030360" disa="169" severity="medium"> +- <VMSinfo VKey="230438" SVKey="230438r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030361" disa="169" severity="medium"> +- <VMSinfo VKey="230439" SVKey="230439r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030362" disa="169" severity="medium"> +- <VMSinfo VKey="230440" SVKey="230440r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030363" disa="169" severity="medium"> +- <VMSinfo VKey="230441" SVKey="230441r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" 
ownerid="RHEL-08-030364" disa="169" severity="medium"> +- <VMSinfo VKey="230442" SVKey="230442r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030365" disa="169" severity="medium"> +- <VMSinfo VKey="230443" SVKey="230443r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030370" disa="169" severity="medium"> +- <VMSinfo VKey="230444" SVKey="230444r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030380" disa="169" severity="medium"> +- <VMSinfo VKey="230445" SVKey="230445r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030390" disa="169" severity="medium"> +- <VMSinfo VKey="230446" SVKey="230446r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030400" disa="169" severity="medium"> +- <VMSinfo VKey="230447" SVKey="230447r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030410" disa="169" severity="medium"> +- <VMSinfo VKey="230448" SVKey="230448r6277" VRelease="r627750"/> +- <title 
text="Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030420" disa="169" severity="medium"> +- <VMSinfo VKey="230449" SVKey="230449r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030430" disa="169" severity="medium"> +- <VMSinfo VKey="230450" SVKey="230450r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030440" disa="169" severity="medium"> +- <VMSinfo VKey="230451" SVKey="230451r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030450" disa="169" severity="medium"> +- <VMSinfo VKey="230452" SVKey="230452r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030460" disa="169" severity="medium"> +- <VMSinfo VKey="230453" SVKey="230453r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030470" disa="169" severity="medium"> +- <VMSinfo VKey="230454" SVKey="230454r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay 
owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030480" disa="169" severity="medium"> +- <VMSinfo VKey="230455" SVKey="230455r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030490" disa="169" severity="medium"> +- <VMSinfo VKey="230456" SVKey="230456r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030500" disa="169" severity="medium"> +- <VMSinfo VKey="230457" SVKey="230457r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030510" disa="169" severity="medium"> +- <VMSinfo VKey="230458" SVKey="230458r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030520" disa="169" severity="medium"> +- <VMSinfo VKey="230459" SVKey="230459r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030530" disa="169" severity="medium"> +- <VMSinfo VKey="230460" SVKey="230460r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030540" disa="169" severity="medium"> +- <VMSinfo VKey="230461" SVKey="230461r6277" 
VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030550" disa="169" severity="medium"> +- <VMSinfo VKey="230462" SVKey="230462r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030560" disa="169" severity="medium"> +- <VMSinfo VKey="230463" SVKey="230463r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030570" disa="169" severity="medium"> +- <VMSinfo VKey="230464" SVKey="230464r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030580" disa="169" severity="medium"> +- <VMSinfo VKey="230465" SVKey="230465r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030590" disa="169" severity="medium"> +- <VMSinfo VKey="230466" SVKey="230466r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record."/> +- </overlay> +- <overlay owner="disastig" ruleid="audit_rules_login_events_lastlog" ownerid="RHEL-08-030600" disa="169" severity="medium"> +- <VMSinfo VKey="230467" SVKey="230467r6277" VRelease="r627750"/> +- <title text="Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record."/> +- 
</overlay> +- <overlay owner="disastig" ruleid="grub2_audit_argument" ownerid="RHEL-08-030601" disa="169" severity="low"> +- <VMSinfo VKey="230468" SVKey="230468r6277" VRelease="r627750"/> +- <title text="RHEL 8 must enable auditing of processes that start prior to the audit daemon."/> +- </overlay> +- <overlay owner="disastig" ruleid="grub2_audit_backlog_limit_argument" ownerid="RHEL-08-030602" disa="1849" severity="low"> +- <VMSinfo VKey="230469" SVKey="230469r6277" VRelease="r627750"/> +- <title text="RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon."/> +- </overlay> +- <overlay owner="disastig" ruleid="configure_usbguard_auditbackend" ownerid="RHEL-08-030603" disa="169" severity="low"> +- <VMSinfo VKey="230470" SVKey="230470r6277" VRelease="r627750"/> +- <title text="RHEL 8 must enable Linux audit logging for the USBGuard daemon."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030610" disa="171" severity="medium"> +- <VMSinfo VKey="230471" SVKey="230471r6277" VRelease="r627750"/> +- <title text="RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030620" disa="1493" severity="medium"> +- <VMSinfo VKey="230472" SVKey="230472r6277" VRelease="r627750"/> +- <title text="RHEL 8 audit tools must have a mode of 0755 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030630" disa="1493" severity="medium"> +- <VMSinfo VKey="230473" SVKey="230473r6277" VRelease="r627750"/> +- <title text="RHEL 8 audit tools must be owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030640" disa="1493" severity="medium"> +- <VMSinfo VKey="230474" SVKey="230474r6277" VRelease="r627750"/> +- <title text="RHEL 8 
audit tools must be group-owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030650" disa="1496" severity="medium"> +- <VMSinfo VKey="230475" SVKey="230475r6277" VRelease="r627750"/> +- <title text="RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools."/> +- </overlay> +- <overlay owner="disastig" ruleid="grub2_audit_backlog_limit_argument" ownerid="RHEL-08-030660" disa="1849" severity="medium"> +- <VMSinfo VKey="230476" SVKey="230476r6277" VRelease="r627750"/> +- <title text="RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_rsyslog_installed" ownerid="RHEL-08-030670" disa="366" severity="medium"> +- <VMSinfo VKey="230477" SVKey="230477r6277" VRelease="r627750"/> +- <title text="RHEL 8 must have the packages required for offloading audit logs installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_rsyslog-gnutls_installed" ownerid="RHEL-08-030680" disa="366" severity="medium"> +- <VMSinfo VKey="230478" SVKey="230478r6277" VRelease="r627750"/> +- <title text="RHEL 8 must have the packages required for encrypting offloaded audit logs installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-08-030690" disa="1851" severity="medium"> +- <VMSinfo VKey="230479" SVKey="230479r6277" VRelease="r627750"/> +- <title text="The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited."/> +- </overlay> +- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-08-030700" disa="1851" severity="medium"> +- <VMSinfo VKey="230480" SVKey="230480r6277" VRelease="r627750"/> +- <title text="RHEL 8 must take appropriate action when the internal event queue is full."/> +- </overlay> +- <overlay 
owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-08-030710" disa="1851" severity="medium"> +- <VMSinfo VKey="230481" SVKey="230481r6277" VRelease="r627750"/> +- <title text="RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."/> +- </overlay> +- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-08-030720" disa="1851" severity="medium"> +- <VMSinfo VKey="230482" SVKey="230482r6277" VRelease="r627750"/> +- <title text="RHEL 8 must authenticate the remote logging server for off-loading audit logs."/> +- </overlay> +- <overlay owner="disastig" ruleid="auditd_data_retention_space_left" ownerid="RHEL-08-030730" disa="1855" severity="medium"> +- <VMSinfo VKey="230483" SVKey="230483r6277" VRelease="r627750"/> +- <title text="RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity."/> +- </overlay> +- <overlay owner="disastig" ruleid="chronyd_or_ntpd_set_maxpoll" ownerid="RHEL-08-030740" disa="1891" severity="medium"> +- <VMSinfo VKey="230484" SVKey="230484r6277" VRelease="r627750"/> +- <title text="RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."/> +- </overlay> +- <overlay owner="disastig" ruleid="chronyd_client_only" ownerid="RHEL-08-030741" disa="381" severity="low"> +- <VMSinfo VKey="230485" SVKey="230485r6277" VRelease="r627750"/> +- <title text="RHEL 8 must disable the chrony daemon from acting as a server."/> +- </overlay> +- <overlay owner="disastig" ruleid="chronyd_no_chronyc_network" 
ownerid="RHEL-08-030742" disa="381" severity="low"> +- <VMSinfo VKey="230486" SVKey="230486r6277" VRelease="r627750"/> +- <title text="RHEL 8 must disable network management of the chrony daemon."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_telnet-server_removed" ownerid="RHEL-08-040000" disa="381" severity="high"> +- <VMSinfo VKey="230487" SVKey="230487r6277" VRelease="r627750"/> +- <title text="RHEL 8 must not have the telnet-server package installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_abrt_removed" ownerid="RHEL-08-040001" disa="381" severity="medium"> +- <VMSinfo VKey="230488" SVKey="230488r6277" VRelease="r627750"/> +- <title text="RHEL 8 must not have any automated bug reporting tools installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_sendmail_removed" ownerid="RHEL-08-040002" disa="381" severity="medium"> +- <VMSinfo VKey="230489" SVKey="230489r6277" VRelease="r627750"/> +- <title text="RHEL 8 must not have the sendmail package installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="grub2_pti_argument" ownerid="RHEL-08-040004" disa="381" severity="low"> +- <VMSinfo VKey="230491" SVKey="230491r6277" VRelease="r627750"/> +- <title text="RHEL 8 must enable mitigations against processor-based vulnerabilities."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_rsh-server_removed" ownerid="RHEL-08-040010" disa="381" severity="high"> +- <VMSinfo VKey="230492" SVKey="230492r6277" VRelease="r627750"/> +- <title text="RHEL 8 must not have the rsh-server package installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_sendmail_removed" ownerid="RHEL-08-040020" disa="381" severity="medium"> +- <VMSinfo VKey="230493" SVKey="230493r6277" VRelease="r627750"/> +- <title text="RHEL 8 must cover or disable the built-in or attached camera when not in use."/> +- </overlay> +- <overlay owner="disastig" ruleid="kernel_module_atm_disabled" ownerid="RHEL-08-040021" disa="381" 
severity="low"> +- <VMSinfo VKey="230494" SVKey="230494r6277" VRelease="r627750"/> +- <title text="RHEL 8 must disable the asynchronous transfer mode (ATM) protocol."/> +- </overlay> +- <overlay owner="disastig" ruleid="kernel_module_can_disabled" ownerid="RHEL-08-040022" disa="381" severity="low"> +- <VMSinfo VKey="230495" SVKey="230495r6277" VRelease="r627750"/> +- <title text="RHEL 8 must disable the controller area network (CAN) protocol."/> +- </overlay> +- <overlay owner="disastig" ruleid="kernel_module_sctp_disabled" ownerid="RHEL-08-040023" disa="381" severity="low"> +- <VMSinfo VKey="230496" SVKey="230496r6277" VRelease="r627750"/> +- <title text="RHEL 8 must disable the stream control transmission (SCTP) protocol."/> +- </overlay> +- <overlay owner="disastig" ruleid="kernel_module_tipc_disabled" ownerid="RHEL-08-040024" disa="381" severity="low"> +- <VMSinfo VKey="230497" SVKey="230497r6277" VRelease="r627750"/> +- <title text="RHEL 8 must disable the transparent inter-process communication (TIPC) protocol."/> +- </overlay> +- <overlay owner="disastig" ruleid="kernel_module_cramfs_disabled" ownerid="RHEL-08-040025" disa="381" severity="low"> +- <VMSinfo VKey="230498" SVKey="230498r6277" VRelease="r627750"/> +- <title text="RHEL 8 must disable mounting of cramfs."/> +- </overlay> +- <overlay owner="disastig" ruleid="kernel_module_firewire-core_disabled" ownerid="RHEL-08-040026" disa="381" severity="low"> +- <VMSinfo VKey="230499" SVKey="230499r6277" VRelease="r627750"/> +- <title text="RHEL 8 must disable IEEE 1394 (FireWire) Support."/> +- </overlay> +- <overlay owner="disastig" ruleid="configure_firewalld_ports" ownerid="RHEL-08-040030" disa="382" severity="medium"> +- <VMSinfo VKey="230500" SVKey="230500r6277" VRelease="r627750"/> +- <title text="RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and 
vulnerability assessments."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_autofs_disabled" ownerid="RHEL-08-040070" disa="778" severity="medium"> +- <VMSinfo VKey="230502" SVKey="230502r6277" VRelease="r627750"/> +- <title text="The RHEL 8 file system automounter must be disabled unless required."/> +- </overlay> +- <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-08-040080" disa="778" severity="medium"> +- <VMSinfo VKey="230503" SVKey="230503r6277" VRelease="r627750"/> +- <title text="RHEL 8 must be configured to disable USB mass storage."/> +- </overlay> +- <overlay owner="disastig" ruleid="configure_firewalld_ports" ownerid="RHEL-08-040090" disa="2314" severity="medium"> +- <VMSinfo VKey="230504" SVKey="230504r6277" VRelease="r627750"/> +- <title text="A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_firewalld_enabled" ownerid="RHEL-08-040100" disa="2314" severity="medium"> +- <VMSinfo VKey="230505" SVKey="230505r6277" VRelease="r627750"/> +- <title text="A firewall must be installed on RHEL 8."/> +- </overlay> +- <overlay owner="disastig" ruleid="wireless_disable_interfaces" ownerid="RHEL-08-040110" disa="1444" severity="medium"> +- <VMSinfo VKey="230506" SVKey="230506r6277" VRelease="r627750"/> +- <title text="RHEL 8 wireless network adapters must be disabled."/> +- </overlay> +- <overlay owner="disastig" ruleid="kernel_module_bluetooth_disabled" ownerid="RHEL-08-040111" disa="1443" severity="medium"> +- <VMSinfo VKey="230507" SVKey="230507r6277" VRelease="r627750"/> +- <title text="RHEL 8 Bluetooth must be disabled."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_dev_shm_nodev" ownerid="RHEL-08-040120" disa="1764" severity="medium"> +- <VMSinfo VKey="230508" SVKey="230508r6277" VRelease="r627750"/> +- <title text="RHEL 8 must mount /dev/shm with the nodev option."/> +- 
</overlay> +- <overlay owner="disastig" ruleid="mount_option_dev_shm_nosuid" ownerid="RHEL-08-040121" disa="1764" severity="medium"> +- <VMSinfo VKey="230509" SVKey="230509r6277" VRelease="r627750"/> +- <title text="RHEL 8 must mount /dev/shm with the nosuid option."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_dev_shm_noexec" ownerid="RHEL-08-040122" disa="1764" severity="medium"> +- <VMSinfo VKey="230510" SVKey="230510r6277" VRelease="r627750"/> +- <title text="RHEL 8 must mount /dev/shm with the noexec option."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_tmp_nodev" ownerid="RHEL-08-040123" disa="1764" severity="medium"> +- <VMSinfo VKey="230511" SVKey="230511r6277" VRelease="r627750"/> +- <title text="RHEL 8 must mount /tmp with the nodev option."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_tmp_nosuid" ownerid="RHEL-08-040124" disa="1764" severity="medium"> +- <VMSinfo VKey="230512" SVKey="230512r6277" VRelease="r627750"/> +- <title text="RHEL 8 must mount /tmp with the nosuid option."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_tmp_noexec" ownerid="RHEL-08-040125" disa="1764" severity="medium"> +- <VMSinfo VKey="230513" SVKey="230513r6277" VRelease="r627750"/> +- <title text="RHEL 8 must mount /tmp with the noexec option."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_var_log_nodev" ownerid="RHEL-08-040126" disa="1764" severity="medium"> +- <VMSinfo VKey="230514" SVKey="230514r6277" VRelease="r627750"/> +- <title text="RHEL 8 must mount /var/log with the nodev option."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_var_log_nosuid" ownerid="RHEL-08-040127" disa="1764" severity="medium"> +- <VMSinfo VKey="230515" SVKey="230515r6277" VRelease="r627750"/> +- <title text="RHEL 8 must mount /var/log with the nosuid option."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_var_log_noexec" ownerid="RHEL-08-040128" disa="1764" 
severity="medium"> +- <VMSinfo VKey="230516" SVKey="230516r6277" VRelease="r627750"/> +- <title text="RHEL 8 must mount /var/log with the noexec option."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_var_log_audit_nodev" ownerid="RHEL-08-040129" disa="1764" severity="medium"> +- <VMSinfo VKey="230517" SVKey="230517r6277" VRelease="r627750"/> +- <title text="RHEL 8 must mount /var/log/audit with the nodev option."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_var_log_audit_nosuid" ownerid="RHEL-08-040130" disa="1764" severity="medium"> +- <VMSinfo VKey="230518" SVKey="230518r6277" VRelease="r627750"/> +- <title text="RHEL 8 must mount /var/log/audit with the nosuid option."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_var_log_audit_noexec" ownerid="RHEL-08-040131" disa="1764" severity="medium"> +- <VMSinfo VKey="230519" SVKey="230519r6277" VRelease="r627750"/> +- <title text="RHEL 8 must mount /var/log/audit with the noexec option."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_var_tmp_nodev" ownerid="RHEL-08-040132" disa="1764" severity="medium"> +- <VMSinfo VKey="230520" SVKey="230520r6277" VRelease="r627750"/> +- <title text="RHEL 8 must mount /var/tmp with the nodev option."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_var_tmp_nosuid" ownerid="RHEL-08-040133" disa="1764" severity="medium"> +- <VMSinfo VKey="230521" SVKey="230521r6277" VRelease="r627750"/> +- <title text="RHEL 8 must mount /var/tmp with the nosuid option."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_var_tmp_noexec" ownerid="RHEL-08-040134" disa="1764" severity="medium"> +- <VMSinfo VKey="230522" SVKey="230522r6277" VRelease="r627750"/> +- <title text="RHEL 8 must mount /var/tmp with the noexec option."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_fapolicyd_enabled" ownerid="RHEL-08-040135" disa="1764" severity="medium"> +- <VMSinfo VKey="230523" 
SVKey="230523r6277" VRelease="r627750"/> +- <title text="The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_usbguard_enabled" ownerid="RHEL-08-040140" disa="1958" severity="medium"> +- <VMSinfo VKey="230524" SVKey="230524r6277" VRelease="r627750"/> +- <title text="RHEL 8 must block unauthorized peripherals before establishing a connection."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040150" disa="2385" severity="medium"> +- <VMSinfo VKey="230525" SVKey="230525r6277" VRelease="r627750"/> +- <title text="A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_sshd_enabled" ownerid="RHEL-08-040160" disa="2418" severity="medium"> +- <VMSinfo VKey="230526" SVKey="230526r6277" VRelease="r627750"/> +- <title text="All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_rekey_limit" ownerid="RHEL-08-040161" disa="68" severity="medium"> +- <VMSinfo VKey="230527" SVKey="230527r6277" VRelease="r627750"/> +- <title text="RHEL 8 must force a frequent session key renegotiation for SSH connections to the server."/> +- </overlay> +- <overlay owner="disastig" ruleid="ssh_client_rekey_limit" ownerid="RHEL-08-040162" disa="68" severity="medium"> +- <VMSinfo VKey="230528" SVKey="230528r6277" VRelease="r627750"/> +- <title text="RHEL 8 must force a frequent session key renegotiation for SSH connections by the client."/> +- </overlay> +- <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" 
ownerid="RHEL-08-040170" disa="366" severity="high"> +- <VMSinfo VKey="230529" SVKey="230529r6277" VRelease="r627750"/> +- <title text="The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8."/> +- </overlay> +- <overlay owner="disastig" ruleid="dconf_gnome_disable_ctrlaltdel_reboot" ownerid="RHEL-08-040171" disa="366" severity="high"> +- <VMSinfo VKey="230530" SVKey="230530r6468" VRelease="r646883"/> +- <title text="The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="disable_ctrlaltdel_burstaction" ownerid="RHEL-08-040172" disa="366" severity="high"> +- <VMSinfo VKey="230531" SVKey="230531r6277" VRelease="r627750"/> +- <title text="The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_debug-shell_disabled" ownerid="RHEL-08-040180" disa="366" severity="medium"> +- <VMSinfo VKey="230532" SVKey="230532r6277" VRelease="r627750"/> +- <title text="The debug-shell systemd service must be disabled on RHEL 8."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_tftp-server_removed" ownerid="RHEL-08-040190" disa="366" severity="high"> +- <VMSinfo VKey="230533" SVKey="230533r6277" VRelease="r627750"/> +- <title text="The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_no_uid_except_zero" ownerid="RHEL-08-040200" disa="366" severity="high"> +- <VMSinfo VKey="230534" SVKey="230534r6277" VRelease="r627750"/> +- <title text="The root account must be the only account having unrestricted access to the RHEL 8 system."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_default_accept_redirects" ownerid="RHEL-08-040210" disa="366" severity="medium"> +- <VMSinfo VKey="230535" SVKey="230535r6277" VRelease="r627750"/> +- 
<title text="RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_send_redirects" ownerid="RHEL-08-040220" disa="366" severity="medium"> +- <VMSinfo VKey="230536" SVKey="230536r6277" VRelease="r627750"/> +- <title text="RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" ownerid="RHEL-08-040230" disa="366" severity="medium"> +- <VMSinfo VKey="230537" SVKey="230537r6277" VRelease="r627750"/> +- <title text="RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_source_route" ownerid="RHEL-08-040240" disa="366" severity="medium"> +- <VMSinfo VKey="230538" SVKey="230538r6277" VRelease="r627750"/> +- <title text="RHEL 8 must not forward source-routed packets."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_default_accept_source_route" ownerid="RHEL-08-040250" disa="366" severity="medium"> +- <VMSinfo VKey="230539" SVKey="230539r6277" VRelease="r627750"/> +- <title text="RHEL 8 must not forward source-routed packets by default."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv4_ip_forward" ownerid="RHEL-08-040260" disa="366" severity="medium"> +- <VMSinfo VKey="230540" SVKey="230540r6277" VRelease="r627750"/> +- <title text="RHEL 8 must not be performing packet forwarding unless the system is a router."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_ra" ownerid="RHEL-08-040261" disa="366" severity="medium"> +- <VMSinfo VKey="230541" SVKey="230541r6277" VRelease="r627750"/> +- <title text="RHEL 8 must not accept router advertisements on all IPv6 interfaces."/> +- </overlay> +- <overlay owner="disastig" 
ruleid="sysctl_net_ipv6_conf_default_accept_ra" ownerid="RHEL-08-040262" disa="366" severity="medium"> +- <VMSinfo VKey="230542" SVKey="230542r6277" VRelease="r627750"/> +- <title text="RHEL 8 must not accept router advertisements on all IPv6 interfaces by default."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_send_redirects" ownerid="RHEL-08-040270" disa="366" severity="medium"> +- <VMSinfo VKey="230543" SVKey="230543r6277" VRelease="r627750"/> +- <title text="RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_redirects" ownerid="RHEL-08-040280" disa="366" severity="medium"> +- <VMSinfo VKey="230544" SVKey="230544r6277" VRelease="r627750"/> +- <title text="RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_kernel_unprivileged_bpf_disabled" ownerid="RHEL-08-040281" disa="366" severity="medium"> +- <VMSinfo VKey="230545" SVKey="230545r6277" VRelease="r627750"/> +- <title text="RHEL 8 must disable access to network bpf syscall from unprivileged processes."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_kernel_yama_ptrace_scope" ownerid="RHEL-08-040282" disa="366" severity="medium"> +- <VMSinfo VKey="230546" SVKey="230546r6277" VRelease="r627750"/> +- <title text="RHEL 8 must restrict usage of ptrace to descendant processes."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_kernel_kptr_restrict" ownerid="RHEL-08-040283" disa="366" severity="medium"> +- <VMSinfo VKey="230547" SVKey="230547r6277" VRelease="r627750"/> +- <title text="RHEL 8 must restrict exposed kernel pointer addresses access."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_user_max_user_namespaces" ownerid="RHEL-08-040284" disa="366" severity="medium"> +- <VMSinfo VKey="230548" SVKey="230548r6277" 
VRelease="r627750"/> +- <title text="RHEL 8 must disable the use of user namespaces."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_rp_filter" ownerid="RHEL-08-040285" disa="366" severity="medium"> +- <VMSinfo VKey="230549" SVKey="230549r6277" VRelease="r627750"/> +- <title text="RHEL 8 must use reverse path filtering on all IPv4 interfaces."/> +- </overlay> +- <overlay owner="disastig" ruleid="postfix_prevent_unrestricted_relay" ownerid="RHEL-08-040290" disa="366" severity="medium"> +- <VMSinfo VKey="230550" SVKey="230550r6277" VRelease="r627750"/> +- <title text="RHEL 8 must be configured to prevent unrestricted mail relaying."/> +- </overlay> +- <overlay owner="disastig" ruleid="aide_verify_ext_attributes" ownerid="RHEL-08-040300" disa="366" severity="low"> +- <VMSinfo VKey="230551" SVKey="230551r6277" VRelease="r627750"/> +- <title text="The RHEL 8 file integrity tool must be configured to verify extended attributes."/> +- </overlay> +- <overlay owner="disastig" ruleid="aide_verify_acls" ownerid="RHEL-08-040310" disa="366" severity="low"> +- <VMSinfo VKey="230552" SVKey="230552r6277" VRelease="r627750"/> +- <title text="The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs)."/> +- </overlay> +- <overlay owner="disastig" ruleid="xwindows_remove_packages" ownerid="RHEL-08-040320" disa="366" severity="medium"> +- <VMSinfo VKey="230553" SVKey="230553r6468" VRelease="r646886"/> +- <title text="The graphical display manager must not be installed on RHEL 8 unless approved."/> +- </overlay> +- <overlay owner="disastig" ruleid="network_sniffer_disabled" ownerid="RHEL-08-040330" disa="366" severity="medium"> +- <VMSinfo VKey="230554" SVKey="230554r6277" VRelease="r627750"/> +- <title text="RHEL 8 network interfaces must not be in promiscuous mode."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_x11_forwarding" ownerid="RHEL-08-040340" disa="366" severity="medium"> +- <VMSinfo 
VKey="230555" SVKey="230555r6277" VRelease="r627750"/> +- <title text="RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_x11_use_localhost" ownerid="RHEL-08-040341" disa="366" severity="medium"> +- <VMSinfo VKey="230556" SVKey="230556r6277" VRelease="r627750"/> +- <title text="The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display."/> +- </overlay> +- <overlay owner="disastig" ruleid="tftpd_uses_secure_mode" ownerid="RHEL-08-040350" disa="366" severity="medium"> +- <VMSinfo VKey="230557" SVKey="230557r6277" VRelease="r627750"/> +- <title text="If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_vsftpd_removed" ownerid="RHEL-08-040360" disa="366" severity="high"> +- <VMSinfo VKey="230558" SVKey="230558r6277" VRelease="r627750"/> +- <title text="A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_gssproxy_removed" ownerid="RHEL-08-040370" disa="381" severity="medium"> +- <VMSinfo VKey="230559" SVKey="230559r6468" VRelease="r646887"/> +- <title text="The gssproxy package must not be installed unless mission essential on RHEL 8."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_iprutils_removed" ownerid="RHEL-08-040380" disa="366" severity="medium"> +- <VMSinfo VKey="230560" SVKey="230560r6277" VRelease="r627750"/> +- <title text="The iprutils package must not be installed unless mission essential on RHEL 8."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_tuned_removed" ownerid="RHEL-08-040390" disa="366" severity="medium"> +- <VMSinfo VKey="230561" SVKey="230561r6277" VRelease="r627750"/> +- <title text="The tuned package 
must not be installed unless mission essential on RHEL 8."/> +- </overlay> +-</overlays> +diff --git a/products/sle12/overlays/stig_overlay.xml b/products/sle12/overlays/stig_overlay.xml +deleted file mode 100644 +index 7de78806ce2..00000000000 +--- a/products/sle12/overlays/stig_overlay.xml ++++ /dev/null +@@ -1,811 +0,0 @@ +-<?xml version="1.0" encoding="UTF-8"?> +-<overlays xmlns="http://checklists.nist.gov/xccdf/1.1"> +- <overlay owner="disastig" ruleid="installed_OS_is_vendor_supported" ownerid="SLES-12-010000" disa="1230" severity="high"> +- <VMSinfo VKey="217101" SVKey="217101r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must be a vendor-supported release."/> +- </overlay> +- <overlay owner="disastig" ruleid="security_patches_up_to_date" ownerid="SLES-12-010010" disa="1227" severity="medium"> +- <VMSinfo VKey="217102" SVKey="217102r6032" VRelease="r603262"/> +- <title text="Vendor-packaged SUSE operating system security patches and updates must be installed and up to date."/> +- </overlay> +- <overlay owner="disastig" ruleid="gui_login_dod_acknowledgement" ownerid="SLES-12-010020" disa="50" severity="medium"> +- <VMSinfo VKey="217103" SVKey="217103r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface."/> +- </overlay> +- <overlay owner="disastig" ruleid="banner_etc_issue" ownerid="SLES-12-010030" disa="48" severity="medium"> +- <VMSinfo VKey="217104" SVKey="217104r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via local console."/> +- </overlay> +- <overlay owner="disastig" ruleid="dconf_gnome_banner_enabled" ownerid="SLES-12-010040" disa="1388" severity="medium"> +- <VMSinfo VKey="217105" SVKey="217105r6032" 
VRelease="r603262"/> +- <title text="The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon."/> +- </overlay> +- <overlay owner="disastig" ruleid="dconf_gnome_login_banner_text" ownerid="SLES-12-010050" disa="1384" severity="medium"> +- <VMSinfo VKey="217106" SVKey="217106r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-12-010060" disa="60" severity="medium"> +- <VMSinfo VKey="217107" SVKey="217107r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must be able to lock the graphical user interface (GUI)."/> +- </overlay> +- <overlay owner="disastig" ruleid="vlock_installed" ownerid="SLES-12-010070" disa="58" severity="low"> +- <VMSinfo VKey="217108" SVKey="217108r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must utilize vlock to allow for session locking."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_tmout" ownerid="SLES-12-010080" disa="57" severity="medium"> +- <VMSinfo VKey="217109" SVKey="217109r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_tmout" ownerid="SLES-12-010090" disa="57" severity="medium"> +- <VMSinfo VKey="217110" SVKey="217110r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must initiate a session lock after a 15-minute period of inactivity."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-12-010100" disa="60" severity="low"> +- <VMSinfo VKey="217111" SVKey="217111r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must conceal, via the session 
lock, information previously visible on the display with a publicly viewable image in the graphical user interface."/> +- </overlay> +- <overlay owner="disastig" ruleid="sudo_remove_no_authenticate" ownerid="SLES-12-010110" disa="2038" severity="high"> +- <VMSinfo VKey="217112" SVKey="217112r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_max_concurrent_login_sessions" ownerid="SLES-12-010120" disa="54" severity="low"> +- <VMSinfo VKey="217113" SVKey="217113r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_passwords_pam_tally2" ownerid="SLES-12-010130" disa="44" severity="medium"> +- <VMSinfo VKey="217114" SVKey="217114r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must lock an account after three consecutive invalid access attempts."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_logon_fail_delay" ownerid="SLES-12-010140" disa="366" severity="medium"> +- <VMSinfo VKey="217116" SVKey="217116r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must enforce a delay of at least four (4) seconds between logon prompts following a failed logon attempt."/> +- </overlay> +- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_ucredit" ownerid="SLES-12-010150" disa="192" severity="medium"> +- <VMSinfo VKey="217117" SVKey="217117r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must enforce passwords that contain at least one upper-case character."/> +- </overlay> +- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_lcredit" ownerid="SLES-12-010160" disa="193" severity="medium"> +- <VMSinfo VKey="217118" SVKey="217118r6032" 
VRelease="r603262"/> +- <title text="The SUSE operating system must enforce passwords that contain at least one lower-case character."/> +- </overlay> +- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_dcredit" ownerid="SLES-12-010170" disa="194" severity="medium"> +- <VMSinfo VKey="217119" SVKey="217119r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must enforce passwords that contain at least one numeric character."/> +- </overlay> +- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_ocredit" ownerid="SLES-12-010180" disa="1619" severity="medium"> +- <VMSinfo VKey="217120" SVKey="217120r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must enforce passwords that contain at least one special character."/> +- </overlay> +- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_difok" ownerid="SLES-12-010190" disa="195" severity="medium"> +- <VMSinfo VKey="217121" SVKey="217121r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must require the change of at least eight (8) of the total number of characters when passwords are changed."/> +- </overlay> +- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_logindefs" ownerid="SLES-12-010210" disa="803" severity="medium"> +- <VMSinfo VKey="217122" SVKey="217122r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs)."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_all_shadowed_sha512" ownerid="SLES-12-010220" disa="196" severity="medium"> +- <VMSinfo VKey="217123" SVKey="217123r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords."/> +- </overlay> +- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_systemauth" ownerid="SLES-12-010230" disa="803" 
severity="medium"> +- <VMSinfo VKey="217124" SVKey="217124r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords."/> +- </overlay> +- <overlay owner="disastig" ruleid="no_empty_passwords" ownerid="SLES-12-010231" disa="366" severity="medium"> +- <VMSinfo VKey="217125" SVKey="217125r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must not be configured to allow blank or null passwords."/> +- </overlay> +- <overlay owner="disastig" ruleid="set_password_hashing_min_rounds_logindefs" ownerid="SLES-12-010240" disa="803" severity="medium"> +- <VMSinfo VKey="217126" SVKey="217126r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords."/> +- </overlay> +- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_minlen" ownerid="SLES-12-010250" disa="205" severity="medium"> +- <VMSinfo VKey="217127" SVKey="217127r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must employ passwords with a minimum of 15 characters."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_set_min_life_existing" ownerid="SLES-12-010260" disa="198" severity="medium"> +- <VMSinfo VKey="217128" SVKey="217128r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (1 day)."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_minimum_age_login_defs" ownerid="SLES-12-010270" disa="198" severity="medium"> +- <VMSinfo VKey="217129" SVKey="217129r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (1 day)."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_maximum_age_login_defs" ownerid="SLES-12-010280" 
disa="199" severity="medium"> +- <VMSinfo VKey="217130" SVKey="217130r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_set_max_life_existing" ownerid="SLES-12-010290" disa="199" severity="medium"> +- <VMSinfo VKey="217131" SVKey="217131r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must employ user passwords with a maximum lifetime of 60 days."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_etc_security_opasswd" ownerid="SLES-12-010300" disa="200" severity="medium"> +- <VMSinfo VKey="217132" SVKey="217132r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must employ a password history file."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_password_pam_pwhistory_remember" ownerid="SLES-12-010310" disa="200" severity="medium"> +- <VMSinfo VKey="217133" SVKey="217133r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must not allow passwords to be reused for a minimum of five (5) generations."/> +- </overlay> +- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_retry" ownerid="SLES-12-010320" disa="366" severity="medium"> +- <VMSinfo VKey="217134" SVKey="217134r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must prevent the use of dictionary words for passwords."/> +- </overlay> +- <overlay owner="disastig" ruleid="account_emergency_admin" ownerid="SLES-12-010330" disa="1682" severity="medium"> +- <VMSinfo VKey="217135" SVKey="217135r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must never automatically remove or disable emergency administrator accounts."/> +- </overlay> +- <overlay owner="disastig" ruleid="account_disable_post_pw_expiration" ownerid="SLES-12-010340" disa="795" severity="medium"> +- <VMSinfo VKey="217136" SVKey="217136r6032" 
VRelease="r603262"/> +- <title text="The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration."/> +- </overlay> +- <overlay owner="disastig" ruleid="account_temp_expire_date" ownerid="SLES-12-010360" disa="16" severity="medium"> +- <VMSinfo VKey="217137" SVKey="217137r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must provision temporary accounts with an expiration date for 72 hours."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_passwords_pam_faildelay_delay" ownerid="SLES-12-010370" disa="366" severity="medium"> +- <VMSinfo VKey="217138" SVKey="217138r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt."/> +- </overlay> +- <overlay owner="disastig" ruleid="gnome_gdm_disable_automatic_login" ownerid="SLES-12-010380" disa="366" severity="high"> +- <VMSinfo VKey="217139" SVKey="217139r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must not allow unattended or automatic logon via the graphical user interface."/> +- </overlay> +- <overlay owner="disastig" ruleid="display_login_attempts" ownerid="SLES-12-010390" disa="366" severity="low"> +- <VMSinfo VKey="217140" SVKey="217140r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must display the date and time of the last successful account logon upon logon."/> +- </overlay> +- <overlay owner="disastig" ruleid="no_user_host_based_files" ownerid="SLES-12-010400" disa="366" severity="high"> +- <VMSinfo VKey="217141" SVKey="217141r6032" VRelease="r603262"/> +- <title text="There must be no .shosts files on the SUSE operating system."/> +- </overlay> +- <overlay owner="disastig" ruleid="no_host_based_files" ownerid="SLES-12-010410" disa="366" severity="high"> +- <VMSinfo VKey="217142" SVKey="217142r6032" VRelease="r603262"/> +- <title 
text="There must be no shosts.equiv files on the SUSE operating system."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-12-010420" disa="2450" severity="medium"> +- <VMSinfo VKey="217143" SVKey="217143r6032" VRelease="r603262"/> +- <title text="FIPS 140-2 mode must be enabled on the SUSE operating system."/> +- </overlay> +- <overlay owner="disastig" ruleid="grub2_password" ownerid="SLES-12-010430" disa="213" severity="medium"> +- <VMSinfo VKey="217144" SVKey="217144r6032" VRelease="r603262"/> +- <title text="SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes."/> +- </overlay> +- <overlay owner="disastig" ruleid="grub2_uefi_password" ownerid="SLES-12-010440" disa="213" severity="medium"> +- <VMSinfo VKey="217145" SVKey="217145r6032" VRelease="r603262"/> +- <title text="SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance."/> +- </overlay> +- <overlay owner="disastig" ruleid="encrypt_partitions" ownerid="SLES-12-010450" disa="2475" severity="medium"> +- <VMSinfo VKey="217146" SVKey="217146r6032" VRelease="r603262"/> +- <title text="All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection."/> +- </overlay> +- <overlay owner="disastig" ruleid="dir_perms_world_writable_sticky_bits" ownerid="SLES-12-010460" disa="1090" severity="medium"> +- <VMSinfo VKey="217147" SVKey="217147r6032" VRelease="r603262"/> +- <title text="The sticky bit must be set on all SUSE operating system world-writable directories."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_aide_installed" ownerid="SLES-12-010500" disa="1744" severity="medium"> +- <VMSinfo VKey="217148" SVKey="217148r6032" VRelease="r603262"/> +- <title 
text="Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly."/> +- </overlay> +- <overlay owner="disastig" ruleid="aide_scan_notification" ownerid="SLES-12-010510" disa="2702" severity="medium"> +- <VMSinfo VKey="217149" SVKey="217149r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must notify the System Administrator (SA) when AIDE discovers anomalies in the operation of any security functions."/> +- </overlay> +- <overlay owner="disastig" ruleid="aide_verify_acls" ownerid="SLES-12-010520" disa="366" severity="low"> +- <VMSinfo VKey="217150" SVKey="217150r6032" VRelease="r603262"/> +- <title text="The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs)."/> +- </overlay> +- <overlay owner="disastig" ruleid="aide_verify_ext_attributes" ownerid="SLES-12-010530" disa="366" severity="low"> +- <VMSinfo VKey="217151" SVKey="217151r6032" VRelease="r603262"/> +- <title text="The SUSE operating system file integrity tool must be configured to verify extended attributes."/> +- </overlay> +- <overlay owner="disastig" ruleid="aide_check_audit_tools" ownerid="SLES-12-010540" disa="1496" severity="medium"> +- <VMSinfo VKey="217152" SVKey="217152r6032" VRelease="r603262"/> +- <title text="The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools."/> +- </overlay> +- <overlay owner="disastig" ruleid="ensure_gpgcheck_globally_activated" ownerid="SLES-12-010550" disa="1749" severity="medium"> +- <VMSinfo VKey="217153" SVKey="217153r6032" VRelease="r603262"/> +- <title text="The SUSE operating system tool zypper must have gpgcheck enabled."/> +- </overlay> +- <overlay owner="disastig" ruleid="clean_components_post_updating" ownerid="SLES-12-010570" disa="2617" severity="medium"> +- <VMSinfo VKey="217154" SVKey="217154r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must remove 
all outdated software components after updated versions have been installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="SLES-12-010580" disa="1958" severity="medium"> +- <VMSinfo VKey="217155" SVKey="217155r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must disable the USB mass storage kernel module."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_autofs_disabled" ownerid="SLES-12-010590" disa="1958" severity="medium"> +- <VMSinfo VKey="217156" SVKey="217156r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must disable the file system automounter unless required."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_MFEhiplsm_installed" ownerid="SLES-12-010599" disa="1233" severity="medium"> +- <VMSinfo VKey="222385" SVKey="222385r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must have a host-based intrusion detection tool installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-12-010600" disa="2235" severity="medium"> +- <VMSinfo VKey="217158" SVKey="217158r6032" VRelease="r603262"/> +- <title text="The SUSE operating system Apparmor tool must be configured to control whitelisted applications and user home directory access control."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-12-010610" disa="366" severity="high"> +- <VMSinfo VKey="217159" SVKey="217159r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence."/> +- </overlay> +- <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" ownerid="SLES-12-010611" disa="366" severity="high"> +- <VMSinfo VKey="217160" SVKey="217160r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces."/> +- </overlay> +- <overlay owner="disastig" 
ruleid="accounts_umask_etc_login_defs" ownerid="SLES-12-010620" disa="366" severity="medium"> +- <VMSinfo VKey="217161" SVKey="217161r6032" VRelease="r603262"/> +- <title text="The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_authorized_local_users" ownerid="SLES-12-010630" disa="366" severity="medium"> +- <VMSinfo VKey="217162" SVKey="217162r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must not have unnecessary accounts."/> +- </overlay> +- <overlay owner="disastig" ruleid="account_unique_id" ownerid="SLES-12-010640" disa="764" severity="medium"> +- <VMSinfo VKey="217163" SVKey="217163r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_no_uid_except_zero" ownerid="SLES-12-010650" disa="366" severity="high"> +- <VMSinfo VKey="217164" SVKey="217164r6032" VRelease="r603262"/> +- <title text="The SUSE operating system root account must be the only account having unrestricted access to the system."/> +- </overlay> +- <overlay owner="disastig" ruleid="sssd_memcache_timeout" ownerid="SLES-12-010670" disa="2007" severity="medium"> +- <VMSinfo VKey="217166" SVKey="217166r6032" VRelease="r603262"/> +- <title text="If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the use of cached authentications after one day."/> +- </overlay> +- <overlay owner="disastig" ruleid="sssd_offline_cred_expiration" ownerid="SLES-12-010680" disa="2007" severity="medium"> +- <VMSinfo VKey="217167" SVKey="217167r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day."/> +- </overlay> +- 
<overlay owner="disastig" ruleid="no_files_unowned_by_user" ownerid="SLES-12-010690" disa="2165" severity="medium"> +- <VMSinfo VKey="217168" SVKey="217168r6032" VRelease="r603262"/> +- <title text="All SUSE operating system files and directories must have a valid owner."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permissions_ungroupowned" ownerid="SLES-12-010700" disa="2165" severity="medium"> +- <VMSinfo VKey="217169" SVKey="217169r6032" VRelease="r603262"/> +- <title text="All SUSE operating system files and directories must have a valid group owner."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_defined" ownerid="SLES-12-010710" disa="366" severity="medium"> +- <VMSinfo VKey="217170" SVKey="217170r6038" VRelease="r603883"/> +- <title text="All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_have_homedir_login_defs" ownerid="SLES-12-010720" disa="366" severity="medium"> +- <VMSinfo VKey="217171" SVKey="217171r6032" VRelease="r603262"/> +- <title text="All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_exists" ownerid="SLES-12-010730" disa="366" severity="medium"> +- <VMSinfo VKey="217172" SVKey="217172r6038" VRelease="r603885"/> +- <title text="All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permissions_home_directories" ownerid="SLES-12-010740" disa="366" severity="medium"> +- <VMSinfo VKey="217173" SVKey="217173r6038" VRelease="r603887"/> +- <title text="All SUSE operating system local interactive user home directories must have mode 0750 or less permissive."/> +- </overlay> +- <overlay owner="disastig" 
ruleid="file_groupownership_home_directories" ownerid="SLES-12-010750" disa="366" severity="medium"> +- <VMSinfo VKey="217174" SVKey="217174r6038" VRelease="r603889"/> +- <title text="All SUSE operating system local interactive user home directories must be group-owned by the home directory owners primary group."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permission_user_init_files" ownerid="SLES-12-010760" disa="366" severity="medium"> +- <VMSinfo VKey="217175" SVKey="217175r6032" VRelease="r603262"/> +- <title text="All SUSE operating system local initialization files must have mode 0740 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_user_home_paths_only" ownerid="SLES-12-010770" disa="366" severity="medium"> +- <VMSinfo VKey="217176" SVKey="217176r6032" VRelease="r603262"/> +- <title text="All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_user_dot_no_world_writable_programs" ownerid="SLES-12-010780" disa="366" severity="medium"> +- <VMSinfo VKey="217177" SVKey="217177r6032" VRelease="r603262"/> +- <title text="All SUSE operating system local initialization files must not execute world-writable programs."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_home_nosuid" ownerid="SLES-12-010790" disa="366" severity="medium"> +- <VMSinfo VKey="217178" SVKey="217178r6038" VRelease="r603891"/> +- <title text="SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_nosuid_removable_partitions" ownerid="SLES-12-010800" disa="366" severity="medium"> +- <VMSinfo VKey="217179" SVKey="217179r6032" VRelease="r603262"/> +- <title text="SUSE operating system file systems that 
are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_nosuid_remote_filesystems" ownerid="SLES-12-010810" disa="366" severity="medium"> +- <VMSinfo VKey="217180" SVKey="217180r6032" VRelease="r603262"/> +- <title text="SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed."/> +- </overlay> +- <overlay owner="disastig" ruleid="mount_option_noexec_remote_filesystems" ownerid="SLES-12-010820" disa="366" severity="medium"> +- <VMSinfo VKey="217181" SVKey="217181r6032" VRelease="r603262"/> +- <title text="SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed."/> +- </overlay> +- <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned_group" ownerid="SLES-12-010830" disa="366" severity="medium"> +- <VMSinfo VKey="217182" SVKey="217182r6032" VRelease="r603262"/> +- <title text="All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_kdump_disabled" ownerid="SLES-12-010840" disa="366" severity="medium"> +- <VMSinfo VKey="217183" SVKey="217183r6032" VRelease="r603262"/> +- <title text="SUSE operating system kernel core dumps must be disabled unless needed."/> +- </overlay> +- <overlay owner="disastig" ruleid="partition_for_home" ownerid="SLES-12-010850" disa="366" severity="low"> +- <VMSinfo VKey="217184" SVKey="217184r6038" VRelease="r603893"/> +- <title text="A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent)."/> +- </overlay> +- <overlay owner="disastig" ruleid="partition_for_var" ownerid="SLES-12-010860" disa="366" 
severity="low"> +- <VMSinfo VKey="217185" SVKey="217185r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must use a separate file system for /var."/> +- </overlay> +- <overlay owner="disastig" ruleid="partition_for_var_log_audit" ownerid="SLES-12-010870" disa="366" severity="low"> +- <VMSinfo VKey="217186" SVKey="217186r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must use a separate file system for the system audit data path."/> +- </overlay> +- <overlay owner="disastig" ruleid="run_chkstat" ownerid="SLES-12-010880" disa="1499" severity="medium"> +- <VMSinfo VKey="217187" SVKey="217187r6032" VRelease="r603262"/> +- <title text="SUSE operating system commands and libraries must have the proper permissions to protect from unauthorized access."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permissions_var_log_messages" ownerid="SLES-12-010890" disa="1314" severity="medium"> +- <VMSinfo VKey="217188" SVKey="217188r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must prevent unauthorized users from accessing system error messages."/> +- </overlay> +- <overlay owner="disastig" ruleid="pam_disable_automatic_configuration" ownerid="SLES-12-010910" disa="366" severity="medium"> +- <VMSinfo VKey="217189" SVKey="217189r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_audit_installed" ownerid="SLES-12-020000" disa="1914" severity="medium"> +- <VMSinfo VKey="217190" SVKey="217190r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must have the auditing package installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="SLES-12-020010" disa="2884" severity="medium"> +- <VMSinfo VKey="217191" SVKey="217191r6032" VRelease="r603262"/> +- <title text="SUSE 
operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_audispd_configure_sufficiently_large_partition" ownerid="SLES-12-020020" disa="1849" severity="medium">
+- <VMSinfo VKey="217192" SVKey="217192r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_data_retention_space_left" ownerid="SLES-12-020030" disa="1855" severity="medium">
+- <VMSinfo VKey="217193" SVKey="217193r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_data_retention_action_mail_acct" ownerid="SLES-12-020040" disa="139" severity="medium">
+- <VMSinfo VKey="217194" SVKey="217194r6032" VRelease="r603262"/>
+- <title text="The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="postfix_client_configure_mail_alias" ownerid="SLES-12-020050" disa="139" severity="medium">
+- <VMSinfo VKey="217195" SVKey="217195r6032" VRelease="r603262"/>
+- <title text="The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_data_disk_full_action" ownerid="SLES-12-020060" disa="140" severity="medium">
+- 
<VMSinfo VKey="217196" SVKey="217196r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system audit system must take appropriate action when the audit storage volume is full."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_audit-audispd-plugins_installed" ownerid="SLES-12-020070" disa="1851" severity="medium">
+- <VMSinfo VKey="217197" SVKey="217197r6032" VRelease="r603262"/>
+- <title text="The audit-audispd-plugins must be installed on the SUSE operating system."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="SLES-12-020080" disa="1851" severity="low">
+- <VMSinfo VKey="217198" SVKey="217198r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system audit event multiplexor must be configured to use Kerberos."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="SLES-12-020090" disa="1851" severity="low">
+- <VMSinfo VKey="217199" SVKey="217199r6032" VRelease="r603262"/>
+- <title text="Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_audispd_network_failure_action" ownerid="SLES-12-020100" disa="1851" severity="medium">
+- <VMSinfo VKey="217200" SVKey="217200r6032" VRelease="r603262"/>
+- <title text="The audit system must take appropriate action when the network cannot be used to off-load audit records."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_audispd_disk_full_action" ownerid="SLES-12-020110" disa="1851" severity="medium">
+- <VMSinfo VKey="217201" SVKey="217201r6032" VRelease="r603262"/>
+- <title text="Audispd must take appropriate action when the SUSE operating system audit storage is full."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="permissions_local_var_log_audit" ownerid="SLES-12-020120" disa="164" severity="medium">
+- <VMSinfo VKey="217202" SVKey="217202r6032" 
VRelease="r603262"/>
+- <title text="The SUSE operating system must protect audit rules from unauthorized modification."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="permissions_local_audit_binaries" ownerid="SLES-12-020130" disa="1495" severity="medium">
+- <VMSinfo VKey="217203" SVKey="217203r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_enable_syscall_auditing" ownerid="SLES-12-020199" disa="366" severity="medium">
+- <VMSinfo VKey="217204" SVKey="217204r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must not disable syscall auditing"/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="SLES-12-020200" disa="2132" severity="medium">
+- <VMSinfo VKey="217205" SVKey="217205r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_group" ownerid="SLES-12-020210" disa="2130" severity="medium">
+- <VMSinfo VKey="217206" SVKey="217206r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_shadow" ownerid="SLES-12-020220" disa="2132" severity="medium">
+- <VMSinfo VKey="217207" SVKey="217207r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."/>
+- </overlay>
+- <overlay owner="disastig" 
ruleid="audit_rules_usergroup_modification_opasswd" ownerid="SLES-12-020230" disa="2130" severity="medium">
+- <VMSinfo VKey="217208" SVKey="217208r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_suid_privilege_function" ownerid="SLES-12-020240" disa="1882" severity="low">
+- <VMSinfo VKey="217209" SVKey="217209r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the privileged functions."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_su" ownerid="SLES-12-020250" disa="2884" severity="medium">
+- <VMSinfo VKey="217210" SVKey="217210r6038" VRelease="r603896"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the su command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-12-020260" disa="2884" severity="low">
+- <VMSinfo VKey="217211" SVKey="217211r6038" VRelease="r603899"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the sudo command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chfn" ownerid="SLES-12-020280" disa="2884" severity="low">
+- <VMSinfo VKey="217212" SVKey="217212r6039" VRelease="r603902"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the chfn command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_mount" ownerid="SLES-12-020290" disa="2884" severity="low">
+- <VMSinfo VKey="217213" SVKey="217213r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the mount command."/>
+- </overlay>
+- <overlay owner="disastig" 
ruleid="audit_rules_privileged_commands_umount" ownerid="SLES-12-020300" disa="2884" severity="low">
+- <VMSinfo VKey="217214" SVKey="217214r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the umount command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_ssh_agent" ownerid="SLES-12-020310" disa="2884" severity="low">
+- <VMSinfo VKey="217215" SVKey="217215r6039" VRelease="r603905"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the ssh-agent command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_ssh_keysign" ownerid="SLES-12-020320" disa="2884" severity="low">
+- <VMSinfo VKey="217216" SVKey="217216r6039" VRelease="r603908"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the ssh-keysign command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_kmod" ownerid="SLES-12-020360" disa="2884" severity="medium">
+- <VMSinfo VKey="217217" SVKey="217217r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the kmod command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_dac_modification_setxattr" ownerid="SLES-12-020370" disa="2884" severity="medium">
+- <VMSinfo VKey="217218" SVKey="217218r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the setxattr command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fsetxattr" ownerid="SLES-12-020380" disa="2884" severity="medium">
+- <VMSinfo VKey="217219" SVKey="217219r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the fsetxattr command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_dac_modification_removexattr" 
ownerid="SLES-12-020390" disa="2884" severity="medium">
+- <VMSinfo VKey="217220" SVKey="217220r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the removexattr command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_dac_modification_lremovexattr" ownerid="SLES-12-020400" disa="2884" severity="medium">
+- <VMSinfo VKey="217221" SVKey="217221r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the lremovexattr command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fremovexattr" ownerid="SLES-12-020410" disa="2884" severity="medium">
+- <VMSinfo VKey="217222" SVKey="217222r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the fremovexattr command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_dac_modification_chown" ownerid="SLES-12-020420" disa="2884" severity="medium">
+- <VMSinfo VKey="217223" SVKey="217223r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the chown command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchown" ownerid="SLES-12-020430" disa="2884" severity="medium">
+- <VMSinfo VKey="217224" SVKey="217224r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the fchown command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_dac_modification_lchown" ownerid="SLES-12-020440" disa="2884" severity="medium">
+- <VMSinfo VKey="217225" SVKey="217225r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the lchown command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchownat" ownerid="SLES-12-020450" disa="2884" 
severity="medium">
+- <VMSinfo VKey="217226" SVKey="217226r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the fchownat command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_dac_modification_chmod" ownerid="SLES-12-020460" disa="2884" severity="medium">
+- <VMSinfo VKey="217227" SVKey="217227r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the chmod command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmod" ownerid="SLES-12-020470" disa="2884" severity="medium">
+- <VMSinfo VKey="217228" SVKey="217228r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the fchmod command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmodat" ownerid="SLES-12-020480" disa="2884" severity="medium">
+- <VMSinfo VKey="217229" SVKey="217229r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the fchmodat command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open" ownerid="SLES-12-020490" disa="2884" severity="medium">
+- <VMSinfo VKey="217230" SVKey="217230r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the open command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_truncate" ownerid="SLES-12-020500" disa="172" severity="medium">
+- <VMSinfo VKey="217231" SVKey="217231r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the truncate command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_ftruncate" ownerid="SLES-12-020510" disa="2884" severity="medium">
+- <VMSinfo 
VKey="217232" SVKey="217232r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the ftruncate command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_creat" ownerid="SLES-12-020520" disa="2884" severity="medium">
+- <VMSinfo VKey="217233" SVKey="217233r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the creat command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_openat" ownerid="SLES-12-020530" disa="2884" severity="medium">
+- <VMSinfo VKey="217234" SVKey="217234r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the openat command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open_by_handle_at" ownerid="SLES-12-020540" disa="2884" severity="medium">
+- <VMSinfo VKey="217235" SVKey="217235r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the open_by_handle_at command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_passwd" ownerid="SLES-12-020550" disa="2884" severity="low">
+- <VMSinfo VKey="217236" SVKey="217236r6039" VRelease="r603911"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the passwd command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_gpasswd" ownerid="SLES-12-020560" disa="2884" severity="low">
+- <VMSinfo VKey="217237" SVKey="217237r6039" VRelease="r603914"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the gpasswd command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_newgrp" ownerid="SLES-12-020570" disa="2884" severity="low">
+- <VMSinfo 
VKey="217238" SVKey="217238r6039" VRelease="r603917"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the newgrp command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chsh" ownerid="SLES-12-020580" disa="2884" severity="low">
+- <VMSinfo VKey="217239" SVKey="217239r6039" VRelease="r603920"/>
+- <title text="The SUSE operating system must generate audit records for a uses of the chsh command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_gshadow" ownerid="SLES-12-020590" disa="2130" severity="medium">
+- <VMSinfo VKey="217240" SVKey="217240r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_execution_chmod" ownerid="SLES-12-020600" disa="2884" severity="medium">
+- <VMSinfo VKey="217241" SVKey="217241r6039" VRelease="r603923"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the chmod command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_execution_setfacl" ownerid="SLES-12-020610" disa="2884" severity="medium">
+- <VMSinfo VKey="217242" SVKey="217242r6039" VRelease="r603926"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the setfacl command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_execution_chacl" ownerid="SLES-12-020620" disa="2884" severity="medium">
+- <VMSinfo VKey="217243" SVKey="217243r6039" VRelease="r603929"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the chacl command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_execution_chcon" ownerid="SLES-12-020630" disa="2884" severity="medium">
+- <VMSinfo VKey="217244" SVKey="217244r6039" 
VRelease="r603932"/>
+- <title text="Successful/unsuccessful attempts to modify categories of information (e.g., classification levels) must generate audit records."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_execution_rm" ownerid="SLES-12-020640" disa="2884" severity="medium">
+- <VMSinfo VKey="217245" SVKey="217245r6039" VRelease="r603935"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the rm command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_login_events_tallylog" ownerid="SLES-12-020650" disa="2884" severity="medium">
+- <VMSinfo VKey="217246" SVKey="217246r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_login_events_lastlog" ownerid="SLES-12-020660" disa="2884" severity="medium">
+- <VMSinfo VKey="217247" SVKey="217247r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all modifications to the lastlog file."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_passmass" ownerid="SLES-12-020670" disa="2884" severity="medium">
+- <VMSinfo VKey="217248" SVKey="217248r6039" VRelease="r603938"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the passmass command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_unix_chkpwd" ownerid="SLES-12-020680" disa="2884" severity="medium">
+- <VMSinfo VKey="217249" SVKey="217249r6039" VRelease="r603941"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the unix_chkpwd command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chage" ownerid="SLES-12-020690" disa="2884" severity="medium">
+- <VMSinfo VKey="217250" 
SVKey="217250r6039" VRelease="r603944"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the chage command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_usermod" ownerid="SLES-12-020700" disa="2884" severity="medium">
+- <VMSinfo VKey="217251" SVKey="217251r6039" VRelease="r603947"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the usermod command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_crontab" ownerid="SLES-12-020710" disa="2884" severity="medium">
+- <VMSinfo VKey="217252" SVKey="217252r6039" VRelease="r603950"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the crontab command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_pam_timestamp_check" ownerid="SLES-12-020720" disa="2884" severity="medium">
+- <VMSinfo VKey="217253" SVKey="217253r6039" VRelease="r603953"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="SLES-12-020730" disa="2884" severity="medium">
+- <VMSinfo VKey="217254" SVKey="217254r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the delete_module command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_finit" ownerid="SLES-12-020740" disa="2884" severity="medium">
+- <VMSinfo VKey="217255" SVKey="217255r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the finit_module command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_init" ownerid="SLES-12-020750" disa="2884" severity="medium">
+- <VMSinfo VKey="217256" 
SVKey="217256r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the init_module command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_login_events_faillog" ownerid="SLES-12-020760" disa="2884" severity="medium">
+- <VMSinfo VKey="217257" SVKey="217257r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must generate audit records for all modifications to the faillog file."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_telnet-server_removed" ownerid="SLES-12-030000" disa="381" severity="medium">
+- <VMSinfo VKey="217258" SVKey="217258r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must not have the telnet-server package installed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="ftp_present_banner" ownerid="SLES-12-030010" disa="48" severity="medium">
+- <VMSinfo VKey="217259" SVKey="217259r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SFTP/FTP."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="banner_etc_gdm_banner" ownerid="SLES-12-030020" disa="50" severity="medium">
+- <VMSinfo VKey="217260" SVKey="217260r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="susefirewall2_only_required_services" ownerid="SLES-12-030030" disa="2080" severity="medium">
+- <VMSinfo VKey="217261" SVKey="217261r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."/>
+- </overlay>
+- <overlay owner="disastig" 
ruleid="susefirewall2_ddos_protection" ownerid="SLES-12-030040" disa="2385" severity="high">
+- <VMSinfo VKey="217262" SVKey="217262r6032" VRelease="r603262"/>
+- <title text="SuSEfirewall2 must protect against or limit the effects of Denial-of-Service (DoS) attacks on the SUSE operating system by implementing rate-limiting measures on impacted network interfaces."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="SLES-12-030050" disa="48" severity="medium">
+- <VMSinfo VKey="217263" SVKey="217263r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="service_sshd_enabled" ownerid="SLES-12-030100" disa="2422" severity="high">
+- <VMSinfo VKey="217264" SVKey="217264r6032" VRelease="r603262"/>
+- <title text="All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_set_loglevel_verbose" ownerid="SLES-12-030110" disa="67" severity="medium">
+- <VMSinfo VKey="217265" SVKey="217265r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must log SSH connection attempts and failures to the server."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_print_last_log" ownerid="SLES-12-030130" disa="366" severity="medium">
+- <VMSinfo VKey="217266" SVKey="217266r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-12-030140" disa="770" severity="medium">
+- <VMSinfo VKey="217267" SVKey="217267r6032" VRelease="r603262"/>
+- <title text="The SUSE 
operating system must deny direct logons to the root account using remote access via SSH."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_empty_passwords" ownerid="SLES-12-030150" disa="366" severity="high">
+- <VMSinfo VKey="217268" SVKey="217268r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must not allow automatic logon via SSH."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_do_not_permit_user_env" ownerid="SLES-12-030151" disa="366" severity="medium">
+- <VMSinfo VKey="217269" SVKey="217269r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must not allow unattended logon via SSH."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_use_approved_ciphers" ownerid="SLES-12-030170" disa="2890" severity="medium">
+- <VMSinfo VKey="217270" SVKey="217270r6039" VRelease="r603956"/>
+- <title text="The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_use_approved_macs" ownerid="SLES-12-030180" disa="3123" severity="medium">
+- <VMSinfo VKey="217271" SVKey="217271r6039" VRelease="r603959"/>
+- <title text="The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_set_idle_timeout" ownerid="SLES-12-030190" disa="2361" severity="medium">
+- <VMSinfo VKey="217272" SVKey="217272r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system SSH daemon must be configured with a timeout interval."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_set_keepalive" ownerid="SLES-12-030191" disa="2361" severity="medium">
+- <VMSinfo VKey="217273" SVKey="217273r6039" VRelease="r603961"/>
+- <title text="The SUSE operating system for all network connections associated with SSH traffic must immediately 
terminate at the end of the session or after 10 minutes of inactivity."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_user_known_hosts" ownerid="SLES-12-030200" disa="366" severity="medium">
+- <VMSinfo VKey="217274" SVKey="217274r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_permissions_sshd_pub_key" ownerid="SLES-12-030210" disa="366" severity="medium">
+- <VMSinfo VKey="217275" SVKey="217275r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_permissions_sshd_private_key" ownerid="SLES-12-030220" disa="366" severity="medium">
+- <VMSinfo VKey="217276" SVKey="217276r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system SSH daemon private host key files must have mode 0600 or less permissive."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_enable_strictmodes" ownerid="SLES-12-030230" disa="366" severity="medium">
+- <VMSinfo VKey="217277" SVKey="217277r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_use_priv_separation" ownerid="SLES-12-030240" disa="366" severity="medium">
+- <VMSinfo VKey="217278" SVKey="217278r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system SSH daemon must use privilege separation."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_compression" ownerid="SLES-12-030250" disa="366" severity="medium">
+- <VMSinfo VKey="217279" SVKey="217279r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system SSH daemon must not allow compression or must only allow compression after 
successful authentication."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_enable_x11_forwarding" ownerid="SLES-12-030260" disa="366" severity="medium">
+- <VMSinfo VKey="217280" SVKey="217280r6039" VRelease="r603964"/>
+- <title text="The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-12-030261" disa="366" severity="medium">
+- <VMSinfo VKey="233308" SVKey="233308r6033" VRelease="r603331"/>
+- <title text="The SUSE operating system SSH daemon must prevent remote hosts from connecting to the proxy display."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="chronyd_or_ntpd_set_maxpoll" ownerid="SLES-12-030300" disa="1891" severity="medium">
+- <VMSinfo VKey="217281" SVKey="217281r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DoD time source at least every 24 hours."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_suid_privilege_function" ownerid="SLES-12-030310" disa="1890" severity="low">
+- <VMSinfo VKey="217282" SVKey="217282r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT)."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_kernel_kptr_restrict" ownerid="SLES-12-030320" disa="2824" severity="medium">
+- <VMSinfo VKey="217283" SVKey="217283r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_kernel_randomize_va_space" ownerid="SLES-12-030330" disa="2824" severity="medium">
+- <VMSinfo VKey="217284" SVKey="217284r6032" VRelease="r603262"/>
+- <title 
text="Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="SLES-12-030340" disa="1851" severity="medium">
+- <VMSinfo VKey="217285" SVKey="217285r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_tcp_syncookies" ownerid="SLES-12-030350" disa="1095" severity="medium">
+- <VMSinfo VKey="217286" SVKey="217286r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must be configured to use TCP syncookies."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_source_route" ownerid="SLES-12-030360" disa="366" severity="medium">
+- <VMSinfo VKey="217287" SVKey="217287r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_source_route" ownerid="SLES-12-030361" disa="366" severity="medium">
+- <VMSinfo VKey="217288" SVKey="217288r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_source_route" ownerid="SLES-12-030370" disa="366" severity="medium">
+- <VMSinfo VKey="217289" SVKey="217289r6032" VRelease="r603262"/>
+- <title text="The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" ownerid="SLES-12-030380" disa="366" severity="medium">
+- <VMSinfo 
VKey="217290" SVKey="217290r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_redirects" ownerid="SLES-12-030390" disa="366" severity="medium"> +- <VMSinfo VKey="217291" SVKey="217291r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_redirects" ownerid="SLES-12-030400" disa="366" severity="medium"> +- <VMSinfo VKey="217292" SVKey="217292r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_default_accept_source_route" ownerid="SLES-12-030401" disa="366" severity="medium"> +- <VMSinfo VKey="217293" SVKey="217293r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_send_redirects" ownerid="SLES-12-030410" disa="366" severity="medium"> +- <VMSinfo VKey="217294" SVKey="217294r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_send_redirects" ownerid="SLES-12-030420" disa="366" severity="medium"> +- <VMSinfo 
VKey="217295" SVKey="217295r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv4_ip_forward" ownerid="SLES-12-030430" disa="366" severity="medium"> +- <VMSinfo VKey="217296" SVKey="217296r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must not be performing packet forwarding unless the system is a router."/> +- </overlay> +- <overlay owner="disastig" ruleid="network_sniffer_disabled" ownerid="SLES-12-030440" disa="366" severity="medium"> +- <VMSinfo VKey="217297" SVKey="217297r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented."/> +- </overlay> +- <overlay owner="disastig" ruleid="wireless_disable_interfaces" ownerid="SLES-12-030450" disa="2418" severity="medium"> +- <VMSinfo VKey="217298" SVKey="217298r6032" VRelease="r603262"/> +- <title text="The SUSE operating system wireless network adapters must be disabled unless approved and documented."/> +- </overlay> +- <overlay owner="disastig" ruleid="install_smartcard_packages" ownerid="SLES-12-030500" disa="1954" severity="medium"> +- <VMSinfo VKey="217299" SVKey="217299r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must have the packages required for multifactor authentication to be installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="smartcard_configure_cert_checking" ownerid="SLES-12-030510" disa="1953" severity="medium"> +- <VMSinfo VKey="217300" SVKey="217300r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must implement certificate status checking for multifactor authentication."/> +- </overlay> +- <overlay owner="disastig" ruleid="smartcard_pam_enabled" ownerid="SLES-12-030520" disa="1954" severity="medium"> +- <VMSinfo VKey="217301" 
SVKey="217301r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)."/> +- </overlay> +- <overlay owner="disastig" ruleid="smartcard_configure_ca" ownerid="SLES-12-030530" disa="1991" severity="medium"> +- <VMSinfo VKey="217302" SVKey="217302r6032" VRelease="r603262"/> +- <title text="The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-12-030611" disa="1668" severity="high"> +- <VMSinfo VKey="222386" SVKey="222386r6032" VRelease="r603262"/> +- <title text="The SUSE operating system must use a virus scan program."/> +- </overlay> +-</overlays> +diff --git a/products/sle15/overlays/stig_overlay.xml b/products/sle15/overlays/stig_overlay.xml +deleted file mode 100644 +index 2f09bcdeee5..00000000000 +--- a/products/sle15/overlays/stig_overlay.xml ++++ /dev/null +@@ -1,935 +0,0 @@ +-<?xml version="1.0" encoding="UTF-8"?> +-<overlays xmlns="http://checklists.nist.gov/xccdf/1.1"> +- <overlay owner="disastig" ruleid="installed_OS_is_vendor_supported" ownerid="SLES-15-010000" disa="1230" severity="high"> +- <VMSinfo VKey="234800" SVKey="234800r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must be a vendor-supported release."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010001" disa="1233" severity="medium"> +- <VMSinfo VKey="234801" SVKey="234801r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must deploy Endpoint Security for Linux Threat Prevention (ENSLTP)."/> +- </overlay> +- <overlay owner="disastig" ruleid="security_patches_up_to_date" ownerid="SLES-15-010010" disa="1227" severity="medium"> +- <VMSinfo VKey="234802" SVKey="234802r6221" 
VRelease="r622137"/> +- <title text="Vendor-packaged SUSE operating system security patches and updates must be installed and up to date."/> +- </overlay> +- <overlay owner="disastig" ruleid="banner_etc_issue" ownerid="SLES-15-010020" disa="48" severity="medium"> +- <VMSinfo VKey="234803" SVKey="234803r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via local console."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010030" disa="381" severity="high"> +- <VMSinfo VKey="234804" SVKey="234804r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not have the vsftpd package installed if not required for operational support."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="SLES-15-010040" disa="1388" severity="medium"> +- <VMSinfo VKey="234805" SVKey="234805r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="SLES-15-010050" disa="50" severity="medium"> +- <VMSinfo VKey="234806" SVKey="234806r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI)."/> +- </overlay> +- <overlay owner="disastig" ruleid="banner_etc_gdm_banner" ownerid="SLES-15-010060" disa="50" severity="medium"> +- <VMSinfo VKey="234807" SVKey="234807r6221" VRelease="r622137"/> +- <title text="The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text."/> +- </overlay> +- <overlay owner="disastig" 
ruleid="dconf_gnome_banner_enabled" ownerid="SLES-15-010080" disa="1387" severity="medium"> +- <VMSinfo VKey="234808" SVKey="234808r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon."/> +- </overlay> +- <overlay owner="disastig" ruleid="dconf_gnome_login_banner_text" ownerid="SLES-15-010090" disa="1388" severity="medium"> +- <VMSinfo VKey="234809" SVKey="234809r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010100" disa="56" severity="medium"> +- <VMSinfo VKey="234810" SVKey="234810r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must be able to lock the graphical user interface (GUI)."/> +- </overlay> +- <overlay owner="disastig" ruleid="vlock_installed" ownerid="SLES-15-010110" disa="58" severity="low"> +- <VMSinfo VKey="234811" SVKey="234811r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must utilize vlock to allow for session locking."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_tmout" ownerid="SLES-15-010120" disa="57" severity="medium"> +- <VMSinfo VKey="234812" SVKey="234812r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface (GUI)."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_tmout" ownerid="SLES-15-010130" disa="57" severity="medium"> +- <VMSinfo VKey="234813" SVKey="234813r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must initiate a session lock after a 15-minute period of inactivity."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010140" disa="60" 
severity="low"> +- <VMSinfo VKey="234814" SVKey="234814r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface (GUI)."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_set_loglevel_verbose" ownerid="SLES-15-010150" disa="67" severity="medium"> +- <VMSinfo VKey="234815" SVKey="234815r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must log SSH connection attempts and failures to the server."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_use_approved_ciphers_ordered_stig" ownerid="SLES-15-010160" disa="68" severity="medium"> +- <VMSinfo VKey="234816" SVKey="234816r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections."/> +- </overlay> +- <overlay owner="disastig" ruleid="smartcard_configure_ca" ownerid="SLES-15-010170" disa="1991" severity="medium"> +- <VMSinfo VKey="234817" SVKey="234817r6221" VRelease="r622137"/> +- <title text="The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_telnet-server_removed" ownerid="SLES-15-010180" disa="381" severity="high"> +- <VMSinfo VKey="234818" SVKey="234818r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not have the telnet-server package installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="grub2_password" ownerid="SLES-15-010190" disa="213" severity="high"> +- <VMSinfo VKey="234819" SVKey="234819r6221" VRelease="r622137"/> +- <title text="SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes."/> +- 
</overlay> +- <overlay owner="disastig" ruleid="grub2_uefi_password" ownerid="SLES-15-010200" disa="213" severity="high"> +- <VMSinfo VKey="234820" SVKey="234820r6221" VRelease="r622137"/> +- <title text="SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance."/> +- </overlay> +- <overlay owner="disastig" ruleid="kernel_module_dccp_disabled" ownerid="SLES-15-010220" disa="2314" severity="medium"> +- <VMSinfo VKey="234821" SVKey="234821r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."/> +- </overlay> +- <overlay owner="disastig" ruleid="account_unique_id" ownerid="SLES-15-010230" disa="804" severity="medium"> +- <VMSinfo VKey="234822" SVKey="234822r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_autofs_disabled" ownerid="SLES-15-010240" disa="1958" severity="medium"> +- <VMSinfo VKey="234823" SVKey="234823r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must disable the file system automounter unless required."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_use_approved_ciphers_ordered_stig" ownerid="SLES-15-010250" disa="803" severity="medium"> +- <VMSinfo VKey="234824" SVKey="234824r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (system-auth)."/> +- </overlay> +- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_logindefs" ownerid="SLES-15-010260" disa="803" severity="medium"> +- <VMSinfo VKey="234825" 
SVKey="234825r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs)."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_use_approved_macs_ordered_stig" ownerid="SLES-15-010270" disa="3123" severity="medium"> +- <VMSinfo VKey="234826" SVKey="234826r6221" VRelease="r622137"/> +- <title text="The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_set_idle_timeout" ownerid="SLES-15-010280" disa="2361" severity="medium"> +- <VMSinfo VKey="234827" SVKey="234827r6221" VRelease="r622137"/> +- <title text="The SUSE operating system SSH daemon must be configured with a timeout interval."/> +- </overlay> +- <overlay owner="disastig" ruleid="dir_perms_world_writable_sticky_bits" ownerid="SLES-15-010300" disa="1090" severity="medium"> +- <VMSinfo VKey="234828" SVKey="234828r6221" VRelease="r622137"/> +- <title text="The sticky bit must be set on all SUSE operating system world-writable directories."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv4_tcp_syncookies" ownerid="SLES-15-010310" disa="1095" severity="medium"> +- <VMSinfo VKey="234829" SVKey="234829r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must be configured to use TCP syncookies."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_set_keepalive_0" ownerid="SLES-15-010320" disa="2361" severity="medium"> +- <VMSinfo VKey="234830" SVKey="234830r6221" VRelease="r622137"/> +- <title text="The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010330" disa="2475" severity="medium"> +- <VMSinfo 
VKey="234831" SVKey="234831r6221" VRelease="r622137"/> +- <title text="All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010340" disa="1312" severity="medium"> +- <VMSinfo VKey="234832" SVKey="234832r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permissions_var_log_messages" ownerid="SLES-15-010350" disa="1314" severity="medium"> +- <VMSinfo VKey="234833" SVKey="234833r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must prevent unauthorized users from accessing system error messages."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010351" disa="1499" severity="medium"> +- <VMSinfo VKey="234834" SVKey="234834r6221" VRelease="r622137"/> +- <title text="The SUSE operating system library files must have mode 0755 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010352" disa="1499" severity="medium"> +- <VMSinfo VKey="234835" SVKey="234835r6221" VRelease="r622137"/> +- <title text="The SUSE operating system library directories must have mode 0755 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010353" disa="1499" severity="medium"> +- <VMSinfo VKey="234836" SVKey="234836r6221" VRelease="r622137"/> +- <title text="The SUSE operating system library files must be owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010354" disa="1499" severity="medium"> +- <VMSinfo VKey="234837" SVKey="234837r6221" VRelease="r622137"/> +- <title 
text="The SUSE operating system library directories must be owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010355" disa="1499" severity="medium"> +- <VMSinfo VKey="234838" SVKey="234838r6221" VRelease="r622137"/> +- <title text="The SUSE operating system library files must be group-owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010356" disa="1499" severity="medium"> +- <VMSinfo VKey="234839" SVKey="234839r6221" VRelease="r622137"/> +- <title text="The SUSE operating system library directories must be group-owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010357" disa="1499" severity="medium"> +- <VMSinfo VKey="234840" SVKey="234840r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must have system commands set to a mode of 0755 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010358" disa="1499" severity="medium"> +- <VMSinfo VKey="234841" SVKey="234841r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010359" disa="1499" severity="medium"> +- <VMSinfo VKey="234842" SVKey="234842r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must have system commands owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010360" disa="1499" severity="medium"> +- <VMSinfo VKey="234843" SVKey="234843r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must have directories that contain system commands owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010361" disa="1499" severity="medium"> +- <VMSinfo VKey="234844" SVKey="234844r6221" VRelease="r622137"/> +- <title text="The SUSE 
operating system must have system commands group-owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010362" disa="1499" severity="medium"> +- <VMSinfo VKey="234845" SVKey="234845r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must have directories that contain system commands group-owned by root."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010370" disa="2322" severity="medium"> +- <VMSinfo VKey="234846" SVKey="234846r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must have a firewall system installed to immediately disconnect or disable remote access to the whole operating system."/> +- </overlay> +- <overlay owner="disastig" ruleid="wireless_disable_interfaces" ownerid="SLES-15-010380" disa="2418" severity="medium"> +- <VMSinfo VKey="234847" SVKey="234847r6221" VRelease="r622137"/> +- <title text="The SUSE operating system wireless network adapters must be disabled unless approved and documented."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010390" disa="1774" severity="medium"> +- <VMSinfo VKey="234848" SVKey="234848r6221" VRelease="r622137"/> +- <title text="SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control."/> +- </overlay> +- <overlay owner="disastig" ruleid="chronyd_or_ntpd_set_maxpoll" ownerid="SLES-15-010400" disa="1891" severity="medium"> +- <VMSinfo VKey="234849" SVKey="234849r6221" VRelease="r622137"/> +- <title text="The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DoD time source at least every 24 hours."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010410" disa="1890" severity="low"> +- <VMSinfo VKey="234850" SVKey="234850r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must be configured to use Coordinated Universal Time (UTC) 
or Greenwich Mean Time (GMT)."/> +- </overlay> +- <overlay owner="disastig" ruleid="package_aide_installed" ownerid="SLES-15-010420" disa="2699" severity="medium"> +- <VMSinfo VKey="234851" SVKey="234851r6221" VRelease="r622137"/> +- <title text="Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly."/> +- </overlay> +- <overlay owner="disastig" ruleid="ensure_gpgcheck_globally_activated" ownerid="SLES-15-010430" disa="1749" severity="high"> +- <VMSinfo VKey="234852" SVKey="234852r6221" VRelease="r622137"/> +- <title text="The SUSE operating system tool zypper must have gpgcheck enabled."/> +- </overlay> +- <overlay owner="disastig" ruleid="sudo_remove_no_authenticate" ownerid="SLES-15-010450" disa="2038" severity="high"> +- <VMSinfo VKey="234853" SVKey="234853r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges."/> +- </overlay> +- <overlay owner="disastig" ruleid="install_smartcard_packages" ownerid="SLES-15-010460" disa="1954" severity="medium"> +- <VMSinfo VKey="234854" SVKey="234854r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must have the packages required for multifactor authentication to be installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="smartcard_configure_cert_checking" ownerid="SLES-15-010470" disa="1948" severity="medium"> +- <VMSinfo VKey="234855" SVKey="234855r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must implement certificate status checking for multifactor authentication."/> +- </overlay> +- <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="SLES-15-010480" disa="1958" severity="medium"> +- <VMSinfo VKey="234856" SVKey="234856r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must disable the USB mass storage kernel module."/> +- </overlay> +- <overlay 
owner="disastig" ruleid="sssd_memcache_timeout" ownerid="SLES-15-010490" disa="2007" severity="medium"> +- <VMSinfo VKey="234857" SVKey="234857r6221" VRelease="r622137"/> +- <title text="If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the use of cached authentications after one day."/> +- </overlay> +- <overlay owner="disastig" ruleid="sssd_offline_cred_expiration" ownerid="SLES-15-010500" disa="2007" severity="medium"> +- <VMSinfo VKey="234858" SVKey="234858r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010510" disa="2450" severity="high"> +- <VMSinfo VKey="234859" SVKey="234859r6221" VRelease="r622137"/> +- <title text="FIPS 140-2 mode must be enabled on the SUSE operating system."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_sshd_enabled" ownerid="SLES-15-010530" disa="2422" severity="high"> +- <VMSinfo VKey="234860" SVKey="234860r6221" VRelease="r622137"/> +- <title text="All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_kernel_kptr_restrict" ownerid="SLES-15-010540" disa="2824" severity="medium"> +- <VMSinfo VKey="234861" SVKey="234861r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_kernel_randomize_va_space" ownerid="SLES-15-010550" disa="2824" severity="medium"> +- <VMSinfo VKey="234862" SVKey="234862r6221" VRelease="r622137"/> +- <title text="Address space layout randomization (ASLR) must 
be implemented by the SUSE operating system to protect memory from unauthorized code execution."/> +- </overlay> +- <overlay owner="disastig" ruleid="clean_components_post_updating" ownerid="SLES-15-010560" disa="2617" severity="medium"> +- <VMSinfo VKey="234863" SVKey="234863r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must remove all outdated software components after updated versions have been installed."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010570" disa="2702" severity="medium"> +- <VMSinfo VKey="234864" SVKey="234864r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must notify the System Administrator (SA) when Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation of any security functions."/> +- </overlay> +- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="SLES-15-010580" disa="1851" severity="medium"> +- <VMSinfo VKey="234865" SVKey="234865r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly."/> +- </overlay> +- <overlay owner="disastig" ruleid="account_temp_expire_date" ownerid="SLES-15-020000" disa="16" severity="medium"> +- <VMSinfo VKey="234866" SVKey="234866r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must provision temporary accounts with an expiration date for 72 hours."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_passwords_pam_tally2" ownerid="SLES-15-020010" disa="2238" severity="medium"> +- <VMSinfo VKey="234867" SVKey="234867r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must lock an account after three consecutive invalid access attempts."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_max_concurrent_login_sessions" ownerid="SLES-15-020020" disa="54" severity="low"> +- <VMSinfo VKey="234868" 
SVKey="234868r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types."/> +- </overlay> +- <overlay owner="disastig" ruleid="smartcard_pam_enabled" ownerid="SLES-15-020030" disa="768" severity="medium"> +- <VMSinfo VKey="234869" SVKey="234869r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-020040" disa="770" severity="medium"> +- <VMSinfo VKey="234870" SVKey="234870r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must deny direct logons to the root account using remote access via SSH."/> +- </overlay> +- <overlay owner="disastig" ruleid="account_disable_post_pw_expiration" ownerid="SLES-15-020050" disa="795" severity="medium"> +- <VMSinfo VKey="234871" SVKey="234871r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration."/> +- </overlay> +- <overlay owner="disastig" ruleid="account_emergency_admin" ownerid="SLES-15-020060" disa="1682" severity="medium"> +- <VMSinfo VKey="234872" SVKey="234872r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must never automatically remove or disable emergency administrator accounts."/> +- </overlay> +- <overlay owner="disastig" ruleid="display_login_attempts" ownerid="SLES-15-020080" disa="366" severity="low"> +- <VMSinfo VKey="234873" SVKey="234873r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must display the date and time of the last successful account logon upon logon."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_authorized_local_users" ownerid="SLES-15-020090" disa="366" 
severity="medium"> +- <VMSinfo VKey="234874" SVKey="234874r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not have unnecessary accounts."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-020091" disa="366" severity="medium"> +- <VMSinfo VKey="234875" SVKey="234875r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not have unnecessary account capabilities."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-020100" disa="366" severity="high"> +- <VMSinfo VKey="234876" SVKey="234876r6221" VRelease="r622137"/> +- <title text="The SUSE operating system root account must be the only account with unrestricted access to the system."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-020101" disa="366" severity="medium"> +- <VMSinfo VKey="234877" SVKey="234877r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must restrict privilege elevation to authorized personnel."/> +- </overlay> +- <overlay owner="disastig" ruleid="sudo_remove_no_authenticate" ownerid="SLES-15-020102" disa="2038" severity="medium"> +- <VMSinfo VKey="234878" SVKey="234878r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must require re-authentication when using the "sudo" command."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-020103" disa="366" severity="medium"> +- <VMSinfo VKey="234879" SVKey="234879r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo"."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_have_homedir_login_defs" ownerid="SLES-15-020110" disa="366" severity="medium"> +- <VMSinfo VKey="234880" SVKey="234880r6221" VRelease="r622137"/> +- <title text="All SUSE operating system local interactive user accounts, 
upon creation, must be assigned a home directory."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_print_last_log" ownerid="SLES-15-020120" disa="366" severity="medium">
+- <VMSinfo VKey="234881" SVKey="234881r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-020130" disa="192" severity="medium">
+- <VMSinfo VKey="234882" SVKey="234882r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must enforce passwords that contain at least one uppercase character."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-020140" disa="193" severity="medium">
+- <VMSinfo VKey="234883" SVKey="234883r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must enforce passwords that contain at least one lowercase character."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_dcredit" ownerid="SLES-15-020150" disa="194" severity="medium">
+- <VMSinfo VKey="234884" SVKey="234884r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must enforce passwords that contain at least one numeric character."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-020160" disa="195" severity="medium">
+- <VMSinfo VKey="234885" SVKey="234885r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must require the change of at least eight of the total number of characters when passwords are changed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_systemauth" ownerid="SLES-15-020170" disa="196" severity="medium">
+- <VMSinfo VKey="234886" SVKey="234886r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_all_shadowed_sha512" ownerid="SLES-15-020180" disa="803" severity="medium">
+- <VMSinfo VKey="234887" SVKey="234887r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-020190" disa="803" severity="medium">
+- <VMSinfo VKey="234888" SVKey="234888r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-020200" disa="198" severity="medium">
+- <VMSinfo VKey="234889" SVKey="234889r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day)."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-020210" disa="198" severity="medium">
+- <VMSinfo VKey="234890" SVKey="234890r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day)."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_maximum_age_login_defs" ownerid="SLES-15-020220" disa="199" severity="medium">
+- <VMSinfo VKey="234891" SVKey="234891r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_password_set_max_life_existing" ownerid="SLES-15-020230" disa="199" severity="medium">
+- <VMSinfo VKey="234892" SVKey="234892r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must employ user passwords with a maximum lifetime of 60 days."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_etc_security_opasswd" ownerid="SLES-15-020240" disa="200" severity="medium">
+- <VMSinfo VKey="234893" SVKey="234893r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must employ a password history file."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-020250" disa="200" severity="medium">
+- <VMSinfo VKey="234894" SVKey="234894r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must not allow passwords to be reused for a minimum of five generations."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_minlen" ownerid="SLES-15-020260" disa="205" severity="medium">
+- <VMSinfo VKey="234895" SVKey="234895r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must employ passwords with a minimum of 15 characters."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_ocredit" ownerid="SLES-15-020270" disa="1619" severity="medium">
+- <VMSinfo VKey="234896" SVKey="234896r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must enforce passwords that contain at least one special character."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_retry" ownerid="SLES-15-020290" disa="366" severity="medium">
+- <VMSinfo VKey="234897" SVKey="234897r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must prevent the use of dictionary words for passwords."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="no_empty_passwords" ownerid="SLES-15-020300" disa="366" severity="high">
+- <VMSinfo VKey="234898" SVKey="234898r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must not be configured to allow blank or null passwords."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="SLES-15-030000" disa="1686" severity="medium">
+- <VMSinfo VKey="234899" SVKey="234899r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_group" ownerid="SLES-15-030010" disa="172" severity="medium">
+- <VMSinfo VKey="234900" SVKey="234900r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_shadow" ownerid="SLES-15-030020" disa="2132" severity="medium">
+- <VMSinfo VKey="234901" SVKey="234901r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="SLES-15-030030" disa="1403" severity="medium">
+- <VMSinfo VKey="234902" SVKey="234902r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_gshadow" ownerid="SLES-15-030040" disa="2130" severity="medium">
+- <VMSinfo VKey="234903" SVKey="234903r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="SLES-15-030050" disa="2884" severity="medium">
+- <VMSinfo VKey="234904" SVKey="234904r6221" VRelease="r622137"/>
+- <title text="SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_ssh_keysign" ownerid="SLES-15-030060" disa="2884" severity="low">
+- <VMSinfo VKey="234905" SVKey="234905r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the ssh-keysign command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_passwd" ownerid="SLES-15-030070" disa="2884" severity="medium">
+- <VMSinfo VKey="234906" SVKey="234906r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the passwd command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_gpasswd" ownerid="SLES-15-030080" disa="2884" severity="low">
+- <VMSinfo VKey="234907" SVKey="234907r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the gpasswd command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_newgrp" ownerid="SLES-15-030090" disa="2884" severity="low">
+- <VMSinfo VKey="234908" SVKey="234908r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the newgrp command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chsh" ownerid="SLES-15-030100" disa="2884" severity="low">
+- <VMSinfo VKey="234909" SVKey="234909r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for a uses of the chsh command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030110" disa="2884" severity="medium">
+- <VMSinfo VKey="234910" SVKey="234910r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the unix_chkpwd or unix2_chkpwd commands."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chage" ownerid="SLES-15-030120" disa="2884" severity="medium">
+- <VMSinfo VKey="234911" SVKey="234911r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the chage command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_crontab" ownerid="SLES-15-030130" disa="2884" severity="medium">
+- <VMSinfo VKey="234912" SVKey="234912r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the crontab command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030140" disa="2884" severity="medium">
+- <VMSinfo VKey="234913" SVKey="234913r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030150" disa="2884" severity="medium">
+- <VMSinfo VKey="234914" SVKey="234914r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the open system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030160" disa="2884" severity="medium">
+- <VMSinfo VKey="234915" SVKey="234915r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the creat system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030170" disa="2884" severity="medium">
+- <VMSinfo VKey="234916" SVKey="234916r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the openat system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030180" disa="2884" severity="medium">
+- <VMSinfo VKey="234917" SVKey="234917r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the open_by_handle_at system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030190" disa="2884" severity="medium">
+- <VMSinfo VKey="234918" SVKey="234918r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the removexattr system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030200" disa="2884" severity="medium">
+- <VMSinfo VKey="234919" SVKey="234919r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the lremovexattr system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030210" disa="2884" severity="medium">
+- <VMSinfo VKey="234920" SVKey="234920r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the fremovexattr system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030220" disa="2884" severity="medium">
+- <VMSinfo VKey="234921" SVKey="234921r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the setxattr system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030230" disa="2884" severity="medium">
+- <VMSinfo VKey="234922" SVKey="234922r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the fsetxattr system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030240" disa="2884" severity="medium">
+- <VMSinfo VKey="234923" SVKey="234923r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the lsetxattr system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030250" disa="2884" severity="medium">
+- <VMSinfo VKey="234924" SVKey="234924r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the chown system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030260" disa="2884" severity="medium">
+- <VMSinfo VKey="234925" SVKey="234925r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the fchown system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030270" disa="2884" severity="medium">
+- <VMSinfo VKey="234926" SVKey="234926r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the lchown system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030280" disa="2884" severity="medium">
+- <VMSinfo VKey="234927" SVKey="234927r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the fchownat system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030290" disa="2884" severity="medium">
+- <VMSinfo VKey="234928" SVKey="234928r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the chmod system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030300" disa="2884" severity="medium">
+- <VMSinfo VKey="234929" SVKey="234929r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the fchmod system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030310" disa="2884" severity="medium">
+- <VMSinfo VKey="234930" SVKey="234930r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the fchmodat system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030320" disa="2884" severity="medium">
+- <VMSinfo VKey="234931" SVKey="234931r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the ftruncate system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030330" disa="2884" severity="medium">
+- <VMSinfo VKey="234932" SVKey="234932r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the sudoedit command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chfn" ownerid="SLES-15-030340" disa="2884" severity="low">
+- <VMSinfo VKey="234933" SVKey="234933r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the chfn command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030350" disa="2884" severity="low">
+- <VMSinfo VKey="234934" SVKey="234934r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the mount system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030360" disa="2884" severity="low">
+- <VMSinfo VKey="234935" SVKey="234935r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the umount system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_ssh_agent" ownerid="SLES-15-030370" disa="2884" severity="low">
+- <VMSinfo VKey="234936" SVKey="234936r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the ssh-agent command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030380" disa="2884" severity="medium">
+- <VMSinfo VKey="234937" SVKey="234937r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the insmod command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030390" disa="2884" severity="medium">
+- <VMSinfo VKey="234938" SVKey="234938r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the rmmod command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030400" disa="2884" severity="medium">
+- <VMSinfo VKey="234939" SVKey="234939r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the modprobe command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_kmod" ownerid="SLES-15-030410" disa="2884" severity="medium">
+- <VMSinfo VKey="234940" SVKey="234940r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the kmod command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_dac_modification_chmod" ownerid="SLES-15-030420" disa="2884" severity="medium">
+- <VMSinfo VKey="234941" SVKey="234941r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the chmod command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_execution_setfacl" ownerid="SLES-15-030430" disa="2884" severity="medium">
+- <VMSinfo VKey="234942" SVKey="234942r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the setfacl command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_execution_chacl" ownerid="SLES-15-030440" disa="2884" severity="medium">
+- <VMSinfo VKey="234943" SVKey="234943r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the chacl command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030450" disa="2884" severity="medium">
+- <VMSinfo VKey="234944" SVKey="234944r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the chcon command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_execution_rm" ownerid="SLES-15-030460" disa="2884" severity="medium">
+- <VMSinfo VKey="234945" SVKey="234945r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the rm command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_login_events_tallylog" ownerid="SLES-15-030470" disa="2884" severity="medium">
+- <VMSinfo VKey="234946" SVKey="234946r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_login_events_lastlog" ownerid="SLES-15-030480" disa="2884" severity="medium">
+- <VMSinfo VKey="234947" SVKey="234947r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all modifications to the lastlog file."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_passmass" ownerid="SLES-15-030490" disa="2884" severity="medium">
+- <VMSinfo VKey="234948" SVKey="234948r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the passmass command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_usermod" ownerid="SLES-15-030500" disa="2884" severity="medium">
+- <VMSinfo VKey="234949" SVKey="234949r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the usermod command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_pam_timestamp_check" ownerid="SLES-15-030510" disa="2884" severity="medium">
+- <VMSinfo VKey="234950" SVKey="234950r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030520" disa="2884" severity="medium">
+- <VMSinfo VKey="234951" SVKey="234951r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the delete_module system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030530" disa="2884" severity="medium">
+- <VMSinfo VKey="234952" SVKey="234952r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the finit_module system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030540" disa="2884" severity="medium">
+- <VMSinfo VKey="234953" SVKey="234953r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the init_module system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_su" ownerid="SLES-15-030550" disa="2884" severity="medium">
+- <VMSinfo VKey="234954" SVKey="234954r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the su command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030560" disa="2884" severity="low">
+- <VMSinfo VKey="234955" SVKey="234955r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the sudo command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_data_retention_action_mail_acct" ownerid="SLES-15-030570" disa="139" severity="medium">
+- <VMSinfo VKey="234956" SVKey="234956r6221" VRelease="r622137"/>
+- <title text="The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="postfix_client_configure_mail_alias" ownerid="SLES-15-030580" disa="139" severity="medium">
+- <VMSinfo VKey="234957" SVKey="234957r6221" VRelease="r622137"/>
+- <title text="The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_data_disk_full_action" ownerid="SLES-15-030590" disa="140" severity="medium">
+- <VMSinfo VKey="234958" SVKey="234958r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system audit system must take appropriate action when the audit storage volume is full."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="permissions_local_var_log_audit" ownerid="SLES-15-030600" disa="164" severity="medium">
+- <VMSinfo VKey="234959" SVKey="234959r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must protect audit rules from unauthorized modification."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_truncate" ownerid="SLES-15-030610" disa="172" severity="medium">
+- <VMSinfo VKey="234960" SVKey="234960r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the truncate command."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="permissions_local_audit_binaries" ownerid="SLES-15-030620" disa="1495" severity="medium">
+- <VMSinfo VKey="234961" SVKey="234961r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="aide_check_audit_tools" ownerid="SLES-15-030630" disa="1496" severity="medium">
+- <VMSinfo VKey="234962" SVKey="234962r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="audit_rules_suid_privilege_function" ownerid="SLES-15-030640" disa="1875" severity="low">
+- <VMSinfo VKey="234963" SVKey="234963r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the privileged functions."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_audit_installed" ownerid="SLES-15-030650" disa="1878" severity="medium">
+- <VMSinfo VKey="234964" SVKey="234964r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must have the auditing package installed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="partition_for_var_log_audit" ownerid="SLES-15-030660" disa="1849" severity="medium">
+- <VMSinfo VKey="234965" SVKey="234965r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="package_audit-audispd-plugins_installed" ownerid="SLES-15-030670" disa="1851" severity="medium">
+- <VMSinfo VKey="234966" SVKey="234966r6221" VRelease="r622137"/>
+- <title text="The audit-audispd-plugins must be installed on the SUSE operating system."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="SLES-15-030680" disa="1851" severity="low">
+- <VMSinfo VKey="234967" SVKey="234967r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system audit event multiplexor must be configured to use Kerberos."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="SLES-15-030690" disa="1851" severity="low">
+- <VMSinfo VKey="234968" SVKey="234968r6221" VRelease="r622137"/>
+- <title text="Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_data_retention_space_left" ownerid="SLES-15-030700" disa="1855" severity="medium">
+- <VMSinfo VKey="234969" SVKey="234969r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-030710" disa="172" severity="medium">
+- <VMSinfo VKey="234970" SVKey="234970r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the rename system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-030720" disa="172" severity="medium">
+- <VMSinfo VKey="234971" SVKey="234971r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the renameat system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-030730" disa="172" severity="medium">
+- <VMSinfo VKey="234972" SVKey="234972r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the renameat2 system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-030740" disa="172" severity="medium">
+- <VMSinfo VKey="234973" SVKey="234973r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the unlink system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-030750" disa="172" severity="medium">
+- <VMSinfo VKey="234974" SVKey="234974r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for all uses of the unlinkat system call."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-030760" disa="172" severity="medium">
+- <VMSinfo VKey="234975" SVKey="234975r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for the /run/utmp file."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-030770" disa="172" severity="medium">
+- <VMSinfo VKey="234976" SVKey="234976r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for the /var/log/wtmp file."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-030780" disa="172" severity="medium">
+- <VMSinfo VKey="234977" SVKey="234977r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must generate audit records for the /var/log/btmp file."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="SLES-15-030790" disa="1851" severity="medium">
+- <VMSinfo VKey="234978" SVKey="234978r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must off-load audit records onto a different system or media from the system being audited."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="auditd_audispd_disk_full_action" ownerid="SLES-15-030800" disa="1851" severity="medium">
+- <VMSinfo VKey="234979" SVKey="234979r6221" VRelease="r622137"/>
+- <title text="Audispd must take appropriate action when the SUSE operating system audit storage is full."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="partition_for_var_log_audit" ownerid="SLES-15-030810" disa="366" severity="low">
+- <VMSinfo VKey="234980" SVKey="234980r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must use a separate file system for the system audit data path."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-030820" disa="366" severity="medium">
+- <VMSinfo VKey="234981" SVKey="234981r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must not disable syscall auditing."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_passwords_pam_faildelay_delay" ownerid="SLES-15-040000" disa="366" severity="medium">
+- <VMSinfo VKey="234982" SVKey="234982r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-040010" disa="366" severity="medium">
+- <VMSinfo VKey="234983" SVKey="234983r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="no_user_host_based_files" ownerid="SLES-15-040020" disa="366" severity="high">
+- <VMSinfo VKey="234984" SVKey="234984r6221" VRelease="r622137"/>
+- <title text="There must be no .shosts files on the SUSE operating system."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="no_host_based_files" ownerid="SLES-15-040030" disa="366" severity="high">
+- <VMSinfo VKey="234985" SVKey="234985r6221" VRelease="r622137"/>
+- <title text="There must be no shosts.equiv files on the SUSE operating system."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="aide_verify_acls" ownerid="SLES-15-040040" disa="366" severity="low">
+- <VMSinfo VKey="234986" SVKey="234986r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs)."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="aide_verify_ext_attributes" ownerid="SLES-15-040050" disa="366" severity="low">
+- <VMSinfo VKey="234987" SVKey="234987r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system file integrity tool must be configured to verify extended attributes."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" ownerid="SLES-15-040060" disa="366" severity="high">
+- <VMSinfo VKey="234988" SVKey="234988r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040061" disa="366" severity="high">
+- <VMSinfo VKey="234989" SVKey="234989r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040062" disa="366" severity="high">
+- <VMSinfo VKey="234990" SVKey="234990r6221" VRelease="r622137"/>
+- <title text="The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_defined" ownerid="SLES-15-040070" disa="366" severity="medium">
+- <VMSinfo VKey="234991" SVKey="234991r6221" VRelease="r622137"/>
+- <title text="All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_exists" ownerid="SLES-15-040080" disa="366" severity="medium">
+- <VMSinfo VKey="234992" SVKey="234992r6221" VRelease="r622137"/>
+- <title text="All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_permissions_home_directories" ownerid="SLES-15-040090" disa="366" severity="medium">
+- <VMSinfo VKey="234993" SVKey="234993r6221" VRelease="r622137"/>
+- <title text="All SUSE operating system local interactive user home directories must have mode 0750 or less permissive."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040100" disa="366" severity="medium">
+- <VMSinfo VKey="234994" SVKey="234994r6221" VRelease="r622137"/>
+- <title text="All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="file_permission_user_init_files" ownerid="SLES-15-040110" disa="366" severity="medium">
+- <VMSinfo VKey="234995" SVKey="234995r6221" VRelease="r622137"/>
+- <title text="All SUSE operating system local initialization files must have mode 0740 or less permissive."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_user_home_paths_only" ownerid="SLES-15-040120" disa="366" severity="medium">
+- <VMSinfo VKey="234996" SVKey="234996r6221" VRelease="r622137"/>
+- <title text="All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="accounts_user_dot_no_world_writable_programs" ownerid="SLES-15-040130" disa="366" severity="medium">
+- <VMSinfo VKey="234997" SVKey="234997r6221" VRelease="r622137"/>
+- <title text="All SUSE operating system local initialization files must not execute world-writable programs."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="mount_option_home_nosuid" ownerid="SLES-15-040140" disa="366" severity="medium">
+- <VMSinfo VKey="234998" SVKey="234998r6221" VRelease="r622137"/>
+- <title text="SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="mount_option_nosuid_removable_partitions" ownerid="SLES-15-040150" disa="366" severity="medium">
+- <VMSinfo VKey="234999" SVKey="234999r6221" VRelease="r622137"/>
+- <title text="SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="mount_option_nosuid_remote_filesystems" ownerid="SLES-15-040160" disa="366" severity="medium">
+- <VMSinfo VKey="235000" SVKey="235000r6221" VRelease="r622137"/>
+- <title text="SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed."/>
+- </overlay>
+- <overlay owner="disastig" ruleid="mount_option_noexec_remote_filesystems" ownerid="SLES-15-040170" disa="366" severity="medium">
+- <VMSinfo VKey="235001" SVKey="235001r6221" VRelease="r622137"/>
+- <title text="SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being
executed."/> +- </overlay> +- <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned_group" ownerid="SLES-15-040180" disa="366" severity="medium"> +- <VMSinfo VKey="235002" SVKey="235002r6221" VRelease="r622137"/> +- <title text="All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group."/> +- </overlay> +- <overlay owner="disastig" ruleid="service_kdump_disabled" ownerid="SLES-15-040190" disa="366" severity="medium"> +- <VMSinfo VKey="235003" SVKey="235003r6221" VRelease="r622137"/> +- <title text="SUSE operating system kernel core dumps must be disabled unless needed."/> +- </overlay> +- <overlay owner="disastig" ruleid="partition_for_home" ownerid="SLES-15-040200" disa="366" severity="low"> +- <VMSinfo VKey="235004" SVKey="235004r6221" VRelease="r622137"/> +- <title text="A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent)."/> +- </overlay> +- <overlay owner="disastig" ruleid="partition_for_var" ownerid="SLES-15-040210" disa="366" severity="low"> +- <VMSinfo VKey="235005" SVKey="235005r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must use a separate file system for /var."/> +- </overlay> +- <overlay owner="disastig" ruleid="pam_disable_automatic_configuration" ownerid="SLES-15-040220" disa="366" severity="medium"> +- <VMSinfo VKey="235006" SVKey="235006r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_user_known_hosts" ownerid="SLES-15-040230" disa="366" severity="medium"> +- <VMSinfo VKey="235007" SVKey="235007r6221" VRelease="r622137"/> +- <title text="The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication."/> +- </overlay> +- <overlay 
owner="disastig" ruleid="file_permissions_sshd_pub_key" ownerid="SLES-15-040240" disa="366" severity="medium"> +- <VMSinfo VKey="235008" SVKey="235008r6221" VRelease="r622137"/> +- <title text="The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permissions_sshd_private_key" ownerid="SLES-15-040250" disa="366" severity="medium"> +- <VMSinfo VKey="235009" SVKey="235009r6221" VRelease="r622137"/> +- <title text="The SUSE operating system SSH daemon private host key files must have mode 0600 or less permissive."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_enable_strictmodes" ownerid="SLES-15-040260" disa="366" severity="medium"> +- <VMSinfo VKey="235010" SVKey="235010r6221" VRelease="r622137"/> +- <title text="The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_use_priv_separation" ownerid="SLES-15-040270" disa="366" severity="medium"> +- <VMSinfo VKey="235011" SVKey="235011r6221" VRelease="r622137"/> +- <title text="The SUSE operating system SSH daemon must use privilege separation."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_compression" ownerid="SLES-15-040280" disa="366" severity="medium"> +- <VMSinfo VKey="235012" SVKey="235012r6221" VRelease="r622137"/> +- <title text="The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040290" disa="366" severity="medium"> +- <VMSinfo VKey="235013" SVKey="235013r6221" VRelease="r622137"/> +- <title text="The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements."/> +- </overlay> +- <overlay 
owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_source_route" ownerid="SLES-15-040300" disa="366" severity="medium"> +- <VMSinfo VKey="235014" SVKey="235014r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_source_route" ownerid="SLES-15-040310" disa="366" severity="medium"> +- <VMSinfo VKey="235015" SVKey="235015r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_source_route" ownerid="SLES-15-040320" disa="366" severity="medium"> +- <VMSinfo VKey="235016" SVKey="235016r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040321" disa="366" severity="medium"> +- <VMSinfo VKey="235017" SVKey="235017r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_redirects" ownerid="SLES-15-040330" disa="366" severity="medium"> +- <VMSinfo VKey="235018" SVKey="235018r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_redirects" ownerid="SLES-15-040340" disa="366" severity="medium"> +- <VMSinfo VKey="235019" SVKey="235019r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not 
allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040341" disa="366" severity="medium"> +- <VMSinfo VKey="235020" SVKey="235020r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_default_accept_source_route" ownerid="SLES-15-040350" disa="366" severity="medium"> +- <VMSinfo VKey="235021" SVKey="235021r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_send_redirects" ownerid="SLES-15-040360" disa="366" severity="medium"> +- <VMSinfo VKey="235022" SVKey="235022r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default."/> +- </overlay> +- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_send_redirects" ownerid="SLES-15-040370" disa="366" severity="medium"> +- <VMSinfo VKey="235023" SVKey="235023r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040380" disa="366" severity="medium"> +- <VMSinfo VKey="235024" SVKey="235024r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding 
unless the system is a router."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040381" disa="366" severity="medium"> +- <VMSinfo VKey="235025" SVKey="235025r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router."/> +- </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040382" disa="366" severity="medium"> +- <VMSinfo VKey="235026" SVKey="235026r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router."/> +- </overlay> +- <overlay owner="disastig" ruleid="network_sniffer_disabled" ownerid="SLES-15-040390" disa="366" severity="medium"> +- <VMSinfo VKey="235027" SVKey="235027r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented."/> +- </overlay> +- <overlay owner="disastig" ruleid="no_files_unowned_by_user" ownerid="SLES-15-040400" disa="1230" severity="medium"> +- <VMSinfo VKey="235028" SVKey="235028r6221" VRelease="r622137"/> +- <title text="All SUSE operating system files and directories must have a valid owner."/> +- </overlay> +- <overlay owner="disastig" ruleid="file_permissions_ungroupowned" ownerid="SLES-15-040410" disa="1230" severity="medium"> +- <VMSinfo VKey="235029" SVKey="235029r6221" VRelease="r622137"/> +- <title text="All SUSE operating system files and directories must have a valid group owner."/> +- </overlay> +- <overlay owner="disastig" ruleid="accounts_umask_etc_login_defs" ownerid="SLES-15-040420" disa="366" severity="medium"> +- <VMSinfo VKey="235030" SVKey="235030r6221" VRelease="r622137"/> +- <title text="The SUSE operating system default permissions must be defined in such a way that all authenticated users can 
only read and modify their own files."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-040430" disa="366" severity="high"> +- <VMSinfo VKey="235031" SVKey="235031r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not allow unattended or automatic logon via the graphical user interface (GUI)."/> +- </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-040440" disa="366" severity="high"> +- <VMSinfo VKey="235032" SVKey="235032r6221" VRelease="r622137"/> +- <title text="The SUSE operating system must not allow unattended or automatic logon via SSH."/> +- </overlay> +-</overlays> +diff --git a/products/vsel/overlays/stig_overlay.xml b/products/vsel/overlays/stig_overlay.xml +deleted file mode 100644 +index 0f94e305d86..00000000000 +--- a/products/vsel/overlays/stig_overlay.xml ++++ /dev/null +@@ -1,159 +0,0 @@ +-<?xml version="1.0"?> +-<overlays xmlns="http://checklists.nist.gov/xccdf/1.1"> +- <overlay owner="disastig" ruleid="web_client_disabled" ownerid="DTAVSEL-000" disa="1813" severity="medium"> +- <VMSinfo VKey="62791" SVKey="77281" VRelease="1" /> +- <title>The McAfee VirusScan Enterprise for Linux Web interface must be disabled unless the system is on a segregated network. +- +- +- +- The anti-virus signature file age must not exceed 7 days. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to receive automatic updates. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to enable On-Access scanning. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to decompress archives when scanning. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown program viruses. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown macro viruses. 
+- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find potentially unwanted programs. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being written to disk. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being read from disk. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan all file types. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner maximum scan time must not be less than 45 seconds. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must only be configured with exclusions that are documented and approved by the ISSO/ISSM/AO. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean as first action when a virus or Trojan is detected. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Quarantine if first action fails when a virus or Trojan is detected. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean as first action when programs and jokes are found. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Quarantine if first action fails when programs and jokes are found. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to deny access to the file if an error occurs during scanning. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to allow access to files if scanning times out. 
+- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be enabled to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to run a scheduled On-Demand scan at least once a week. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decompress archives when scanning. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown program viruses. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown macro viruses. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find potentially unwanted programs. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to scan all file types. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean infected files automatically as first action when a virus or Trojan is detected. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when a virus or Trojan is detected. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must only be configured with exclusions that are documented and approved by the ISSO/ISSM/AO. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean infected files automatically as first action when programs and jokes are found. 
+- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decode MIME encoded files. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to include all local drives and their sub-directories. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be enabled to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed. +- +- +- +- The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must scan all media used for system maintenance prior to use. +- +- +- +- The McAfee VirusScan Enterprise must be configured to receive all patches, service packs and updates from a DoD-managed source. +- +- +- +- The nails user and nailsgroup group must be restricted to the least privilege access required for the intended role. +- +- +- +- SMTP email notification must be enabled to ensure administrators are notified of out of date DAT, detected malware and error codes. +- +- +- +- Access to the McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x Web UI must be enforced by firewall rules. +- +- +\ No newline at end of file + +From c0f58c6c4be7e62795e5b6ef39d6ecf0e92abf9e Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 26 Jul 2021 18:07:38 +0200 +Subject: [PATCH 06/10] Update DISA STIG Firefox manual benchmark file. 
+ +--- + .../disa-stig-firefox-v4r11-xccdf-manual.xml | 159 ------------------ + .../disa-stig-firefox-v5r1-xccdf-manual.xml | 120 +++++++++++++ + 2 files changed, 120 insertions(+), 159 deletions(-) + delete mode 100644 shared/references/disa-stig-firefox-v4r11-xccdf-manual.xml + create mode 100644 shared/references/disa-stig-firefox-v5r1-xccdf-manual.xml + +diff --git a/shared/references/disa-stig-firefox-v4r11-xccdf-manual.xml b/shared/references/disa-stig-firefox-v4r11-xccdf-manual.xml +deleted file mode 100644 +index ed93f12474b..00000000000 +--- a/shared/references/disa-stig-firefox-v4r11-xccdf-manual.xml ++++ /dev/null +@@ -1,159 +0,0 @@ +-acceptedMozilla FirefoxDISA, Field Security OperationsSTIG.DOD.MILRelease: 11 Benchmark Date: 24 Apr 20154I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>DTBG010-DoD Root Certificate is not installed<GroupDescription></GroupDescription>DTBG010 - FireFoxThe DOD Root Certificate is not installed.<VulnDiscussion>The DOD root certificate will ensure that the trust chain is established for server certificate issued from the DOD 
CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Install the DOD root certificate.Procedure: Use the Tools/Options/Advanced/Encryption dialog. On the Select the View Certificates button. On the Certificate Manager window, select the Authorities tab. Scroll through the Certificate Name list to the U.S. Government heading. Look for the entry for the DoD Root CA 2. +-If there is an entry for the DoD Root CA 2, select the entry and then the View button. On the Certificate Viewer window, determine the value of the MD5 Fingerprint field. +- +-Criteria: +-If there is no entry for the DoD Root CA 2, then this is a Finding. +- +-If the value of the MD5 Fingerprint field of the DoD Root CA 2 certificate is not: +-47:78:92:DB:8A:EC:1B:53:68:F0:1D:00:9C:34:77:5E, +-then this is a Finding. +- +-If the value of the SHA1 Fingerprint field of the DoD Root CA 2 certificate is not: +-8C:94:1B:34:EA:1E:A6:ED:9A:E2:BC:54:CF:68:72:52:B4:C9:B5:61, then this is a Finding.DTBF020 - FireFox Preferences–Use of SSL Version 3<GroupDescription></GroupDescription>DTBF020Firefox is configured to allow use of SSL 3.0.<VulnDiscussion>DoD implementations of SSL must use TLS 1.0 in accordance with the Network Infrastructure STIG. Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD. 
Firefox has this set to on by default but this is not apparent in the GUI options screen.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Set the preference "security.enable_ssl3" to "true" or “false” and lock using the Mozilla.cfg file.Open a browser window, type "about:config" in the address bar, then navigate to the setting for Preference Name "security.enable_ssl3" and set the value to "true" or “false” and locked. +- +-Criteria: If the value of "security.enable_ssl3" is "true" or “false”, this is not a finding. If the value is locked, this is not a finding.DTBF050 - FireFox Preferences – Verification<GroupDescription></GroupDescription>DTBF050FireFox is configured to ask which certificate to present to a web site when a certificate is required.<VulnDiscussion>When a web site asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DOD require user authentication for access which increases security for DoD information. 
Access will be denied to the user if certificate management is not configured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Set the value of "security.default_personal_cert" to "Ask Every Time". Use the Mozilla.cfg file to lock the preference so users cannot change it. +- +-Type "about:config" in the browser address bar. Verify Preference Name "security.default_personal_cert" is set to "Ask Every Time" and is locked to prevent the user from altering. +- +-Criteria: If the value of "security.default_personal_cert" is set incorrectly or is not locked, then this is a finding. +-DTBF100 -FireFox Preferences–auto-download actions<GroupDescription></GroupDescription>DTBF100Firefox automatically executes or downloads MIME types which are not authorized for auto-download.<VulnDiscussion>The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows you to change the specified download action so that the file is opened with a selected external application or saved to disk instead. View the list of installed browser plugins and related MIME types by entering about:plugins in the address bar. +- +-When you click a link to download a file, the MIME type determines what action Firefox will take. You may already have a plugin installed that will automatically handle the download, such as Windows Media Player or QuickTime. Other times, you may see a dialog asking whether you want to save the file or open it with a specific application. 
When you tell Firefox to open or save the file and also check the option to "Do this automatically for files like this from now on", an entry appears for that type of file in the Firefox Applications panel, shown below. +-</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>DCMC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Remove any unauthorized extensions from the autodownload list. Use Method 1 or 2 to check if the following extensions are listed in the browser configuration: HTA, JSE, JS, MOCHA, SHS, VBE, VBS, SCT, WSC. By default, most of these extensions will not show up on the Firefox listing. +- +-Criteria: +- +-Method 1: In about:plugins, Installed plug-in, inspect the entries in the Suffixes column. +- +-If any of the prohibited extensions are found, then for each of them, verify that it is not associated with an application that executes code. However, applications such as Notepad.exe that do not execute code may be associated with the extension. If the extension is associated with an unauthorized application, then this is a finding. +- +-If the extension exists but is not associated with an application, then this is a finding. +- +-Method 2: +-Use the Options User Interface Applications menu to search for the prohibited extensions in the Content column of the table. +- +-If an extension that is not approved for automatic execution exists and the entry in the Action column is associated with an application that does not execute the code (e.g., Notepad), then do not mark this as a finding. +- +-If the entry exists and the "Action" is 'Save File' or 'Always Ask', then this is not a finding. 
+- +-If an extension exists and the entry in the Action column is associated with an application that does/can execute the code, then this is a finding. +-DTBF105 - FireFox Preferences – Shell Protocol<GroupDescription></GroupDescription>DTBF105Network shell protocol is enabled in FireFox.<VulnDiscussion>Although current versions of Firefox have this set to disabled by default, use of this option can be harmful. This would allow the browser to access the Windows shell. This could allow access to the +-underlying system. This check verifies that the default setting has not been changed. +-</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Procedure: Set the value of "network.protocol-handler.external.shell" to "false" and lock using the Mozilla.cfg file.Procedure: Open a browser window, type "about:config" in the address bar. +- +-Criteria: If the value of "network.protocol-handler.external.shell" is not "false" or is not locked, then this is a finding. DTBF110 - FireFox Preferences – Open Confirmation<GroupDescription></GroupDescription>DTBF110Firefox not configured to prompt user before download and opening for required file types.<VulnDiscussion>New file types cannot be added directly to the helper applications or plugins listing. Files with these extensions will not be allowed to use Firefox publicly available plugins and extensions to open. The application will be configured to open these files using external applications only. After a helper application or save to disk download action has been set, that action will be taken automatically for those types of files. 
When the user receives a dialog box asking if you want to save the file or open it with a specified application, this indicates that a plugin does not exist. The user has not previously selected a download action or helper application to automatically use for that type of file. When prompted, if the user checks the option to Do this automatically for files like this from now on, then an entry will appear for that type of file in the plugins listing and this file type is automatically opened in the future. This can be a security issue. New file types cannot be added directly to the Application plugin listing. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Ensure the following extensions are not automatically opened by Firefox without user confirmation. Do not use plugins and add-ons to open these files. Use the "plugin.disable_full_page_plugin_for_types" preference to set and lock the following extensions so that an external application rather than an add-on or plugin will not be used. (PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP)Open a browser window, type "about:config" in the address bar. 
+- +-Criteria: If the “plugin.disable_full_page_plugin_for_types” value is not set to include the following external extensions and not locked, then this is a finding: +- +-PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP.DTBF120 - FireFox Preferences – ActiveX controls<GroupDescription></GroupDescription>DTBF120FireFox plug-in for ActiveX controls is installed.<VulnDiscussion>When an ActiveX control is referenced in an HTML document, MS Windows checks to see if +-the control already resides on the client machine. If not, the control can be downloaded from a +-remote web site. This provides an automated delivery method for mobile code.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Remove/uninstall the Mozilla ActiveX plugin Open a browser window, type "about:plugins" in the address bar. +- +-Criteria: If the Mozilla ActiveX control and plugin support is present and enabled, then this is a finding. +-DTBF140 - FireFox Preferences – Autofill forms<GroupDescription></GroupDescription>DTBF140Firefox formfill assistance option is disabled.<VulnDiscussion>In order to protect privacy and sensitive data, Firefox provides the ability to configure Firefox such that data entered into forms is not saved. 
This mitigates the risk of a website gleaning private information from prefilled information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Ensure the preference “browser.formfill.enable" is set and locked to the value of “False”.Type "about:config" in the address bar, verify that the preference name “browser.formfill.enable" is set to “false” and locked. +- +-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding. +-DTBF150 - FireFox Preferences – Autofill passwords<GroupDescription></GroupDescription>DTBF150Firefox is configured to autofill passwords.<VulnDiscussion>While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Ensure the preference " signon.prefillForms " is set and locked to the value of “False”.In About:Config, verify that the preference name “signon.prefillForms“ is set to “false” and locked. +- +-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding. 
+-DTBF160 - FireFox Preferences – Password store<GroupDescription></GroupDescription>DTBF160FireFox is configured to use a password store with or without a master password.<VulnDiscussion>Firefox can be set to store passwords for sites visited by the user. These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then be enabled when the site is visited. This feature could also be used to autofill the certificate pin which could lead to compromise of DoD information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205 Ensure the preference "“signon.rememberSignons“ is set and locked to the value of “false”.Type "About:Config" in the browser window. Verify that the preference name “signon.rememberSignons" is set and locked to “false”. +- +-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding. +-DTBF170 - FireFox Preferences – Cookies<GroupDescription></GroupDescription>DTBF170Firefox does not clear cookies upon closing.<VulnDiscussion>Cookies can help websites perform better but can also be part of spyware. 
To mitigate this risk, set browser preferences to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Ensure the preference "privacy.sanitize.sanitizeOnShutdown" is set and locked to the value of “true”. Also ensure the preference “privacy.sanitize.promptOnSanitize” is set and locked to “false” Type "about:config" in the address bar of the browser. Verify that the preference “privacy.sanitize.sanitizeOnShutdown" is set to “true”. Also “privacy.sanitize.promptOnSanitize” must be set to “false” to prevent users from circumventing the deleting of cookies. Both settings must also be locked to prevent user changes. +- +-Criteria: If the parameter for either of the two sanitize preferences is set incorrectly, then this is a finding. If the settings are not locked, then this is a finding.DTBF180 - Pop-up windows<GroupDescription></GroupDescription>DTBF180FireFox is not configured to block pop-up windows.<VulnDiscussion>Popup windows may be used to launch an attack within a new browser window with altered settings. 
This setting blocks popup windows created while the page is loading.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Ensure the preference "dom.disable_window_open_feature.status " is set and locked to the value of “true”.In About:Config, verify that the preference name “dom.disable_window_open_feature.status " is set to “true” and locked. +- +-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding. +-DTBF181 - JavaScript move or resize windows<GroupDescription></GroupDescription>DTBF181FireFox is configured to allow JavaScript to move or resize windows. +-<VulnDiscussion>JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window. Set browser setting to prevent scripts on visited websites from moving and resizing browser windows. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Ensure the preference "dom.disable_window_move_resize" is set and locked to the value of “true”.In About:Config, verify that the preference name “dom.disable_window_move_resize" is set and locked to “true”. 
+- +-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding. +-DTBF010 - Firefox Preferences - SSL 2.0 Protocol<GroupDescription></GroupDescription>DTBF010The Firefox SSLV2 parameter is configured to allow use of SSL 2.0.<VulnDiscussion>Use of versions prior to TLS 1.0 are not permitted because these versions are non-standard. SSL 2.0 and SSL 3.0 contain a number of security flaws. These versions must be disabled in compliance with the Network Infrastructure and Secure Remote Computing STIGs. SSL 2.0 setting does not appear in the Options dialog and must be disabled using About:Config.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Set the preference "security.enable_ssl2" is set to "false" and lock using the Mozilla.cfg file. +- +-Open a browser window, type "about:config" in the address bar, then navigate to the setting for Preference Name "security.enable_ssl2" and verify the value is set to "false". +- +-Criteria: If the parameter is set incorrectly, then this is a finding. If the value is not locked this is a finding. +-DTBF030 - Firefox Preferences – SSL Protocols TLS<GroupDescription></GroupDescription>DTBF030Firefox is not configured to allow use of TLS 1.0.<VulnDiscussion>DoD implementations of SSL must use TLS 1.0 in accordance with the Network Infrastructure STIG. 
Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Ensure the preference value of "security.enable_tls" is set to "true" and locked. +-Open a browser window, type "about:config" in the address bar. Verify Preference Name "security.enable_tls" is set to the value "true" and locked. +- +-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding. +-DTBF182 - JavaScript raise or lower windows<GroupDescription></GroupDescription>DTBF182Firefox is configured to allow JavaScript to raise or lower windows.<VulnDiscussion>JavaScript can make changes to the browser’s appearance. Allowing a website to use JavaScript to raise and lower browser windows may disguise an attack. Browser windows may not be set as active via JavaScript. +-</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Ensure the preference "dom.disable_window_flip" is set and locked to the value of “true”.In About:Config, verify that the preference name “dom.disable_window_flip" is set and locked to “true”. +- +-Criteria: If the parameter is set incorrectly, then this is a finding. 
If the setting is not locked, then this is a finding.DTBF183 - JavaScript Context Menus<GroupDescription></GroupDescription>DTBF183Firefox is configured to allow JavaScript to disable or replace context menus.<VulnDiscussion>A context menu (also known as a pop-up menu) is often used in a graphical user interface (GUI) and appears upon user interaction (e.g., a right mouse click). A context menu offers a limited set of choices that are available in the current state, or context, of the operating system or application. A website may execute JavaScript that can make changes to these context menus. This can help disguise an attack. Set this preference to "false" so that webpages will not be able to affect the context menu event.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Ensure the preferences “dom.event.contextmenu.enabled" is set and locked to “false”, "dom.disable_window_move_resize" is set and locked to "true", and "dom.disable_window_flip" is set and locked to "true".Type "about:config" in the address bar of the browser. Verify that the preferences “dom.event.contextmenu.enabled" is set and locked to “false”, "dom.disable_window_move_resize" is set and locked to "true", and "dom.disable_window_flip" is set and locked to "true". +- +-Criteria: If the parameter is set incorrectly, then this is a finding. 
If the setting is not locked, then this is a finding.DTBF183Firefox is must be configured to prevent JavaScript from disable or replace context menus.<VulnDiscussion>A context menu (also known as a pop-up menu) is often used in a graphical user interface (GUI) and appears upon user interaction (e.g., a right mouse click). A context menu offers a limited set of choices that are available in the current state, or context, of the operating system or application. A website may execute JavaScript that can make changes to these context menus. This can help disguise an attack. Set this preference to "false" so that webpages will not be able to affect the context menu event.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Ensure the preferences “dom.event.contextmenu.enabled" is set and locked to “false”, "dom.disable_window_move_resize" is set and locked to "true", and "dom.disable_window_flip" is set and locked to "true".Type "about:config" in the address bar of the browser. Verify that the preferences “dom.event.contextmenu.enabled" is set and locked to “false”, "dom.disable_window_move_resize" is set and locked to "true", and "dom.disable_window_flip" is set and locked to "true". +- +-Criteria: If the parameter is set incorrectly, then this is a finding. 
If the setting is not locked, then this is a finding.DTBF184 - JavaScript hiding or changing status bar<GroupDescription></GroupDescription>DTBF184Firefox is configured to allow JavaScript to hide or change the status bar.<VulnDiscussion>When a user visits some webpages, JavaScript can hide or make changes to the browser’s appearance to hide unauthorized activity. This activity can help disguise an attack taking place in a minimized background window. Determines whether the text in the browser status bar may be set by JavaScript. Set and lock to True (default in Firefox) so that JavaScript access to preference settings for is disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Ensure the preference "dom.disable_window_status_change" is set and locked to the value of “true”.Type "about:config" in the address bar of the browser. Verify that the preference “dom.disable_window_status_change" is set and locked to “true”. +- +-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.DTBF185 -JavaScript can change the status bar text<GroupDescription></GroupDescription>DTBF185Firefox is configured to allow JavaScript to change the status bar text.<VulnDiscussion>JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window. Webpage authors can disable many features of a popup window that they open. 
Setting these preferences to true will override the author's settings and ensure that the feature is enabled and present in any popup window. This setting prevents the status bar from being hidden.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Ensure the preference "dom.disable_window_open_feature.status" is set and locked to the value of “true”.In About:Config, verify that the preference “dom.disable_window_open_feature.status" is set and locked to “true”. +- +-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding. +-DTBF130 - Non-secure Page Warning<GroupDescription></GroupDescription>DTBF130Firefox is not configured to provide warnings when a user switches from a secure (SSL-enabled) to a non-secure page.<VulnDiscussion>Users may not be aware that the information being viewed under secure conditions in a previous page are not currently being viewed under the same security settings. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Ensure the preference “security.warn_leaving_secure" is set to “true” and locked on this setting.Type "about:config" in the browser window. 
Verify that the preference name “security.warn_leaving_secure" is set to “true” and locked. +- +-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding. +-DTBF017 - Home Page<GroupDescription></GroupDescription>DTBF017The Firefox browser home page is not set to blank or a trusted site.<VulnDiscussion>The browser home page parameter specifies the web page that is to be displayed when the browser is started explicitly and when product-specific buttons or key sequences for the home page are accessed. This helps to mitigate the possibility of automatic inadvertent execution of script added to a previously safe site.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Ensure the preference "browser.startup.homepage" is set and locked to blank or the URL for a .mil or other trusted website.Type "about:config" in the address bar of the browser. Verify that the preference "browser.startup.homepage" is set and locked to blank or an authorized and trusted website such as "https://www.us.army.mil/suite/page/429668" +- +-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding. +-DTBF003 - Installed version of FireFox not supported<GroupDescription></GroupDescription>DTBF003Installed version of Firefox unsupported.<VulnDiscussion>Use of versions of an application which are not supported by the vendor are not permitted. Vendors respond to security flaws with updates and patches. 
These updates are not available for unsupported version which can leave the application vulnerable to attack. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>DCMC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Upgrade the version of the browser to an approved version by obtaining software from the vendor or other trusted source. Method 1: View the following registry key: +-HKLM\Software\Mozilla\Mozilla Firefox\CurrentVersion +- +-Method 2: Search for the firefox.exe file using the search feature of the operating system. Examine the files properties for the product version (not the file version. For Windows OS, determine the version of the file by examining navigating to Properties/Version/Product Version. Examine for all instances of firefox.exe that are present on the endpoint. +- +-Criteria: If the version number of the firefox.exe file is less than 3.x.x, then this is a Finding. +- +-DTBF080-Firefox Preferences–Auto-update of Firefox<GroupDescription></GroupDescription>DTBF080Firefox application is set to auto-update.<VulnDiscussion>Allowing software updates from non-trusted sites can introduce settings that will override a secured installation of the application. This can place DoD information at risk. If this setting is enabled, then there are many other default settings which point to untrusted sites which must be changed to point to an authorized update site that is not publicly accessible. 
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Ensure the preference "app.update.enable" is set and locked to the value of “False” or that a trusted server is used. Type "about:config" in the browser window. Verify that +- +-1. The preference name "app.update.enabled" is set to 'false' and locked or +- +-2. If set to "true" then verify that "app.update.url", "app.update.url.details" and "app.update.url.manual" contain url information that point to a trusted server and is not the default setting. (Default would contain mozilla.com or Mozilla.org). +- +- +-Criteria: If the parameter is set incorrectly, then this is a finding. If this setting is not locked, then this is a finding. +-DTBF090-Firefox Preferences-Addons\ plugin updates<GroupDescription></GroupDescription>DTBF090Firefox automatically updates installed add-ons and plugins.<VulnDiscussion>Set this to false to disable checking for updated versions of the Extensions/Themes. Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Set the preference “extensions.update.enabled” value to "false" and lock using the Mozilla.cfg file. 
+-Type "about:config" in the browser window. Verify the preference “extensions.update.enabled” is set to "false" and locked. +- +-Criteria: If the parameter is set incorrectly, then this is a finding. If this setting is not locked, then this is a finding. +-DTBF090Firefox automatically updates installed add-ons and plugins.<VulnDiscussion>Set this to false to disable checking for updated versions of the Extensions/Themes. Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Set the preference “extensions.update.enabled” value to "false" and lock using the Mozilla.cfg file. +-Type "about:config" in the browser window. Verify the preference “extensions.update.enabled” is set to "false" and locked. +- +-Criteria: If the parameter is set incorrectly, then this is a finding. If this setting is not locked, then this is a finding. +-DTBF070 - Firefox Preferences - Lock settings<GroupDescription></GroupDescription>DTBF070Firefox required security preferences cannot be changed by user.<VulnDiscussion>Locked settings prevent users from accessing about:config and changing the security settings set by the system administrator. Locked settings should be placed in the mozilla.cfg file. The mozilla.cfg file is an encoded file of JavaScript commands. The encoding is a simple "byte-shifting" with an offset of 13 (Netscape 4 used a similar encoding, but with a 7 instead). 
This file also needs to be "called" from the configuration file local-settings.js</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Ensure the required settings In "About:config" are locked using the Mozilla.cfg file. Verify that required settings are marked as locked in about:config. Verify that mozilla.cfg file is used to lock required security settings. +- +-For instructions and a tool for reading the bitshifted file go to http://www.alain.knaff.lu/howto/MozillaCustomization/cgi/byteshf.cgi +- +-Sample file: +-// +-lockPref("browser.startup.homepage", "https://www.us.army.mil/suite/page/429668"); +-lockPref("browser.download.dir", "N:"); +-lockPref("browser.download.downloadDir", "N:"); +-lockPref("app.update.enabled", false); +-lockPref("extensions.update.enabled", false); +-lockPref("browser.shell.checkDefaultBrowser", false); +-lockPref("browser.search.update", false); +-lockPref("browser.formfill.enable", false); +-lockPref("signon.prefillForms", false); +-lockPref("dom.disable_open_during_load", true); +-lockPref("dom.disable_window_move_resize", true); +-lockPref("dom.event.contextmenu.enabled", false); +-lockPref("dom.disable_window_status_change", true); +-lockPref("dom.disable_window_flip", true); +-lockPref("dom.disable_window_open_feature.status", true); +-lockPref("security.warn_leaving_secure", true); +-lockPref("privacy.sanitize.promptOnSanitize", false); +-lockPref("privacy.sanitize.sanitizeOnShutdown", true); +-lockPref("security.default_personal_cert", "Ask Every Time"); +-lockPref("signon.rememberSignons", false); +-lockPref("xpinstall.whitelist.required", true); 
+-lockPref(“network.protocol-handler.external.shell”,false); +-lockPref(“security.enable_ssl3”,true); +-lockPref(“security.enable_ssl2”,false); +-lockPref(“security.enable_tls”,true); +-lockPref("plugin.disable_full_page_plugin_for_types", "application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,appliation/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt, application/dos, application/wks"); +-lockPref("privacy.item.history", false) +- +-Note: Append line into local-settings.js file to include in the Mozilla config file +-DTBF085 - Firefox Preferences –Search update <GroupDescription></GroupDescription>DTBF085Firefox automatically checks for updated version of installed Search plugins.<VulnDiscussion>Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target FirefoxDISA FSODPMS TargetFirefox205Ensure the preference "browser.search.update" is set and locked to the value of “False”.Type "about:config" in the browser window. Verify the preference "browser.search.update” is set to "false" and locked. 
+- +-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding. +- +\ No newline at end of file +diff --git a/shared/references/disa-stig-firefox-v5r1-xccdf-manual.xml b/shared/references/disa-stig-firefox-v5r1-xccdf-manual.xml +new file mode 100644 +index 00000000000..f0a8e661782 +--- /dev/null ++++ b/shared/references/disa-stig-firefox-v5r1-xccdf-manual.xml +@@ -0,0 +1,120 @@ ++acceptedMozilla Firefox Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 22 Jan 20213.2.1.416661.10.05I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription> +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- I - Mission Critial Public +- <ProfileDescription></ProfileDescription> +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- II - Mission Support Classified +- <ProfileDescription></ProfileDescription> +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- II - Mission Support Sensitive +- <ProfileDescription></ProfileDescription> +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- III - Administrative 
Public +- <ProfileDescription></ProfileDescription> +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- DTBC0001 - Disable firewall traversal +- <GroupDescription></GroupDescription> +- +- DTBC-0001 +- Firewall traversal from remote host must be disabled. +- <VulnDiscussion>Remote connections should never be allowed that bypass the firewall, as there is no way to verify if they can be trusted. Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine. If this setting is enabled, then remote clients can discover and connect to this machine even if they are separated by a firewall. If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network. If this policy is left not set the setting will be enabled. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative\Templates\Google\Google Chrome\Configure remote access options +- Policy Name: Enable firewall traversal from remote access host +- Policy State: Disabled +- Policy Value: false +- +- +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. 
If RemoteAccessHostFirewallTraversal is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. +- +-Windows registry: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the RemoteAccessHostFirewallTraversal value name does not exist or its value data is not set to 0, then this is a finding. +- +- +- +- +- +- DTBC0003 - Block desktop notifications +- <GroupDescription></GroupDescription> +- +- DTBC-0003 +- Sites ability for showing desktop notifications must be disabled. +- <VulnDiscussion>Chrome by default allows websites to display notifications on the desktop. This check allows you to set whether or not this is permitted. Displaying desktop notifications can be allowed by default, denied by default or the user can be asked every time a website wants to show desktop notifications. If this policy is left not set, 'AskNotifications' will be used and the user will be able to change it. +- 1 = Allow sites to show desktop notifications +- 2 = Do not allow any site to show desktop notifications +- 3 = Ask every time a site wants to show desktop notifications +-</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. 
Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\ +- Policy Name: Default notification setting +- Policy State: Enabled +- Policy Value: Do not allow any site to show desktop notifications +- +- +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If DefaultNotificationsSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the DefaultNotificationsSetting value name does not exist or its value data is not set to 2, then this is a finding. +- +- +- +- +- +- DTBC0004 - Disable pop-ups +- <GroupDescription></GroupDescription> +- +- DTBC-0004 +- Sites ability to show pop-ups must be disabled. +- <VulnDiscussion>Chrome allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appearing. If you disable this policy setting, scripts can continue to create pop-up windows, and pop-ups that hide other windows. Recommend configuring this setting to ‘2’ to help prevent malicious websites from controlling the pop-up windows or fooling users into clicking on the wrong window. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. If this policy is left not set, 'BlockPopups' will be used and the user will be able to change it. 
+- 1 = Allow all sites to show pop-ups +- 2 = Do not allow any site to show pop-ups +-</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\ +- Policy Name: Default popups setting +- Policy State: Enabled +- Policy Value: Do not allow any site to show popups +- +- +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If DefaultPopupsSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the value name DefaultPopupsSetting does not exist or its value data is not set to 2, then this is a finding. +- +- +- +- +- +- DTBC0002 - Disallow Location Tracking +- <GroupDescription></GroupDescription> +- +- DTBC-0002 +- Site tracking users location must be disabled. +- <VulnDiscussion>Website tracking is the practice of gathering information as to which websites were accesses by a browser. The common method of doing this is to have a website create a tracking cookie on the browser. If the information of what sites are being accessed is made available to unauthorized persons, this violates confidentiality requirements, and over time poses a significant OPSEC issue. This policy setting allows you to set whether websites are allowed to track the user’s physical location. 
Tracking the user’s physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location. +- 1 = Allow sites to track the user’s physical location +- 2 = Do not allow any site to track the user’s physical location +- 3 = Ask whenever a site wants to track the user’s physical location +-</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\ +- Policy Name: Default geolocation setting +- Policy State: Enabled +- Policy Value: Do not allow any site to track the users' physical location +- +- +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If DefaultGeolocationSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the DefaultGeolocationSetting value name does not exist or its value data is not set to 2, then this is a finding. +- +- +- +- +- +- DTBC0005 - Blacklist extension installation +- <GroupDescription></GroupDescription> +- +- DTBC-0005 +- Extensions installation must be blacklisted by default. +- <VulnDiscussion>Extensions are developed by third party sources and are designed to extend Google Chrome's functionality. 
An extension can be made by anyone, to do and access almost anything on a system; this means they pose a high risk to any system that would allow all extensions to be installed by default. Allows you to specify which extensions the users can NOT install. Extensions already installed will be removed if blacklisted. A blacklist value of '*' means all extensions are blacklisted unless they are explicitly listed in the whitelist. If this policy is left not set the user can install any extension in Google Chrome.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\ +- Policy Name: Configure extension installation blacklist +- Policy State: Enabled +- Policy Value: * +- +- +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If ExtensionInstallBlacklist is not displayed under the Policy Name column or it is not set to * under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlacklist +- 3. If the a registry value name of 1 does not exist under that key or its value is not set to *, then this is a finding. +- +- +- +- +- +- DTBC0006 - Extension whitelist +- <GroupDescription></GroupDescription> +- +- DTBC-0006 +- Extensions that are approved for use must be whitelisted. 
+- +- <VulnDiscussion>The whitelist should only contain organizationally approved extensions. This is to prevent a user from accidently whitelisitng a malicious extension. This policy allows you to specify which extensions are not subject to the blacklist. A blacklist value of ‘*’ means all extensions are blacklisted and users can only install extensions listed in the whitelist. By default, no extensions are whitelisted. If all extensions have been blacklisted by policy, then the whitelist policy can be used to allow specific extensions to be installed. Administrators should determine which extensions should be allowed to be installed by their users. If no extensions are whitelisted, then no extensions can be installed when combined with blacklisting all extensions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\ +- Policy Name: Configure extension installation whitelist +- Policy State: Enabled +- Policy Value: oiigbmnaadbkfbmpbfijlflahbdbdgdf +- +-Note: oiigbmnaadbkfbmpbfijlflahbdbdgdf is the extension ID for scriptno(a commonly used Chrome extension) +- +- +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If ExtensionInstallWhitelist is not displayed under the Policy Name column or it is not set to oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator approved extension IDs, then this is a finding. 
+- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ExtensionInstallWhitelist +- 3. If the ExtensionInstallWhitelist key does not exist or is not set to oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator approved extension IDs, then this is a finding. +- +- +- +- +- +- DTBC0007 - Default search provider name +- <GroupDescription></GroupDescription> +- +- DTBC-0007 +- The default search providers name must be set. +- <VulnDiscussion>Specifies the name of the default search provider that is to be used, if left empty or not set, the host name specified by the search URL will be used. This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled. When doing internet searches it is important to use an encrypted connection via https.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\ +- Policy Name: Default search provider name +- Policy State: Enabled +- Policy Value: set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted) +- +- +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. 
If DefaultSearchProviderName is displayed under the Policy Name column or it is not set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted) under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the DefaultSearchProviderName value name does not exist or it is not set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted), then this is a finding. +- +- +- +- +- +- DTBC0008 - Encrypted searching +- <GroupDescription></GroupDescription> +- +- DTBC-0008 +- The default search provider URL must be set to perform encrypted searches. +- +- <VulnDiscussion>Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for. This option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be respected if this is the case. When doing internet searches it is important to use an encrypted connection via https.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. 
Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\ +- Policy Name: Default search provider search URL +- Policy State: Enabled +- Policy Value: must be set to an organization approved encrypted search string +- (ex. https://www.google.com/#q={searchTerms} or https://www.bing.com/search?q={searchTerms} ) +- +- +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If DefaultSearchProviderSearchURL is not displayed under the Policy Name column or it is not set to an organization approved encrypted search string (ex. https://www.google.com/#q={searchTerms} or https://www.bing.com/search?q={searchTerms} ) under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the DefaultSearchProviderSearchURL value name does not exist or its value data is not set to an organization approved encrypted search string (ex. https://www.google.com/#q={searchTerms} or https://www.bing.com/search?q={searchTerms} ) then this is a finding. +- +- +- +- +- +- DTBC0009 - Default search provider +- <GroupDescription></GroupDescription> +- +- DTBC-0009 +- Default search provider must be enabled. +- <VulnDiscussion>Policy enables the use of a default search provider. If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL. You can specify the default search provider to be used by setting the rest of the default search policies. If these are left empty, the user can choose the default provider. If you disable this setting, no search is performed when the user enters non-URL text in the omnibox. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. 
If this policy is left not set, the default search provider is enabled, and the user will be able to set the search provider list.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\ +- Policy Name: Enable the default search provider +- Policy State: Enabled +- Policy Value: N/A +- +- +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If DefaultSearchProviderEnabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the DefaultSearchProviderEnabled value name does not exist or its value data is not set to 1, then this is a finding. +- +- +- +- +- +- DTBC0010 - Disable cleartext passwords +- <GroupDescription></GroupDescription> +- +- DTBC-0010 +- Use of cleartext passwords in the Password Manager must be disabled. +- <VulnDiscussion>Cleartext passwords would allow another individual to see password via shoulder surfing. This policy controls whether the user may show passwords in clear text in the password manager. If you disable this setting, the password manager does not allow showing stored passwords in clear text in the password manager window. 
By not configuring this policy, users can view their stored passwords in clear text in the password manager.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Password manager\ +- Policy Name: Allow users to show passwords in Password Manager +- Policy State: Disabled +- Policy Value: N/A +- +- +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If PasswordManagerAllowShowPasswords is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the PasswordManagerAllowShowPasswords value name does not exist or its value data is not set to 0, then this is a finding. +- +- +- +- +- +- DTBC0011 - Password Manager +- <GroupDescription></GroupDescription> +- +- DTBC-0011 +- The Password Manager must be disabled. +- <VulnDiscussion>Enables saving passwords and using saved passwords in Google Chrome. Malicious sites may take advantage of this feature by using hidden fields gain access to the stored information. If you enable this setting, users can have Google Chrome memorize passwords and provide them automatically the next time they log in to a site. If you disable this setting, users are not able to save passwords or use already saved passwords. 
If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. ListPassword manager should not be used as it stores passwords locally.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Password Manager\ +- Policy Name: Enable the password manager +- Policy State: Disabled +- Policy Value: N/A +- +- +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If PasswordManagerEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the PasswordManagerEnabled value name does not exist or its value data is not set to 0, then this is a finding. +- +- +- +- +- +- DTBC0012 - HTTP Authentication +- <GroupDescription></GroupDescription> +- +- DTBC-0012 +- The HTTP Authentication must be set to negotiate. +- <VulnDiscussion>Specifies which HTTP Authentication schemes are supported by Google Chrome. Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas. 
If this policy is left not set, all four schemes will be used.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Policies for HTTP Authentication\ +- Policy Name: Supported authentication schemes +- Policy State: Enabled +- Policy Value: negotiate +- +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If AuthSchemes is not displayed under the Policy Name column or it is not set to negotiate under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome +- 3. If the AuthSchemes value name does not exist or its value data is not set to negotiate, then this is a finding. +- +- +- +- +- +- DTBC0013 - Outdated plugins +- <GroupDescription></GroupDescription> +- +- DTBC-0013 +- The running of outdated plugins must be disabled. +- <VulnDiscussion>Running outdated plugins could lead to system compromise through the use of known exploits. Having plugins that updated to the most current version ensures the smallest attack surfuce possible. If you enable this setting, outdated plugins are used as normal plugins. If you disable this setting, outdated plugins will not be used and users will not be asked for permission to run them. 
If this setting is not set, users will be asked for permission to run outdated plugins.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Allow running plugins that are outdated +- Policy State: Disabled +- Policy Value: N/A +- +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If AllowOutdatedPlugins is not displayed under the Policy Name column or it is not set to false under the Policy Name column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome +- 3. If the AllowOutdatedPlugins value name does not exist or its value data is not set to 0, then this is a finding. +- +- +- +- +- +- DTBC0014 - Plugins requiring authorization +- <GroupDescription></GroupDescription> +- +- DTBC-0014 +- Plugins requiring authorization must ask for user permission. +- <VulnDiscussion>Policy allows Google Chrome to run plugins that require authorization. If you enable this setting, plugins that are not outdated will always run. If this setting is disabled or not set, users will be not be asked for permission to run plugins that require authorization. 
These are plugins that can compromise security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Always runs plugins that require authorization +- Policy State: Disabled +- Policy Value: N/A +- +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If AlwaysAuthorizePlugins is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the AlwaysAuthorizePlugins value name does not exist or its value data is not set to 0, then this is a finding. +- +- +- +- +- +- DTBC0015 - Third party cookies +- <GroupDescription></GroupDescription> +- +- DTBC-0015 +- Third party cookies must be blocked. +- <VulnDiscussion>Third party cookies are cookies which can be set by web page elements that are not from the domain that is in the browser's address bar. Enabling this setting prevents cookies from being set by web page elements that are not from the domain that is in the browser's address bar. Disabling this setting allows cookies to be set by web page elements that are not from the domain that is in the browser's address bar and prevents users from changing this setting. 
If this policy is left not set, third party cookies will be enabled but the user will be able to change that.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Block third party cookies +- Policy State: Enabled +- Policy Value: N/A +- +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If BlockThirdPartyCookies is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the BlockThirdPartyCookies value name does not exist or its value data is not set to 1, then this is a finding. +- +- +- +- +- +- DTBC0017 - Disable background processing +- <GroupDescription></GroupDescription> +- +- DTBC-0017 +- Background processing must be disabled. +- <VulnDiscussion>Determines whether a Google Chrome process is started on OS login that keeps running when the last browser window is closed, allowing background apps to remain active. The background process displays an icon in the system tray and can always be closed from there. If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings. If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings. 
If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings.' - Google Chrome Administrators Policy ListThis setting, if enabled, allows Google Chrome to run at all times. There is two reasons that this is not wanted. First, it can tie up system resources that might otherwise be needed. Second, it does not make it obvious to the user that it is running and poorly written extensions could cause instability on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Continue running background apps when Google Chrome is closed +- Policy State: Disabled +- Policy Value: N/A +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If BackgroundModeEnabled is not displayed under the Policy Name column and it is not set to false under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the BackgroundModeEnabled value name does not exist or its value data is not set to 0, then this is a finding. +- +- +- +- +- +- DTBC0019 - 3D Graphics APIs +- <GroupDescription></GroupDescription> +- +- DTBC-0019 +- 3D Graphics APIs must be disabled. +- <VulnDiscussion>Disable support for 3D graphics APIs. 
Enabling this setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages cannot access the WebGL API and plugins cannot use the Pepper 3D API. Disabling this setting or leaving it not set potentially allows web pages to use the WebGL API and plugins to use the Pepper 3D API. The default settings of the browser may still require command line arguments to be passed in order to use these APIs. Chrome uses WebGL to render graphics using the GPU. There are few sites that currently take advantage of this feature. Since there is unlikely to be an operational impact, it is recommended that this feature is turned off in order to reduce the attack surface.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Disable support for 3D graphics APIs +- Policy State: Enabled +- Policy Value: N/A +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If Disable3DAPIs is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the Disable3DAPIs value name does not exist or its value data is not set to 1, then this is a finding. 
+- +- +- +- +- +- DTBC0020 - Google Data Synchronization +- <GroupDescription></GroupDescription> +- +- DTBC-0020 +- Google Data Synchronization must be disabled. +- <VulnDiscussion>Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the user will be able to enable Google Sync. Google Sync is used to sync information between different user devices, this data is then stored on Google owned servers. The synced data may consist of information such as email, calendars, viewing history, etc. This feature must be disabled because the organization does not have control over the servers the data is stored on.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Disable synchronization of data with Google +- Policy State: Enabled +- Policy Value: N/A +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If SyncDisabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. 
If the SyncDisabled value name does not exist or its value data is not set to 1, then this is a finding. +- +- +- +- +- +- DTBC0021 - URL protocol schemas +- <GroupDescription></GroupDescription> +- +- DTBC-0021 +- The URL protocol schema javascript must be disabled. +- <VulnDiscussion>Each access to a URL is handled by the browser according to the URL's "scheme". The "scheme" of a URL is the section before the ":". The term "protocol" is often mistakenly used for a "scheme". The difference is that the scheme is how the browser handles a URL and the protocol is how the browser communicates with a service. If a scheme or its associated protocol used by a browser is insecure or obsolete, vulnerabilities can be exploited resulting in exposed data or unrestricted access to the browser's system. The browser must be configured to disable the use of insecure and obsolete schemas (protocols). +-This policy disables the listed protocol schemes in Google Chrome, URLs using a scheme from this list will not load and cannot be navigated to. If this policy is left not set or the list is empty all schemes will be accessible in Google Chrome. +-</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Block access to a list of URLs +- Policy State: Enabled +- Policy Value 1: javascript://* +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. 
If URLBlacklist is not displayed under the Policy Name column or it is not set to javascript://* under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\URLBlacklist +- 3. If the URLBlacklist key does not exist, or the does not contain entries 1 set to javascript://*, then this is a finding. +- +- +- +- +- +- +- DTBC0022 - AutoComplete for forms +- <GroupDescription></GroupDescription> +- +- DTBC-0022 +- AutoFill must be disabled. +- <VulnDiscussion>This AutoComplete feature suggests possible matches when users are filling in forms. It is possible that this feature will cache sensitive data and store it in the user's profile, where it might not be protected as rigorously as required by organizational policy. If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Enable AutoFill +- Policy State: Disabled +- Policy Value: N/A +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If AutoFillEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. 
+- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the AutoFillEnabled value name does not exist or its value data is not set to 0, then this is a finding. +- +- +- +- +- +- DTBC0023 - Cloud print sharing +- <GroupDescription></GroupDescription> +- +- DTBC-0023 +- Cloud print sharing must be disabled. +- <VulnDiscussion>Policy enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine. If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account. If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share it’s printers with Google Cloud Print. If this policy is not set, this will be enabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Enable Google Cloud Print proxy +- Policy State: Disabled +- Policy Value: N/A +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If CloudPrintProxyEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. 
If the CloudPrintProxyEnabled value name does not exist or its value data is not set to 0, then this is a finding. +- +- +- +- +- +- DTBC0025 - Network prediction +- <GroupDescription></GroupDescription> +- +- DTBC-0025 +- Network prediction must be disabled. +- <VulnDiscussion>Enables network prediction in Google Chrome and prevents users from changing this setting. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Enable network prediction +- Policy State: Disabled +- Policy Value: N/A +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If DnsPrefetchingEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the DnsPrefetchingEnabled value name does not exist or its value data is not set to 0, then this is a finding. +- +- +- +- +- +- DTBC0026 - Metrics reporting +- <GroupDescription></GroupDescription> +- +- DTBC-0026 +- Metrics reporting to Google must be disabled. 
+- <VulnDiscussion>Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and crash-related data is sent to Google. A crash report could contain sensitive information from the computer's memory. If you disable this setting, anonymous reporting of usage and crash-related data is never sent to Google. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the setting will be what the user chose upon installation / first run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Enable reporting of usage and crash-related data +- Policy State: Disabled +- Policy Value: N/A +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If MetricsReportingEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the MetricsReportingEnabled value name does not exist or its value data is not set to 0, then this is a finding. 
+- +- +- +- +- +- DTBC0027 - Search suggestions +- <GroupDescription></GroupDescription> +- +- DTBC-0027 +- Search suggestions must be disabled. +- <VulnDiscussion>Search suggestion should be disabled as it could lead to searches being conducted that were never intended to be made. Enables search suggestions in Google Chrome's omnibox and prevents users from changing this setting. If you enable this setting, search suggestions are used. If you disable this setting, search suggestions are never used. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Enable search suggestions +- Policy State: Disabled +- Policy Value: N/A +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If SearchSuggestEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the SearchSuggestEnabled value name does not exist or its value data is not set to 0, then this is a finding. 
+- +- +- +- +- +- DTBC0029 - Import of saved passwords +- <GroupDescription></GroupDescription> +- +- DTBC-0029 +- Importing of saved passwords must be disabled. +- <VulnDiscussion>Importing of saved passwords should be disabled as it could lead to unencrypted account passwords stored on the system from another browser to be viewed. This policy forces the saved passwords to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. If disabled, the saved passwords are not imported. If it is not set, the user may be asked whether to import, or importing may happen automatically.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Import saved passwords from default browser on first run +- Policy State: Disabled +- Policy Value: False +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If ImportSavedPasswords is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the ImportSavedPasswords value name does not exist or its value data is not set to 0, then this is a finding. 
+- +- +- +- +- DTBC0030 - Incognito Mode +- <GroupDescription></GroupDescription> +- +- DTBC-0030 +- Incognito mode must be disabled. +- <VulnDiscussion>Incognito mode allows the user to browse the Internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser history is retained. The "IncognitoModeAvailability" setting controls whether the user may utilize Incognito mode in Google Chrome. If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode. If 'Disabled' is selected, pages may not be opened in Incognito mode. If 'Forced' is selected, pages may be opened ONLY in Incognito mode. +- 0 = Incognito mode available. +- 1 = Incognito mode disabled. +- 2 = Incognito mode forced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Incognito mode availability +- Policy State: Enabled +- Policy Value: Incognito mode disabled +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If IncognitoModeAvailability is not displayed under the Policy Name column or it is not set to 1 under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. 
If the IncognitoModeAvailability value name does not exist or its value data is not set to 1, then this is a finding. +- +- +- +- +- +- DTBC0034 - Plugin blacklist +- <GroupDescription></GroupDescription> +- +- DTBC-0034 +- Plugins must be disabled by default. +- <VulnDiscussion>Specifies a list of plugins that are disabled in Google Chrome and prevents users from changing this setting. The wildcard characters * and ? can be used to match sequences of arbitrary characters. * matches an arbitrary number of characters while ? specifies an optional single character, i.e. matches zero or one characters. The escape character is \, so to match actual *, ?, or \ characters, you can put a \ in front of them. If you enable this setting, the specified list of plugins is never used in Google Chrome. The plugins are marked as disabled in about:plugins and users cannot enable them. Note that this policy can be overridden by ‘EnabledPlugins’ and ‘DisabledPluginsExceptions’. If this policy is left not set the user can use any plugin installed on the system except for hard-coded incompatible, outdated or dangerous plugins.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Specify a list of disabled plugins +- Policy State: Enabled +- Policy Value: * +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. 
If DisabledPlugins is not displayed under the Policy Name column or it is not set to * under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\DisabledPlugins +- 3. If the DisabledPlugins key does not exist, or the 1 value name does not exist under that key and the value data is not set to * then this is a finding. +- +- +- +- +- +- DTBC0035 - Approved plugins +- <GroupDescription></GroupDescription> +- +- DTBC-0035 +- Plugins approved for use must be enabled. +- <VulnDiscussion>Policy specifies a list of plugins that are enabled in Google Chrome and prevents users from changing this setting. The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\', so to match actual '*', '?', or '\' characters, you can put a '\' in front of them. The specified list of plugins is always used in Google Chrome if they are installed. The plugins are marked as enabled in 'about:plugins' and users cannot disable them. Note that this policy overrides both ‘DisabledPlugins ‘and ‘DisabledPluginsExceptions’. If this policy is left not set the user can disable any plugin installed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. 
Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Specify a list of enabled plugins +- Policy State: Enabled +- Policy Value 1: Shockwave Flash +- Policy Value 2: Chrome PDF Viewer +- Policy Value 3: Silverlight +- Policy Value 4: Java* +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If EnabledPlugins is not displayed under the Policy Name column or does not contain a list of administrator approved Plugins under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\EnabledPlugins +- 3. If the EnabledPlugins key does not exist and does not contain a set of administrator approved Plugins then this is a finding. +- +- +-Suggested: the set or subset of Shockwave Flash, Chrome PDF Viewer, Silverlight, Java* +- +- +- +- +- +- +- DTBC0036 - Automatic plugin search and installation +- <GroupDescription></GroupDescription> +- +- DTBC-0036 +- Automated installation of missing plugins must be disabled. +- <VulnDiscussion>The automatic search and installation of missing or not installed plugins should be disabled as this can cause significant risk if a unapproved or vulnerable plugin were to be installed without proper permissions or authorization. If you set this setting to enabled the automatic search and installation of missing plugins will be disabled in Google Chrome.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. 
Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Specify whether the plugin finder should be disabled +- Policy State: Enabled +- Policy Value: N/A +- +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If DisablePluginFinder is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the DisablePluginFinder value name does not exist or its value data is not set to 1, then this is a finding. +- +- +- +- +- +- DTBC0037 - Online revocation checks +- <GroupDescription></GroupDescription> +- +- DTBC-0037 +- Online revocation checks must be done. +- <VulnDiscussion>By setting this policy to true, the previous behavior is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online revocation checks. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. 
Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Whether online OCSP/CRL checks are performed +- Policy State: Enabled +- Policy Value: N/A +- +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If EnableOnlineRevocationChecks is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the EnableOnlineRevocationChecks value name does not exist or its value data is not set to 1, then this is a finding. +- +- +- +- +- +- DTBC0038 - Safe browsing +- <GroupDescription></GroupDescription> +- +- DTBC-0038 +- Safe Browsing must be enabled, +- <VulnDiscussion>Enables Google Chrome's Safe Browsing feature and prevents users from changing this setting. If you enable this setting, Safe Browsing is always active. If you disable this setting, Safe Browsing is never active. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. Safe browsing uses a signature database to test sites when they are be loaded to ensure they don't contain any known malware.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. 
Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Enable Safe Browsing +- Policy State: Enabled +- Policy Value: N/A +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If SafeBrowsingEnabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the SafeBrowsingEnabled value name does not exist or its value data is not set to 1, then this is a finding. +- +- +- +- +- +- DTBC0039 - History +- <GroupDescription></GroupDescription> +- +- DTBC-0039 +- Browser history must be saved. +- <VulnDiscussion>This policy disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. If this setting is disabled or not set, browsing history is saved.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +- Policy Name: Disable saving browser history +- Policy State: Disabled +- Policy Value: N/A +- +- +- +- Universal method: +- 1. In the omnibox (address bar) type chrome://policy +- 2. If the policy 'SavingBrowserHistoryDisabled' is not shown or is not set to false, then this is a finding. +- +-Windows method: +- 1. 
Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ +- 3. If the SavingBrowserHistoryDisabled value name does not exist or its value data is not set to 0, then this is a finding. +- +- +- +- +- +- DTBC0040 - Plugin execution +- <GroupDescription></GroupDescription> +- +- DTBC-0040 +- Default behavior must block webpages from automatically running plugins. +- <VulnDiscussion>This policy allows you to set whether websites are allowed to automatically run plugins. Automatically running plugins can be either allowed for all websites or denied for all websites. If this policy is left not set, 'AllowPlugins' will be used and the user will be able to change it. +- 1 = Allow all sites to automatically run plugins +- 2 = Block all plugins +- 3 = Click to play. +-</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +- +- DPMS Target Google Chrome Current +- DISA FSO +- DPMS Target +- Google Chrome Current +- 2591 +- +- Windows group policy: +- 1. Open the group policy editor tool with gpedit.msc +- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\ +- Policy Name: Default plugins setting +- Policy State: Enabled +- Policy Value: Click to play +- +- +- +- Universal method: +- 1. In the omnibox(address bar) type chrome://policy +- 2. If the policy 'DefaultPluginsSetting' is not shown or is not set to 'Click to play', this is a finding. +- +-Windows method: +- 1. Start regedit +- 2. Navigate to HKLM\Software\Policies\Google\Chrome\DefaultPluginsSetting +- 3. If this key does not exist or is not set to 3 this is a finding. 
+-
+-
+-
+-
+-
+- DTBC0045 - Per session cookies
+- <GroupDescription></GroupDescription>
+-
+- DTBC-0045
+- Session only based cookies must be disabled.
+- <VulnDiscussion>Policy allows you to set a list of URL patterns that specify sites which are allowed to set session only cookies. If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise. If the 'RestoreOnStartup' policy is set to restore URLs from previous sessions this policy will not be respected and cookies will be stored permanently for those sites.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
+-
+- DPMS Target Google Chrome Current
+- DISA FSO
+- DPMS Target
+- Google Chrome Current
+- 2591
+-
+- Windows group policy:
+- 1. Open the group policy editor tool with gpedit.msc
+- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+- Policy Name: Allow session only cookies on these sites
+- Policy State: Disabled
+- Policy Value: N/A
+-
+-
+-
+- Universal method:
+- 1. In the omnibox(address bar) type chrome://policy
+- 2. If the policy 'CookiesSessionOnlyForUrls' does not show up or has any defined values, this is a finding.
+-
+-Windows method:
+- 1. Start regedit
+- 2. Navigate to HKLM\Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls
+- 3. If this key does not exist or has any defined values this is a finding
+-
+-
+-
+-
+-
+- DTBC0048 - Set home page URL
+- <GroupDescription></GroupDescription>
+-
+- DTBC-0048
+- The home page must be set to a trusted site.
+- <VulnDiscussion>When a browser is started the first web page displayed is the "home page". While the home page can be selected by the user, the default home page needs to be defined to display an approved page. If no home page is defined then there is a possibility that a URL to a malicious site may be used as a home page which could effectively cause a denial of service to the browser. The browser must have an organizationally approved default home page. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
+-
+- DPMS Target Google Chrome Current
+- DISA FSO
+- DPMS Target
+- Google Chrome Current
+- 2591
+-
+- Windows group policy:
+- 1. Open the group policy editor tool with gpedit.msc
+- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Home page
+- Policy Name: Configure the home page URL
+- Policy State: Enabled
+- Policy Value: An organizationally approved default home page.
+-
+-
+-
+- Universal method:
+- 1. In the omnibox (address bar) type chrome://policy
+- 2. If HomepageLocation is not displayed under the Policy Name column or it is not set to an organizationally approved default home page.
+-
+-Windows method:
+- 1. Start regedit
+- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+- 3. If the HomepageLocation value name does not exist or its value data is not set to an organizationally approved default home page.
+-
+-
+-
+- DTBC0050 - Auto updates
+- <GroupDescription></GroupDescription>
+-
+- DTBC-0050
+- Browser must support auto-updates.
+- <VulnDiscussion>One of the most effective defenses against exploitation of browser vulnerabilities is to ensure the version of the browser is current. Frequent updates provide corrections to discovered vulnerabilities and the timely update reduces the window for zero day attacks. Automatic installation of updates and patches is the most effective method for keeping the browser software current. The browser must have the capability to install software updates and patches automatically. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
+-
+- DPMS Target Google Chrome Current
+- DISA FSO
+- DPMS Target
+- Google Chrome Current
+- 2591
+-
+- Windows registry:
+- 1. Start regedit
+- 2. Navigate to Key Path: HKLM\Software\Policies\Google\Update
+- Value Name: AutoUpdateCheckPeroidMinutes
+- Value Type: Boolean (REG_DWORD)
+- Value Data: 43200 or less, but not 0.
+-
+-
+-
+- Windows method:
+- 1. Start regedit
+- 2. Navigate to HKLM\Software\Policies\Google\Update\
+- 3. If the AutoUpdateCheckPeriodMinutes value name does not exist or its value is set to 0 or greater than 43200, this is a finding.
+-
+-
+-
+-
+-
+- DTBC0051 - Plugins allowed for urls
+- <GroupDescription></GroupDescription>
+-
+- DTBC-0051
+- URLs must be whitelisted for plugin use
+- <VulnDiscussion></VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
+-
+- DPMS Target Google Chrome Current
+- DISA FSO
+- DPMS Target
+- Google Chrome Current
+- 2591
+-
+- Windows group policy:
+- 1. Open the group policy editor tool with gpedit.msc
+- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings
+- Policy Name: Allow plugins on these sites
+- Policy State: Enabled
+- Policy Value 1: *.mil
+- Policy Value 2: *.gov
+-
+-
+-
+-
+- Universal method:
+- 1. In the omnibox (address bar) type chrome://policy
+- 2. If PluginsAllowedForUrls is not displayed under the Policy Name column or it is not set to a list of administrator approved URLs under the Policy Value column, then this is a finding.
+-
+-Windows method:
+- 1. Start regedit
+- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+- 3. If the PluginsAllowedForUrls key does not exist and it does not contain a list of administrator approved URLs then this is a finding.
+-
+-Suggested: the set or subset of *.mil and *.gov
+-
+-
+-
+-
+-
+-
+diff --git a/shared/references/disa-google-chrome-browser-v2r3-stig.xml b/shared/references/disa-google-chrome-browser-v2r3-stig.xml
+new file mode 100644
+index 00000000000..02f852083b1
+--- /dev/null
++++ b/shared/references/disa-google-chrome-browser-v2r3-stig.xml
+@@ -0,0 +1,589 @@
++acceptedGoogle Chrome Current Windows Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 3 Benchmark Date: 23 Apr 20213.2.2.360791.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000039<GroupDescription></GroupDescription>DTBC-0001Firewall traversal from remote host must be disabled.<VulnDiscussion>Remote connections should never be allowed that bypass the firewall, as there is no way to verify if they can be trusted. Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine.
If this setting is enabled, then remote clients can discover and connect to this machine even if they are separated by a firewall. If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network. If this policy is left not set the setting will be enabled. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57545V-44711CCI-001414Windows group policy: ++ 1. Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative\Templates\Google\Google Chrome\Configure remote access options ++ Policy Name: Enable firewall traversal from remote access host ++ Policy State: Disabled ++ Policy Value: N/A ++ ++Universal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If RemoteAccessHostFirewallTraversal is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. ++ ++Windows registry: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the RemoteAccessHostFirewallTraversal value name does not exist or its value data is not set to 0, then this is a finding. ++SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0002Site tracking users location must be disabled.<VulnDiscussion>Website tracking is the practice of gathering information as to which websites were accesses by a browser. The common method of doing this is to have a website create a tracking cookie on the browser. 
If the information of what sites are being accessed is made available to unauthorized persons, this violates confidentiality requirements, and over time poses a significant OPSEC issue. This policy setting allows you to set whether websites are allowed to track the user’s physical location. Tracking the user’s physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location. ++ 1 = Allow sites to track the user’s physical location ++ 2 = Do not allow any site to track the user’s physical location ++ 3 = Ask whenever a site wants to track the user’s physical location</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57557V-44723CCI-001166Windows group policy: ++ 1. Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\ ++ Policy Name: Default geolocation setting ++ Policy State: Enabled ++ Policy Value: Do not allow any site to track the users' physical location ++ ++Universal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If DefaultGeolocationSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the DefaultGeolocationSetting value name does not exist or its value data is not set to 2, then this is a finding. 
++SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0004Sites ability to show pop-ups must be disabled.<VulnDiscussion>Chrome allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appearing. If you disable this policy setting, scripts can continue to create pop-up windows, and pop-ups that hide other windows. Recommend configuring this setting to ‘2’ to help prevent malicious websites from controlling the pop-up windows or fooling users into clicking on the wrong window. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. If this policy is left not set, 'BlockPopups' will be used and the user will be able to change it. ++ 1 = Allow all sites to show pop-ups ++ 2 = Do not allow any site to show pop-ups</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57553V-44719CCI-000381Windows group policy: ++ 1. Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\ ++ Policy Name: Default popups setting ++ Policy State: Enabled ++ Policy Value: Do not allow any site to show popups ++ ++Universal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. 
If DefaultPopupsSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the value name DefaultPopupsSetting does not exist or its value data is not set to 2, then this is a finding. ++ ++Note: If AO Approved exceptions to this rule have been enabled, this is not a finding.SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0005Extensions installation must be blocklisted by default.<VulnDiscussion>Extensions are developed by third party sources and are designed to extend Google Chrome's functionality. An extension can be made by anyone, to do and access almost anything on a system; this means they pose a high risk to any system that would allow all extensions to be installed by default. Allows you to specify which extensions the users can NOT install. Extensions already installed will be removed if blocklisted. A blocklist value of '*' means all extensions are blocklisted unless they are explicitly listed in the allowlist. If this policy is left not set the user can install any extension in Google Chrome.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57561V-44727CCI-000169Windows group policy: ++ 1. Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\ ++ Policy Name: Configure extension installation blocklist ++ Policy State: Enabled ++ Policy Value: *Universal method: ++ 1. 
In the omnibox (address bar) type chrome://policy ++ 2. If ExtensionInstallBlocklist is not displayed under the Policy Name column or it is not set to * under the Policy Value column, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlocklist ++ 3. If the a registry value name of 1 does not exist under that key or its value is not set to *, then this is a finding. SRG-APP-000210<GroupDescription></GroupDescription>DTBC-0006Extensions that are approved for use must be allowlisted.<VulnDiscussion>The allowlist should only contain organizationally approved extensions. This is to prevent a user from accidently allowlisitng a malicious extension. This policy allows you to specify which extensions are not subject to the blacklist. A blacklist value of ‘*’ means all extensions are blacklisted and users can only install extensions listed in the allowlist. By default, no extensions are allowlisted. If all extensions have been blacklisted by policy, then the allowlist policy can be used to allow specific extensions to be installed. Administrators should determine which extensions should be allowed to be installed by their users. If no extensions are allowlisted, then no extensions can be installed when combined with blacklisting all extensions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57563V-44729CCI-001170Windows group policy: ++1. Open the group policy editor tool with gpedit.msc ++2. 
Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\ ++Policy Name: Configure extension installation allowlist ++Policy State: Enabled ++Policy Value: oiigbmnaadbkfbmpbfijlflahbdbdgdf ++ ++Note: oiigbmnaadbkfbmpbfijlflahbdbdgdfis the extension ID for scriptno (a commonly used Chrome extension), other extension IDs may vary.Universal method: ++1. In the omnibox (address bar) type chrome://policy ++2. If ExtensionInstallAllowlist is not displayed under the Policy Name column or it is not set to oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator approved extension IDs, then this is a finding. ++ ++Windows method: ++1. Start regedit ++2. Navigate to the key HKLM\Software\Policies\Google\Chrome\ExtensionInstallAllowlist ++3. If the ExtensionInstallAllowlist key is not set to 1 and oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator-approved extension IDs, then this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0007The default search providers name must be set.<VulnDiscussion>Specifies the name of the default search provider that is to be used, if left empty or not set, the host name specified by the search URL will be used. This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled. When doing internet searches it is important to use an encrypted connection via https.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57567V-44733CCI-000381Windows group policy: ++ 1. Open the group policy editor tool with gpedit.msc ++ 2. 
Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\ ++ Policy Name: Default search provider name ++ Policy State: Enabled ++ Policy Value: set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted) ++ ++Universal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If DefaultSearchProviderName is displayed under the Policy Name column or it is not set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted) under the Policy Value column, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the DefaultSearchProviderName value name does not exist or it is not set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted), then this is a finding. ++SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0008The default search provider URL must be set to perform encrypted searches.<VulnDiscussion>Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for. This option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be respected if this is the case. 
When doing internet searches it is important to use an encrypted connection via https.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57569V-44735CCI-000381If the system is on the SIPRNet, this requirement is NA. ++ ++Windows group policy: ++ 1. Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\ ++ Policy Name: Default search provider search URL ++ Policy State: Enabled ++ Policy Value: Must be set to an organization-approved encrypted search string ++ (ex. https://www.google.com/search?q={searchTerms} or https://www.bing.com/search?q={searchTerms} )If the system is on the SIPRNet, this requirement is NA. ++ ++Universal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If DefaultSearchProviderSearchURL is not displayed under the Policy Name column or it is not set to an organization-approved encrypted search string (ex. https://www.google.com/?q={searchTerms} or https://www.bing.com/search?q={searchTerms} ) under the Policy Value column, this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the DefaultSearchProviderSearchURL value name does not exist or its value data is not set to an organization-approved encrypted search string (ex. 
https://www.google.com/search?q={searchTerms} or https://www.bing.com/search?q={searchTerms} ) this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0009Default search provider must be enabled.<VulnDiscussion>Policy enables the use of a default search provider. If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL. You can specify the default search provider to be used by setting the rest of the default search policies. If these are left empty, the user can choose the default provider. If you disable this setting, no search is performed when the user enters non-URL text in the omnibox. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, the default search provider is enabled, and the user will be able to set the search provider list.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57571V-44737CCI-000381Windows group policy: ++ 1. Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\ ++ Policy Name: Enable the default search provider ++ Policy State: Enabled ++ Policy Value: N/A ++ ++Universal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If DefaultSearchProviderEnabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. 
Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the DefaultSearchProviderEnabled value name does not exist or its value data is not set to 1, then this is a finding. ++ ++Note: This policy will only display in the chrome://policy tab on domain joined systems. On standalone systems, the policy will not display.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0011The Password Manager must be disabled.<VulnDiscussion>Enables saving passwords and using saved passwords in Google Chrome. Malicious sites may take advantage of this feature by using hidden fields gain access to the stored information. If you enable this setting, users can have Google Chrome memorize passwords and provide them automatically the next time they log in to a site. If you disable this setting, users are not able to save passwords or use already saved passwords. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. ListPassword manager should not be used as it stores passwords locally.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57575V-44741CCI-000381Windows group policy: ++1. Open the group policy editor tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Password Manager\ ++Policy Name: Enable Saving Passwords to the Password Manager ++Policy State: Disabled ++Policy Value: N/AUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. 
If PasswordManagerEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the PasswordManagerEnabled value name does not exist or its value data is not set to 0, then this is a finding. ++SRG-APP-000112<GroupDescription></GroupDescription>DTBC-0017Background processing must be disabled.<VulnDiscussion>Determines whether a Google Chrome process is started on OS login that keeps running when the last browser window is closed, allowing background apps to remain active. The background process displays an icon in the system tray and can always be closed from there. If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings. If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings. If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings.' - Google Chrome Administrators Policy ListThis setting, if enabled, allows Google Chrome to run at all times. There is two reasons that this is not wanted. First, it can tie up system resources that might otherwise be needed. Second, it does not make it obvious to the user that it is running and poorly written extensions could cause instability on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57587V-44753CCI-001695Windows group policy: ++ 1. 
Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++ Policy Name: Continue running background apps when Google Chrome is closed ++ Policy State: Disabled ++ Policy Value: N/AUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If BackgroundModeEnabled is not displayed under the Policy Name column and it is not set to false under the Policy Value column, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the BackgroundModeEnabled value name does not exist or its value data is not set to 0, then this is a finding. ++SRG-APP-000047<GroupDescription></GroupDescription>DTBC-0020Google Data Synchronization must be disabled.<VulnDiscussion>Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the user will be able to enable Google Sync. Google Sync is used to sync information between different user devices, this data is then stored on Google owned servers. The synced data may consist of information such as email, calendars, viewing history, etc. This feature must be disabled because the organization does not have control over the servers the data is stored on.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57593V-44759CCI-001374Windows group policy: ++ 1. 
Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++ Policy Name: Disable synchronization of data with Google ++ Policy State: Enabled ++ Policy Value: N/AUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If SyncDisabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the SyncDisabled value name does not exist or its value data is not set to 1, then this is a finding. ++SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0021The URL protocol schema javascript must be disabled.<VulnDiscussion>Each access to a URL is handled by the browser according to the URL's "scheme". The "scheme" of a URL is the section before the ":". The term "protocol" is often mistakenly used for a "scheme". The difference is that the scheme is how the browser handles a URL and the protocol is how the browser communicates with a service. If a scheme or its associated protocol used by a browser is insecure or obsolete, vulnerabilities can be exploited resulting in exposed data or unrestricted access to the browser's system. The browser must be configured to disable the use of insecure and obsolete schemas (protocols). ++This policy disables the listed protocol schemes in Google Chrome, URLs using a scheme from this list will not load and cannot be navigated to. 
If this policy is left not set or the list is empty all schemes will be accessible in Google Chrome.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57595V-44761CCI-000381Windows group policy: ++ 1. Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++ Policy Name: Block access to a list of URLs ++ Policy State: Enabled ++ Policy Value 1: javascript://*Universal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If URLBlacklist is not displayed under the Policy Name column or it is not set to javascript://* under the Policy Value column, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\URLBlacklist ++ 3. If the URLBlacklist key does not exist, or the does not contain entries 1 set to javascript://*, then this is a finding. ++ ++SRG-APP-000047<GroupDescription></GroupDescription>DTBC-0023Cloud print sharing must be disabled.<VulnDiscussion>Policy enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine. If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account. If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share it’s printers with Google Cloud Print. 
If this policy is not set, this will be enabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57599V-44765CCI-001374Windows group policy: ++ 1. Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++ Policy Name: Enable Google Cloud Print proxy ++ Policy State: Disabled ++ Policy Value: N/AUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If CloudPrintProxyEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the CloudPrintProxyEnabled value name does not exist or its value data is not set to 0, then this is a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTBC-0025Network prediction must be disabled.<VulnDiscussion>Enables network prediction in Google Chrome and prevents users from changing this setting. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. 
If this policy is left not set, this will be disabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57603V-44769CCI-000366Windows group policy: ++1. Open the group policy editor tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++Policy Name: Enable network prediction ++Policy State: Enabled ++Policy Value: Do not predict network actions on any network connectionUniversal method: ++1. In the omnibox (address bar) type chrome://policy ++2. If "NetworkPredictionOptions" is not displayed under the “Policy Name” column or it is not set to "2" under the “Policy Value” column, this is a finding. ++Windows method: ++1. Start regedit ++2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++3. If the "NetworkPredictionOptions" value name does not exist or its value data is not set to "2," this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0026Metrics reporting to Google must be disabled.<VulnDiscussion>Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and crash-related data is sent to Google. A crash report could contain sensitive information from the computer's memory. If you disable this setting, anonymous reporting of usage and crash-related data is never sent to Google. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. 
If this policy is left not set the setting will be what the user chose upon installation / first run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57605V-44771CCI-000381Windows group policy: ++ 1. Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++ Policy Name: Enable reporting of usage and crash-related data ++ Policy State: Disabled ++ Policy Value: N/AUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If MetricsReportingEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the MetricsReportingEnabled value name does not exist or its value data is not set to 0, then this is a finding. ++ ++Note: This policy will only display in the chrome://policy tab on domain joined systems. On standalone systems, the policy will not display.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0027Search suggestions must be disabled.<VulnDiscussion>Search suggestion should be disabled as it could lead to searches being conducted that were never intended to be made. Enables search suggestions in Google Chrome's omnibox and prevents users from changing this setting. If you enable this setting, search suggestions are used. If you disable this setting, search suggestions are never used. 
If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57607V-44773CCI-000381Windows group policy: ++ 1. Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++ Policy Name: Enable search suggestions ++ Policy State: Disabled ++ Policy Value: N/AUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If SearchSuggestEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the SearchSuggestEnabled value name does not exist or its value data is not set to 0, then this is a finding. ++SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0029Importing of saved passwords must be disabled.<VulnDiscussion>Importing of saved passwords should be disabled as it could lead to unencrypted account passwords stored on the system from another browser to be viewed. This policy forces the saved passwords to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. If disabled, the saved passwords are not imported. 
If it is not set, the user may be asked whether to import, or importing may happen automatically.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57609V-44775CCI-000381Windows group policy: ++ 1. Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++ Policy Name: Import saved passwords from default browser on first run ++ Policy State: Disabled ++ Policy Value: N/AUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If ImportSavedPasswords is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the ImportSavedPasswords value name does not exist or its value data is not set to 0, then this is a finding.SRG-APP-000080<GroupDescription></GroupDescription>DTBC-0030Incognito mode must be disabled.<VulnDiscussion>Incognito mode allows the user to browse the Internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser history is retained. The "IncognitoModeAvailability" setting controls whether the user may utilize Incognito mode in Google Chrome. If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode. If 'Disabled' is selected, pages may not be opened in Incognito mode. If 'Forced' is selected, pages may be opened ONLY in Incognito mode. 
++ 0 = Incognito mode available. ++ 1 = Incognito mode disabled. ++ 2 = Incognito mode forced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57611V-44777CCI-000166Windows group policy: ++ 1. Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++ Policy Name: Incognito mode availability ++ Policy State: Enabled ++ Policy Value: Incognito mode disabledUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If IncognitoModeAvailability is not displayed under the Policy Name column or it is not set to 1 under the Policy Value column, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the IncognitoModeAvailability value name does not exist or its value data is not set to 1, then this is a finding. ++SRG-APP-000605<GroupDescription></GroupDescription>DTBC-0037Online revocation checks must be done.<VulnDiscussion>By setting this policy to true, the previous behavior is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online revocation checks. 
Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57623V-44789CCI-000185Windows group policy: ++ 1. Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++ Policy Name: Whether online OCSP/CRL checks are performed ++ Policy State: Enabled ++ Policy Value: N/A ++Universal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If EnableOnlineRevocationChecks is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the EnableOnlineRevocationChecks value name does not exist or its value data is not set to 1, then this is a finding. ++SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0038Safe Browsing must be enabled,<VulnDiscussion>Allows you to control whether Google Chrome's Safe Browsing feature is enabled and the mode it operates in. ++ ++If this policy is set to 'NoProtection' (value 0), Safe Browsing is never active. ++ ++If this policy is set to 'StandardProtection' (value 1, which is the default), Safe Browsing is always active in the standard mode. 
++ ++If this policy is set to 'EnhancedProtection' (value 2), Safe Browsing is always active in the enhanced mode, which provides better security, but requires sharing more browsing information with Google.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57625V-44791CCI-001166Windows group policy: ++ 1. Open the “group policy editor” tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Safe Browsing Settings ++ Policy Name: Safe Browsing Protection Level ++ Policy State: Enabled ++ Policy Value: StandardProtection or EnhancedProtectionUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If SafeBrowsingProtectionLevel is not displayed under the Policy Name column or it is not set to 1 or 2 under the Policy Value column, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the SafeBrowsingProtectionLevel value name does not exist or its value data is not set to 1 or 2, then this is a finding.SRG-APP-000231<GroupDescription></GroupDescription>DTBC-0039Browser history must be saved.<VulnDiscussion>This policy disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. 
If this setting is disabled or not set, browsing history is saved.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57627V-44793CCI-001199Windows group policy: ++ 1. Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++ Policy Name: Disable saving browser history ++ Policy State: Disabled ++ Policy Value: N/AUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If the policy 'SavingBrowserHistoryDisabled' is not shown or is not set to false, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the SavingBrowserHistoryDisabled value name does not exist or its value data is not set to 0, then this is a finding. ++SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0040Default behavior must block webpages from automatically running plugins.<VulnDiscussion>This policy allows you to set whether websites are allowed to automatically run the Flash plugin. Automatically running the Flash plugin can be either allowed for all websites or denied for all websites. If this policy is left not set, the user will be able to change this setting manually. 
++ 1 = Allow all sites to automatically run Flash plugin ++ 2 = Block the Flash plugin ++ 3 = Click to play</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57629V-44795CCI-000169Windows group policy: ++ 1. Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\ ++ Policy Name: Default Flash setting ++ Policy State: Enabled ++ Policy Value: Click to playUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If the policy "DefaultPluginsSetting" is not shown or is not set to "3", this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\DefaultPluginsSetting ++ 3. If this key "DefaultPluginsSetting" does not exist or is not set to "3", this is a finding.SRG-APP-000456<GroupDescription></GroupDescription>DTBC-0050The version of Google Chrome running on the system must be a supported version.<VulnDiscussion>Google Chrome is being continually updated by the vendor in order to address identified security vulnerabilities. 
Running an older version of the browser can introduce security vulnerabilities to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57639V-44805CCI-002605Install a supported version of Google Chrome.Universal method: ++1. In the omnibox (address bar) type chrome://settings/help ++2. Cross-reference the build information displayed with the Google Chrome site to identify, at minimum, the oldest supported build available. As of July 2019, this is 74.x.x. ++3. If the installed version of Chrome is not supported by Google, this is a finding.SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0052Deletion of browser history must be disabled.<VulnDiscussion>Disabling this function will prevent users from deleting their browsing history, which could be used to identify malicious websites and files that could later be used for anti-virus and Intrusion Detection System (IDS) signatures. Furthermore, preventing users from deleting browsing history could be used to identify abusive web surfing on government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-89845V-75165CCI-000169Windows group policy: ++ 1. 
Open the group policy editor tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++ Policy Name: Enable deleting browser and download history ++ Policy State: Disabled ++ Policy Value: N/AUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If the policy "AllowDeletingBrowserHistory" is not shown or is not set to false, this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the "AllowDeletingBrowserHistory" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0053Prompt for download location must be enabled.<VulnDiscussion>If the policy is enabled, the user will be asked where to save each file before downloading. If the policy is disabled, downloads will start immediately, and the user will not be asked where to save the file. If the policy is not configured, the user will be able to change this setting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-94633V-79929CCI-000169Windows group policy: ++1. Open the group policy editor tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++ Policy Name: Ask where to save each file before downloading ++ Policy State: Enabled ++ Policy Value: N/AUniversal method: ++1. In the omnibox (address bar) type chrome:// policy ++2. 
If "PromptForDownloadLocation" is not displayed under the "Policy Name" column or it is not set to "true" under the "Policy Value" column, then this is a finding. ++Windows method: ++1. Start regedit ++2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++3. If the "PromptForDownloadLocation" value name does not exist or its value data is not set to "1", this is a finding.SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0055Download restrictions must be configured.<VulnDiscussion>Configure the type of downloads that Google Chrome will completely block, without letting users override the security decision. If you set this policy, Google Chrome will prevent certain types of downloads, and will not let user bypass the security warnings. When the "Block dangerous downloads" option is chosen, all downloads are allowed, except for those that carry SafeBrowsing warnings. When the "Block potentially dangerous downloads" option is chosen, all downloads allowed, except for those that carry SafeBrowsing warnings of potentially dangerous downloads. When the "Block all downloads" option is chosen, all downloads are blocked. When this policy is not set, (or the "No special restrictions" option is chosen), the downloads will go through the usual security restrictions based on SafeBrowsing analysis results. ++ ++Note that these restrictions apply to downloads triggered from web page content, as well as the 'download link...' context menu option. These restrictions do not apply to the save / download of the currently displayed page, nor does it apply to saving as PDF from the printing options. See https://developers.google.com/safe-browsing for more info on SafeBrowsing. 
++0 = No special restrictions ++1 = Block dangerous downloads ++2 = Block potentially dangerous downloads ++3 = Block all downloads</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-94635V-79931CCI-000169If the system is on the SIPRNet, this requirement is NA. ++Windows group policy: ++1. Open the group policy editor tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++Policy Name: Allow download restrictions ++Policy State: 1 or 2 ++Policy Value: N/AIf the system is on the SIPRNet, this requirement is NA. ++Universal method: ++1. In the omnibox (address bar) type chrome:// policy ++2. If "DownloadRestrictions" is not displayed under the "Policy Name" column or it is not set to "1" or "2" under the "Policy Value" column, then this is a finding. ++ ++Windows method: ++1. Start regedit ++2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++3. If the "DownloadRestrictions" value name does not exist or its value data is not set to "1" or "2", then this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0057Safe Browsing Extended Reporting must be disabled.<VulnDiscussion>Enables Google Chrome's Safe Browsing Extended Reporting and prevents users from changing this setting. Extended Reporting sends some system information and page content to Google servers to help detect dangerous apps and sites. ++If the setting is set to "True", then reports will be created and sent whenever necessary (such as when a security interstitial is shown). 
++If the setting is set to "False", reports will never be sent. ++If this policy is set to "True" or "False", the user will not be able to modify the setting. ++If this policy is left unset, the user will be able to change the setting and decide whether to send reports or not.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96299V-81585CCI-001166Windows group policy: ++1. Open the “group policy editor” tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Safe Browsing settings\ ++Policy Name: Enable Safe Browsing Extended Reporting ++Policy State: Disabled ++Policy Value: N/AUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If "SafeBrowsingExtendedReportingEnabled" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the "SafeBrowsingExtendedReportingEnabled" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0058WebUSB must be disabled.<VulnDiscussion>Allows you to set whether websites are allowed to get access to connected USB devices. Access can be completely blocked, or the user can be asked every time a website wants to get access to connected USB devices. ++If this policy is left not set, ”3” will be used, and the user will be able to change it. 
++2 = Do not allow any site to request access to USB devices via the WebUSB API ++3 = Allow sites to ask the user to grant access to a connected USB device</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96301V-81587CCI-000381Windows group policy: ++ 1. Open the “group policy editor” tool with gpedit.msc ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings ++ Policy Name: Control use of the WebUSB API ++ Policy State: Enabled ++ Policy Value: 2 ++Universal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If "DefaultWebUsbGuardSetting" is not displayed under the "Policy Name" column or it is not set to "2", this is a finding. ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the "DefaultWebUsbGuardSetting" value name does not exist or its value data is not set to "2", this is a finding.SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0060Chrome Cleanup must be disabled.<VulnDiscussion>If set to “False”, prevents Chrome Cleanup from scanning the system for unwanted software and performing cleanups. Manually triggering Chrome Cleanup from chrome://settings/cleanup is disabled. ++If set to “True” or unset, Chrome Cleanup periodically scans the system for unwanted software and should any be found, will ask the user if they wish to remove it. Manually triggering Chrome Cleanup from chrome://settings is enabled. 
++This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96305V-81591CCI-000169Windows group policy: ++1. Open the “group policy editor” tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome ++Policy Name: Enables Chrome Cleanup on Windows ++Policy State: Disabled ++Policy Value: N/AUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If "ChromeCleanupEnabled" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the "ChromeCleanupEnabled" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0061Chrome Cleanup reporting must be disabled.<VulnDiscussion>If unset, should Chrome Cleanup detect unwanted software, it may report metadata about the scan to Google in accordance with policy set by “SafeBrowsingExtendedReportingEnabled”. Chrome Cleanup will then ask the user if they wish to clean up the unwanted software. The user can choose to share results of the cleanup with Google to assist with future unwanted software detection. These results contain file metadata and registry keys as described by the Chrome Privacy Whitepaper. 
++If set to “false”, should Chrome Cleanup detect unwanted software, it will not report metadata about the scan to Google, overriding any policy set by “SafeBrowsingExtendedReportingEnabled”. Chrome Cleanup will ask the user if they wish to clean up the unwanted software. Results of the cleanup will not be reported to Google and the user will not have the option to do so. ++If set to “true”, should Chrome Cleanup detect unwanted software, it may report metadata about the scan to Google in accordance with policy set by “SafeBrowsingExtendedReportingEnabled”. Chrome Cleanup will ask the user if they wish to clean up the unwanted software. Results of the cleanup will be reported to Google and the user will not have the option to prevent it. ++This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96307V-81593CCI-000169Windows group policy: ++1. Open the “group policy editor” tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome ++Policy Name: Control how Chrome Cleanup reports data to Google ++Policy State: Disabled ++Policy Value: N/AUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If "ChromeCleanupReportingEnabled" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. 
If the "ChromeCleanupReportingEnabled" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0063Google Cast must be disabled.<VulnDiscussion>If this policy is set to ”True” or is not set, Google Cast will be enabled, and users will be able to launch it from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the “Cast toolbar” icon. ++If this policy set to ”False”, Google Cast will be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96311V-81597CCI-000381Windows group policy: ++1. Open the “group policy editor” tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Google Cast ++Policy Name: Enable Google Cast ++Policy State: Disabled ++Policy Value: N/AUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If "EnableMediaRouter" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the "EnableMediaRouter" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0064Autoplay must be disabled.<VulnDiscussion>Allows you to control if videos can play automatically (without user consent) with audio content in Google Chrome. ++If the policy is set to “True”, Google Chrome is allowed to autoplay media. 
If the policy is set to “False”, Google Chrome is not allowed to autoplay media. The “AutoplayWhitelist” policy can be used to override this for certain URL patterns. By default, Google Chrome is not allowed to autoplay media. The “AutoplayWhitelist” policy can be used to override this for certain URL patterns.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96295V-81581CCI-000381Windows group policy: ++1. Open the “group policy editor” tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++Policy Name: Allow media autoplay ++Policy State: Disabled ++Policy Value: N/AUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If "AutoplayAllowed" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the "AutoplayAllowed" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTBC-0065URLs must be whitelisted for Autoplay use.<VulnDiscussion>Controls the whitelist of URL patterns that autoplay will always be enabled on. ++If the “AutoplayAllowed” policy is set to “True” then this policy will have no effect. 
++If the “AutoplayAllowed” policy is set to “False” then any URL patterns set in this policy will still be allowed to play.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96303V-81589CCI-001170Windows group policy: ++1. Open the “group policy editor” tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome ++Policy Name: Allow media autoplay on a whitelist of URL patterns ++Policy State: Enabled ++Policy Value 1: [*.]mil ++Policy Value 2: [*.]govUniversal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If “AutoplayWhitelist” is not displayed under the “Policy Name” column or it is not set to a list of administrator-approved URLs under the “Policy Value” column, this is a finding. ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the “AutoplayWhitelist” key does not exist and it does not contain a list of administrator-approved URLs, this is a finding. ++Suggested: the set or subset of [*.]mil and [*.]govSRG-APP-000206<GroupDescription></GroupDescription>DTBC-0066Anonymized data collection must be disabled.<VulnDiscussion>Enable URL-keyed anonymized data collection in Google Chrome and prevent users from changing this setting. ++URL-keyed anonymized data collection sends URLs of pages the user visits to Google to make searches and browsing better. ++If you enable this policy, URL-keyed anonymized data collection is always active. ++If you disable this policy, URL-keyed anonymized data collection is never active. 
++If this policy is left not set, URL-keyed anonymized data collection will be enabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-101303V-91203CCI-001166Windows group policy: ++1. Open the group policy editor tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++Policy Name: Enable URL-keyed anonymized data collection ++Policy State: Disabled ++Policy Value: NAUniversal method: ++1. In the omnibox (address bar) type chrome://policy ++2. If "UrlKeyedAnonymizedDataCollectionEnabled" is not displayed under the “Policy Name” column or it is not set to "0" under the “Policy Value” column, this is a finding. ++Windows method: ++1. Start regedit ++2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++3. If the “UrlKeyedAnonymizedDataCollectionEnabled" value name does not exist or its value data is not set to "0," this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0067Collection of WebRTC event logs must be disabled.<VulnDiscussion>If the policy is set to “true”, Google Chrome is allowed to collect WebRTC event logs from Google services (e.g., Google Meet), and upload those logs to Google. ++If the policy is set to “false”, or is unset, Google Chrome may not collect nor upload such logs. 
++These logs contain diagnostic information helpful when debugging issues with audio or video calls in Chrome, such as the time and size of sent and received RTP packets, feedback about congestion on the network, and metadata about time and quality of audio and video frames. These logs do not contain audio or video contents from the call. ++This data collection by Chrome can only be triggered by Google's web services, such as Google Hangouts or Google Meet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-101305V-91205CCI-001166Windows group policy: ++1. Open the group policy editor tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++Policy Name: Allow collection of WebRTC event logs from Google services ++Policy State: Disabled ++Policy Value: NAUniversal method: ++1. In the omnibox (address bar) type chrome://policy ++2. If "WebRtcEventLogCollectionAllowed" is not displayed under the “Policy Name” column or it is not set to "0" under the “Policy Value” column, this is a finding. ++Windows method: ++1. Start regedit ++2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++3. If the "WebRtcEventLogCollectionAllowed" value name does not exist or its value data is not set to "0," this is a finding.SRG-APP-000266<GroupDescription></GroupDescription>DTBC-0068Chrome development tools must be disabled.<VulnDiscussion>While the risk associated with browser development tools is more related to the proper design of a web application, a risk vector remains within the browser. 
The developer tools allow end users and application developers to view and edit all types of web application related data via the browser. Page elements, source code, javascript, API calls, application data, etc. may all be viewed and potentially manipulated. Manipulation could be useful for troubleshooting legitimate issues, and this may be performed in a development environment. Manipulation could also be malicious and must be addressed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-106629V-97525CCI-001312Windows group policy: ++1. Open the "group policy editor" tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome ++Policy Name: Control where Developer Tools can be used ++Policy State: Enabled ++Policy Value: Disallow usage of the Developer ToolsUniversal method: ++1. In the omnibox (address bar) type chrome://policy ++2. If the policy "DeveloperToolsAvailability" is not shown or is not set to "2", this is a finding. ++ ++Windows method: ++1. Start regedit ++2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++3. If the key "DeveloperToolsAvailability" does not exist or is not set to "2", this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0069Guest Mode must be disabled.<VulnDiscussion>If this policy is set to true or not configured, Google Chrome will enable guest logins. Guest logins are Google Chrome profiles where all windows are in incognito mode. 
++ ++If this policy is set to false, Google Chrome will not allow guest profiles to be started.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-111829V-102867CCI-001166Windows group policy: ++1. Open the "group policy editor" tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++Policy Name: Enable guest mode in browser ++Policy State: DisabledUniversal method: ++1. In the omnibox (address bar) type chrome://policy ++2. If BrowserGuestModeEnabled is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding. ++ ++Windows method: ++1. Start regedit ++2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++3. If the BrowserGuestModeEnabled value name does not exist or its value data is not set to 0, this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0070AutoFill for credit cards must be disabled.<VulnDiscussion>Enabling Google Chrome's AutoFill feature allows users to auto complete credit card information in web forms using previously stored information. ++If this setting is disabled, Autofill will never suggest or fill credit card information, nor will it save additional credit card information that the user might submit while browsing the web. 
++ ++If this setting is enabled or has no value, the user will be able to control Autofill for credit cards in the UI.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-111831V-102869CCI-001166Windows group policy: ++1. Open the "group policy editor" tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++Policy Name: Enable AutoFill for credit cards ++Policy State: DisabledUniversal method: ++1. In the omnibox (address bar) type chrome://policy ++2. If AutofillCreditCardEnabled is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding. ++ ++Windows method: ++1. Start regedit ++2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++3. If the AutofillCreditCardEnabled value name does not exist or its value data is not set to 0, this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0071AutoFill for addresses must be disabled.<VulnDiscussion>Enabling Google Chrome's AutoFill feature allows users to auto complete address information in web forms using previously stored information. ++If this setting is disabled, Autofill will never suggest or fill address information, nor will it save additional address information that the user might submit while browsing the web. 
++ ++If this setting is enabled or has no value, the user will be able to control Autofill for addresses in the UI.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-111833V-102871CCI-001166Windows group policy: ++1. Open the "group policy editor" tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++Policy Name: Enable AutoFill for addresses ++Policy State: DisabledUniversal method: ++1. In the omnibox (address bar) type chrome://policy ++2. If AutofillAddressEnabled is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding. ++ ++Windows method: ++1. Start regedit ++2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++3. If the AutofillAddressEnabled value name does not exist or its value data is not set to 0, this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0072Import AutoFill form data must be disabled.<VulnDiscussion>This policy forces the autofill form data to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. ++If disabled, the autofill form data is not imported. 
++ ++If it is not set, the user may be asked whether to import, or importing may happen automatically.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-111835V-102873CCI-001166Windows group policy: ++1. Open the "group policy editor" tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++Policy Name: Import autofill form data from default browser on first run ++Policy State: DisabledUniversal method: ++1. In the omnibox (address bar) type chrome://policy ++2. If ImportAutofillFormData is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding. ++ ++Windows method: ++1. Start regedit ++2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++3. If the ImportAutofillFormData value name does not exist or its value data is not set to 0, this is a finding. ++SRG-APP-000416<GroupDescription></GroupDescription>DTBC-0056Chrome must be configured to allow only TLS.<VulnDiscussion>If this policy is not configured then Google Chrome uses a default minimum version, which is TLS 1.0. Otherwise, it may be set to one of the following values: "tls1", "tls1.1" or "tls1.2". ++When set, Google Chrome will not use SSL/TLS versions less than the specified version. An unrecognized value will be ignored. 
++"tls1" = TLS 1.0 ++"tls1.1" = TLS 1.1 ++"tls1.2" = TLS 1.2</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-81583CCI-002450Windows group policy: ++ 1. Open the “group policy editor” tool with gpedit.msc. ++ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ ++ Policy Name: Minimum SSL version enabled ++ Policy State: Enabled ++ Policy Value: TLS 1.2Universal method: ++ 1. In the omnibox (address bar) type chrome://policy ++ 2. If "SSLVersionMin" is not displayed under the "Policy Name" column or it is not set to "tls1.2", this is a finding. ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the "SSLVersionMin" value name does not exist or its value data is not set to "tls1.2", this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0073Web Bluetooth API must be disabled.<VulnDiscussion>Setting the policy to 3 lets websites ask for access to nearby Bluetooth devices. Setting the policy to 2 denies access to nearby Bluetooth devices. ++ ++Leaving the policy unset lets sites ask for access, but users can change this setting. 
++ ++2 = Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API ++3 = Allow sites to ask the user to grant access to a nearby Bluetooth device</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-34246V-26961CCI-000381Windows group policy: ++1. Open the “group policy editor” tool with gpedit.msc ++2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings ++ Policy Name: Control use of the Web Bluetooth API ++ Policy State: Enabled ++ Policy Value: Do not allow any site to request access to Bluetooth devices via the Web Bluetooth APIUniversal method: ++1. In the omnibox (address bar) type chrome://policy ++2. If DefaultWebBluetoothGuardSetting is not displayed under the Policy Name column or it is not set to 2 under the Policy Value column, then this is a finding. ++ ++Windows method: ++ 1. Start regedit ++ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ ++ 3. If the DefaultWebBluetoothGuardSetting value name does not exist or its value data is not set to 2, then this is a finding. +\ No newline at end of file + +From abf1546334f7d7043cdcac34f5cf1ee6796d6521 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 26 Jul 2021 18:26:57 +0200 +Subject: [PATCH 09/10] Remove documentation on how to manually generate + stig_overlay.xml files. 
+
+---
+ .../04_updating_reference_and_overlay.md | 32 -------------------
+ 1 file changed, 32 deletions(-)
+ delete mode 100644 docs/manual/developer/04_updating_reference_and_overlay.md
+
+diff --git a/docs/manual/developer/04_updating_reference_and_overlay.md b/docs/manual/developer/04_updating_reference_and_overlay.md
+deleted file mode 100644
+index df16d8b7bae..00000000000
+--- a/docs/manual/developer/04_updating_reference_and_overlay.md
++++ /dev/null
+@@ -1,32 +0,0 @@
+-# Updating Reference and Overlay Content
+-
+-## Reference Content
+-
+-### STIG Reference Content
+-
+-## STIG Overlay Content
+-
+-`stig_overlay.xml` maps an official product/version STIG release with a
+-SSG product/version STIG release.
+-
+-**`stig_overlay.xml` should never be manually created or updated. It
+-should always be generated using `create-stig-overlay.py`.**
+-
+-### Creating stig_overlay.xml
+-
+-To create `stig_overlay.xml`, there are two things that are required: an
+-official non-draft STIG release from DISA containing a XCCDF file (e.g.
+-`U_Red_Hat_Enterprise_Linux_7_STIG_V1R1_Manual-xccdf.xml` and an XCCDF
+-file built by the project (e.g. `ssg-rhel7-xccdf.xml`)
+-
+-Example using `create-stig-overlay.py`:
+-
+- $ PYTHONPATH=`./.pyenv.sh` utils/create-stig-overlay.py --disa-xccdf=disa-stig-rhel7-v1r12-xccdf-manual.xml --ssg-xccdf=ssg-rhel7-xccdf.xml -o rhel7/overlays/stig_overlay.xml
+-
+-### Updating stig_overlay.xml
+-
+-To update `stig_overlay.xml`, use the `create-stig-overlay.py` script as
+-mentioned above. Then, submit a pull request to replace the
+-`stig_overlay.xml` file that is needing to be updated. Please note that
+-as a part of this update rules that have been removed from the official
+-STIG will be removed here as well.
+
+From 58b06ff7b3c44f624ea40b70a23d565fdc80e213 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Tue, 27 Jul 2021 18:32:03 +0200
+Subject: [PATCH 10/10] Fix STIG XSLT transformation to show important and
+ correct information.
+ +--- + shared/transforms/shared_xccdf-apply-overlay-stig.xslt | 7 ++++--- + shared/transforms/shared_xccdf2table-stig.xslt | 2 ++ + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/shared/transforms/shared_xccdf-apply-overlay-stig.xslt b/shared/transforms/shared_xccdf-apply-overlay-stig.xslt +index 89949b38550..945f709b956 100644 +--- a/shared/transforms/shared_xccdf-apply-overlay-stig.xslt ++++ b/shared/transforms/shared_xccdf-apply-overlay-stig.xslt +@@ -21,7 +21,8 @@ + + + +- ++ ++ + + + +@@ -29,11 +30,11 @@ + + + +- ++ + SRG-OS-ID + + +- ++ + <xsl:value-of select="$overlay_title"/> + + +diff --git a/shared/transforms/shared_xccdf2table-stig.xslt b/shared/transforms/shared_xccdf2table-stig.xslt +index 9b38fb4906f..3746c386c0d 100644 +--- a/shared/transforms/shared_xccdf2table-stig.xslt ++++ b/shared/transforms/shared_xccdf2table-stig.xslt +@@ -53,6 +53,7 @@ + Check Procedures + Fixtext + Version ++ Mapped Rule + + Notes + +@@ -89,6 +90,7 @@ + + + ++ + +
      +
      diff --git a/SOURCES/scap-security-guide-0.1.58-update_stig_references-PR_7366.patch b/SOURCES/scap-security-guide-0.1.58-update_stig_references-PR_7366.patch new file mode 100644 index 0000000..523c953 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-update_stig_references-PR_7366.patch 
@@ -0,0 +1,89 @@ +From 3d7b01a7fdc27f7e5a31ba508f7f84dab446aa4b Mon Sep 17 00:00:00 2001 +From: Eduardo Barretto +Date: Wed, 16 Jun 2021 16:34:59 +0200 +Subject: [PATCH 1/5] Add accounts_password_pam_dictcheck to UBTU-20-010056 + +--- + products/ubuntu2004/profiles/stig.profile | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile +index 4d03bfe7ae..ac9685809c 100644 +--- a/products/ubuntu2004/profiles/stig.profile ++++ b/products/ubuntu2004/profiles/stig.profile +@@ -113,6 +113,8 @@ selections: + - accounts_password_pam_ocredit + + # UBTU-20-010056 The Ubuntu operating system must prevent the use of dictionary words for passwords. ++ - var_password_pam_dictcheck=1 ++ - accounts_password_pam_dictcheck + + # UBTU-20-010057 The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used. + - var_password_pam_retry=3 + +From 6c3c586a7fe27d68052428e02843c573f9cbd559 Mon Sep 17 00:00:00 2001 +From: Eduardo Barretto +Date: Wed, 4 Aug 2021 18:11:48 +0200 +Subject: [PATCH 2/5] Add ubuntu2004 to prodtype in + accounts_password_pam_dictcheck + +--- + .../accounts_password_pam_dictcheck/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml +index 2990150c0a..00da0397b0 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhel8 ++prodtype: 
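Review bot: The new selection `accounts_password_pam_dictcheck` is only valid for ubuntu2004 once the rule's `prodtype` includes that product, which happens in the next commit of this series (its hunk still shows `prodtype: fedora,rhel8` on the old side), so this commit does not build on its own and the two must travel together. That is fine inside one patch file, but the series carried here runs [PATCH 1/5], [2/5], [4/5], [5/5] and nothing records why 3/5 was left out of the downstream copy of upstream PR 7366. Add a one-line explanation in the spec's comment for this Patch entry, e.g. `# PR 7366 without its commit 3/5: <reason>`, so the divergence from upstream stays auditable when the STIG mapping is next refreshed.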
fedora,rhel8,ubuntu2004 + + title: 'Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words' + + +From b523676430765ab7fff09f790618f091d3f916e2 Mon Sep 17 00:00:00 2001 +From: Eduardo Barretto +Date: Wed, 4 Aug 2021 18:12:59 +0200 +Subject: [PATCH 4/5] Add stigid@ubuntu2004 to accounts_password_pam_dictcheck + +--- + .../accounts_password_pam_dictcheck/rule.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml +index bae2db25fe..226329d752 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml +@@ -29,6 +29,7 @@ references: + nist: IA-5(c),IA-5(1)(a),CM-6(a),IA-5(4) + srg: SRG-OS-000480-GPOS-00225 + stigid@rhel8: RHEL-08-020300 ++ stigid@ubuntu2004: UBTU-20-010056 + + ocil_clause: 'dictcheck is not found or not equal to the required value' + + +From 39973c39ea17fb13730f1bef239783464c1b4b01 Mon Sep 17 00:00:00 2001 +From: Eduardo Barretto +Date: Wed, 4 Aug 2021 18:13:16 +0200 +Subject: [PATCH 5/5] Add pam platform to accounts_password_pam_dictcheck + +--- + .../accounts_password_pam_dictcheck/rule.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml +index 226329d752..d0d4b8c5c5 100644 +--- 
a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml +@@ -39,6 +39,7 @@ ocil: |- + The dictcheck parameter should be equal to 1. The value should look like +
      dictcheck=1
      + ++platform: pam + + template: + name: accounts_password diff --git a/SOURCES/scap-security-guide-0.1.58-update_stig_references_for_servives_rhel8_v1r3-PR_7299.patch b/SOURCES/scap-security-guide-0.1.58-update_stig_references_for_servives_rhel8_v1r3-PR_7299.patch new file mode 100644 index 0000000..27d9f09 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-update_stig_references_for_servives_rhel8_v1r3-PR_7299.patch 
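Review bot: `platform: pam` only gates applicability on PAM being present, but `dictcheck=1` in /etc/security/pwquality.conf has no effect unless pam_pwquality is actually in the password stack, so this rule can report compliant on a host that still accepts dictionary passwords; nothing in rule.yml tells the reader about that dependency. Add a `warnings:` entry of kind `general` stating that the setting is enforced only when pam_pwquality is configured in the PAM password stack and that the profile must also select the rule covering that requirement (the STIG's UBTU-20-010057, which this profile already lists). The rule.yml continues past the hunk, so the warning would sit above the `template:` block shown here.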
@@ -0,0 +1,821 @@ +From 7899e18d486b6181f3213c3c1351f24cdce84bf8 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 28 Jul 2021 10:34:47 -0500 +Subject: [PATCH 01/20] Split RHEL-08-040100 into two rules + +One for the firewalld package and one for the firewalld service. +--- + .../firewalld_activation/service_firewalld_enabled/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml +index cff9581e76..42849bdd5a 100644 +--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml ++++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml +@@ -40,7 +40,7 @@ references: + srg: SRG-OS-000096-GPOS-00050,SRG-OS-000297-GPOS-00115,SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00231,SRG-OS-000480-GPOS-00232 + stigid@ol7: OL07-00-040520 + stigid@rhel7: RHEL-07-040520 +- stigid@rhel8: RHEL-08-040100 ++ stigid@rhel8: RHEL-08-040101 + stigid@sle15: SLES-15-010220 + + ocil: |- +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 965068a691..9d0145a96f 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -968,9 +968,11 @@ selections: + # RHEL-08-040090 + + # RHEL-08-040100 +- - service_firewalld_enabled + - package_firewalld_installed + ++ # RHEL-08-040101 ++ - service_firewalld_enabled ++ + # RHEL-08-040110 + - wireless_disable_interfaces + + +From 7396acddc284acc54d66640e7e0bc5251334bc0b Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 28 Jul 2021 11:44:59 -0500 +Subject: [PATCH 02/20] Split the rule for RHEL-08-020040 + +Split and package_tmux_installed and configure_tmux_lock_command +--- + 
.../console_screen_locking/package_tmux_installed/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml +index 550eaea8bb..120d1c49e0 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml +@@ -40,7 +40,7 @@ references: + nist-csf: PR.AC-7 + ospp: FMT_MOF_EXT.1 + srg: SRG-OS-000030-GPOS-00011,SRG-OS-000028-GPOS-00009 +- stigid@rhel8: RHEL-08-020040 ++ stigid@rhel8: RHEL-08-020039 + vmmsrg: SRG-OS-000030-VMM-000110 + + ocil_clause: 'the package is not installed' +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 9d0145a96f..9f57b28f4f 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -481,8 +481,10 @@ selections: + # RHEL-08-020030 + - dconf_gnome_screensaver_lock_enabled + +- # RHEL-08-020040 ++ # RHEL-08-020039 + - package_tmux_installed ++ ++ # RHEL-08-020040 + - configure_tmux_lock_command + + # RHEL-08-020041 + +From 6e3a93e173fbd12640e585d579f1e1d0afd3f419 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 28 Jul 2021 11:49:59 -0500 +Subject: [PATCH 03/20] Split RHEL-08-040100 + +One for the openssh-server package and one for the openssh-server service. 
+--- + .../services/ssh/package_openssh-server_installed/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +index 0b2a660c29..b551f08f38 100644 +--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml ++++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +@@ -30,7 +30,7 @@ references: + srg: SRG-OS-000423-GPOS-00187,SRG-OS-000424-GPOS-00188,SRG-OS-000425-GPOS-00189,SRG-OS-000426-GPOS-00190 + stigid@ol7: OL07-00-040300 + stigid@rhel7: RHEL-07-040300 +- stigid@rhel8: RHEL-08-040160 ++ stigid@rhel8: RHEL-08-040159 + stigid@ubuntu2004: UBTU-20-010042 + + ocil_clause: 'the package is not installed' +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 9f57b28f4f..66f70cdfd5 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -1037,8 +1037,10 @@ selections: + + # RHEL-08-040150 + +- # RHEL-08-040160 ++ # RHEL-08-040159 + - package_openssh-server_installed ++ ++ # RHEL-08-040160 + - service_sshd_enabled + + # RHEL-08-040161 + +From 097682c4e225b7bdefd7b38c89cadf984540da04 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 28 Jul 2021 11:56:17 -0500 +Subject: [PATCH 04/20] Split RHEL-08-040140 + +Package usbguard and service usbguard are split out into their own +STIG ID. now. 
+--- + .../services/usbguard/package_usbguard_installed/rule.yml | 2 +- + .../services/usbguard/service_usbguard_enabled/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 8 ++++++-- + 3 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml +index 333718182e..19ef8aaca6 100644 +--- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml ++++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml +@@ -48,7 +48,7 @@ references: + disa: CCI-001958 + ism: "1418" + srg: SRG-OS-000378-GPOS-00163 +- stigid@rhel8: RHEL-08-040140 ++ stigid@rhel8: RHEL-08-040139 + + ocil_clause: 'the package is not installed' + +diff --git a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml +index 86adda9ecc..4f008129ea 100644 +--- a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml ++++ b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml +@@ -27,7 +27,7 @@ references: + nist: CM-8(3)(a),IA-3 + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000378-GPOS-00163 +- stigid@rhel8: RHEL-08-040140 ++ stigid@rhel8: RHEL-08-040141 + + ocil_clause: 'the service is not enabled' + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 66f70cdfd5..fd090e4058 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -1030,11 +1030,15 @@ selections: + - package_fapolicyd_installed + - service_fapolicyd_enabled + +- # RHEL-08-040140 ++ # RHEL-08-040139 + - package_usbguard_installed +- - service_usbguard_enabled ++ ++ # RHEL-08-040140 + - usbguard_generate_policy + ++ # RHEL-08-040141 ++ - service_usbguard_enabled ++ + # RHEL-08-040150 + + # RHEL-08-040159 + +From 1b28e2bed919e7f16519b051d39f7df640498d4f Mon Sep 17 00:00:00 2001 +From: 
Matthew Burket +Date: Wed, 4 Aug 2021 08:01:13 -0500 +Subject: [PATCH 05/20] Split RHEL-08-030180 + +One for the auditd package and one for the auditd service. +--- + linux_os/guide/system/auditing/service_auditd_enabled/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 3 +++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml +index e10e8c7782..c7ce75e87c 100644 +--- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml ++++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml +@@ -55,7 +55,7 @@ references: + stigid@sle12: SLES-12-020010 + stigid@sle15: SLES-15-030050 + nist@sle12: AU-3,AU-3(1),AU-3(1).1(ii),AU-3.1,AU-6(4),AU-6(4).1,AU-7(1),AU-7(1).1,AU-7(a),AU-14(1),AU-14(1).1,CM-6(b),CM-6.1(iv),MA-4(1)(a) +- stigid@rhel8: RHEL-08-010560 ++ stigid@rhel8: RHEL-08-030381 + + ocil: |- + {{{ ocil_service_enabled(service="auditd") }}} +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index fd090e4058..682034af4d 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -683,6 +683,9 @@ selections: + # RHEL-08-030180 + - package_audit_installed + ++ # RHEL-08-030181 ++ - service_auditd_enabled ++ + # RHEL-08-030190 + - audit_rules_privileged_commands_su + + +From 0cf0bb3f6153be26abd4622221d73356be667d1f Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 28 Jul 2021 12:04:34 -0500 +Subject: [PATCH 06/20] Split RHEL-08-010521 + +Disabling Kerb5 and gssapi auth for sshd move split into two STIG ids. 
+--- + .../services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml +index 946ba7f1d6..2134da2839 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml +@@ -36,7 +36,7 @@ references: + srg: SRG-OS-000364-GPOS-00151,SRG-OS-000480-GPOS-00227 + stigid@ol7: OL07-00-040430 + stigid@rhel7: RHEL-07-040430 +- stigid@rhel8: RHEL-08-010521 ++ stigid@rhel8: RHEL-08-010522 + vmmsrg: SRG-OS-000480-VMM-002000 + + ocil_clause: 'it is commented out or is not disabled' +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 682034af4d..f913545106 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -318,6 +318,8 @@ selections: + + # RHEL-08-010521 + - sshd_disable_kerb_auth ++ ++ # RHEL-08-010522 + - sshd_disable_gssapi_auth + + # RHEL-08-010540 + +From 994b19da2cb0f88d6eb0533d1ba4cae362351e56 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 28 Jul 2021 12:10:06 -0500 +Subject: [PATCH 07/20] Split RHEL-08-010471 + +One for the rng-tools package and one for the rngd service. 
+--- + .../software/system-tools/package_rng-tools_installed/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml +index 33d5625fee..663a270626 100644 +--- a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml +@@ -21,7 +21,7 @@ identifiers: + references: + disa: CCI-000366 + srg: SRG-OS-000480-GPOS-00227 +- stigid@rhel8: RHEL-08-010471 ++ stigid@rhel8: RHEL-08-010472 + + ocil_clause: 'the package is not installed' + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index f913545106..e6ef5ee42c 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -299,6 +299,8 @@ selections: + + # RHEL-08-010471 + - service_rngd_enabled ++ ++ # RHEL-08-010472 + - package_rng-tools_installed + + # RHEL-08-010480 + +From 2d1756e3fe017645922b1622dac139a249c48a12 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 28 Jul 2021 12:14:53 -0500 +Subject: [PATCH 08/20] Split RHEL-08-010200 + +idle timeout and keepalive are now split +--- + .../services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +index 95c840fc5f..5a44255013 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +@@ -53,7 +53,7 @@ references: + srg: 
SRG-OS-000126-GPOS-00066,SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109,SRG-OS-000395-GPOS-00175 + stigid@ol7: OL07-00-040320 + stigid@rhel7: RHEL-07-040320 +- stigid@rhel8: RHEL-08-010200 ++ stigid@rhel8: RHEL-08-010201 + stigid@sle12: SLES-12-030190 + stigid@sle15: SLES-15-010280 + stigid@ubuntu2004: UBTU-20-010037 +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index e6ef5ee42c..036fd00808 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -156,9 +156,11 @@ selections: + - dir_perms_world_writable_sticky_bits + + # RHEL-08-010200 +- - sshd_set_idle_timeout + - sshd_set_keepalive_0 + ++ # RHEL-08-010201 ++ - sshd_set_idle_timeout ++ + # RHEL-08-010210 + - file_permissions_var_log_messages + + +From 0823a6f84d32338223502dfc93b09df5225debf6 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 28 Jul 2021 12:23:31 -0500 +Subject: [PATCH 09/20] Split RHEL-08-010141 + +GRUB2 UEFI username and password split +--- + .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +index a5f9349882..8a98cbdc95 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +@@ -56,7 +56,7 @@ references: + srg: SRG-OS-000080-GPOS-00048 + stigid@ol7: OL07-00-010490 + stigid@rhel7: RHEL-07-010490 +- stigid@rhel8: RHEL-08-010140 ++ stigid@rhel8: RHEL-08-010141 + + ocil_clause: 'it does not' + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 036fd00808..83500c35b3 100644 +--- a/products/rhel8/profiles/stig.profile ++++ 
b/products/rhel8/profiles/stig.profile +@@ -121,6 +121,8 @@ selections: + + # RHEL-08-010140 + - grub2_uefi_password ++ ++ # RHEL-08-010141 + - grub2_uefi_admin_username + + # RHEL-08-010150 + +From a4dd46d84d9ab8a9fd4984cbc1b9432e2920d3f5 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 28 Jul 2021 12:24:18 -0500 +Subject: [PATCH 10/20] Split RHEL-08-010150 + +GRUB admin username and password split +--- + .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +index f5cf144e0b..bb2f1bae21 100644 +--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +@@ -49,7 +49,7 @@ references: + srg: SRG-OS-000080-GPOS-00048 + stigid@ol7: OL07-00-010480 + stigid@rhel7: RHEL-07-010480 +- stigid@rhel8: RHEL-08-010150 ++ stigid@rhel8: RHEL-08-010149 + + ocil_clause: 'it does not' + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 83500c35b3..10d6fd6ebd 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -125,9 +125,11 @@ selections: + # RHEL-08-010141 + - grub2_uefi_admin_username + ++ # RHEL-08-010149 ++ - grub2_admin_username ++ + # RHEL-08-010150 + - grub2_password +- - grub2_admin_username + + # RHEL-08-010151 + - require_singleuser_auth + +From e1950738e3d5a35027d322589e736e8bfdba98b3 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 28 Jul 2021 12:44:27 -0500 +Subject: [PATCH 11/20] Split RHEL-08-040135 + +Package fapolicyd and service fapolicyd have been split. 
+--- + .../guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml +index 6c2663de9f..4a1cd16608 100644 +--- a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml ++++ b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml +@@ -24,7 +24,7 @@ references: + nist: CM-6(a),SI-4(22) + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000370-GPOS-00155,SRG-OS-000368-GPOS-00154 +- stigid@rhel8: RHEL-08-040135 ++ stigid@rhel8: RHEL-08-040136 + + ocil_clause: 'the service is not enabled' + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 10d6fd6ebd..8272b25057 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -1041,6 +1041,8 @@ selections: + + # RHEL-08-040135 + - package_fapolicyd_installed ++ ++ # RHEL-08-040136 + - service_fapolicyd_enabled + + # RHEL-08-040139 + +From e259cdaeb85f7f1f371fa11c08a615d1828fe30e Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 4 Aug 2021 08:42:38 -0500 +Subject: [PATCH 12/20] Split RHEL-08-020330 + +Also added a placeholder for RHEL-08-020332 +--- + .../password_storage/no_empty_passwords/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 6 +++++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml +index 19e5e95d60..75f988ffb2 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml +@@ 
-53,7 +53,7 @@ references: + srg: SRG-OS-000480-GPOS-00227 + stigid@ol7: OL07-00-010290 + stigid@rhel7: RHEL-07-010290 +- stigid@rhel8: RHEL-08-020330 ++ stigid@rhel8: RHEL-08-020331 + stigid@sle12: SLES-12-010231 + stigid@sle15: SLES-15-020300 + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 8272b25057..793fdd1e87 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -591,9 +591,13 @@ selections: + # - accounts_authorized_local_users + + # RHEL-08-020330 +- - no_empty_passwords + - sshd_disable_empty_passwords + ++ # RHEL-08-020331 ++ - no_empty_passwords ++ ++ # RHEL-08-020332 ++ + # RHEL-08-020340 + - display_login_attempts + + +From 5c2b73b5a4462225e876b29ead9f92da3c5f4331 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 4 Aug 2021 08:45:28 -0500 +Subject: [PATCH 13/20] Split RHEL-08-010050 + +--- + .../gui_login_banner/dconf_gnome_banner_enabled/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml +index c84cff33f3..b6ba3edc47 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml +@@ -54,7 +54,7 @@ references: + srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007,SRG-OS-000228-GPOS-00088 + stigid@ol7: OL07-00-010030 + stigid@rhel7: RHEL-07-010030 +- stigid@rhel8: RHEL-08-010050 ++ stigid@rhel8: RHEL-08-010049 + stigid@sle12: SLES-12-010040 + stigid@sle15: SLES-15-010080 + stigid@ubuntu2004: UBTU-20-010002 +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 
793fdd1e87..976c3f1892 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -95,8 +95,10 @@ selections: + # RHEL-08-010040 + - sshd_enable_warning_banner + +- # RHEL-08-010050 ++ # RHEL-08-010049 + - dconf_gnome_banner_enabled ++ ++ # RHEL-08-010050 + - dconf_gnome_login_banner_text + + # RHEL-08-010060 + +From d7c7cefd39de31bb484faad49766bbca22469aea Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 4 Aug 2021 08:47:50 -0500 +Subject: [PATCH 14/20] Split RHEL-08-010130 + +--- + .../accounts_password_pam_unix_rounds_system_auth/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml +index d44119622a..0b694b0e0b 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml +@@ -32,7 +32,7 @@ references: + anssi: BP28(R32) + disa: CCI-000196 + srg: SRG-OS-000073-GPOS-00041 +- stigid@rhel8: RHEL-08-010130 ++ stigid@rhel8: RHEL-08-010131 + + ocil_clause: 'it does not set the appropriate number of hashing rounds' + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 976c3f1892..5230dcd9c5 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -118,9 +118,11 @@ selections: + - accounts_password_all_shadowed_sha512 + + # RHEL-08-010130 +- - accounts_password_pam_unix_rounds_system_auth + - accounts_password_pam_unix_rounds_password_auth + ++ # RHEL-08-010131 ++ - 
accounts_password_pam_unix_rounds_system_auth ++ + # RHEL-08-010140 + - grub2_uefi_password + + +From f78b565e1f15cff194aef78af2184088fc41782a Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 4 Aug 2021 08:50:42 -0500 +Subject: [PATCH 15/20] Split RHEL-08-010151 + +--- + .../accounts-physical/require_emergency_target_auth/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 4 +--- + 2 files changed, 2 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +index 930d3a09fd..e2f61432ba 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +@@ -42,7 +42,7 @@ references: + srg: SRG-OS-000080-GPOS-00048 + stigid@ol7: OL07-00-010481 + stigid@rhel7: RHEL-07-010481 +- stigid@rhel8: RHEL-08-010151 ++ stigid@rhel8: RHEL-08-010152 + + ocil_clause: 'the output is different' + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 5230dcd9c5..040228b832 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -137,11 +137,9 @@ selections: + + # RHEL-08-010151 + - require_singleuser_auth +- - require_emergency_target_auth + + # RHEL-08-010152 +- # To be released in V1R3 +- # - require_emergency_target_auth ++ - require_emergency_target_auth + + # RHEL-08-010160 + - set_password_hashing_algorithm_systemauth + +From a7766cf4ccfd00eaad910fb98b02694868000410 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 4 Aug 2021 08:57:18 -0500 +Subject: [PATCH 16/20] Split RHEL-08-040210 + +--- + .../sysctl_net_ipv4_conf_default_accept_redirects/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git 
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml +index e8555a4895..bee6c117f3 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml +@@ -43,7 +43,7 @@ references: + srg: SRG-OS-000480-GPOS-00227 + stigid@ol7: OL07-00-040640 + stigid@rhel7: RHEL-07-040640 +- stigid@rhel8: RHEL-08-040210 ++ stigid@rhel8: RHEL-08-040209 + stigid@sle12: SLES-12-030400 + stigid@sle15: SLES-15-040340 + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 040228b832..394a460c51 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -1092,8 +1092,10 @@ selections: + # RHEL-08-040200 + - accounts_no_uid_except_zero + +- # RHEL-08-040210 ++ # RHEL-08-040209 + - sysctl_net_ipv4_conf_default_accept_redirects ++ ++ # RHEL-08-040210 + - sysctl_net_ipv6_conf_default_accept_redirects + + # RHEL-08-040220 + +From ac28c4231415be5e58bcea6f9fdd8652c6d39c45 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 4 Aug 2021 09:08:27 -0500 +Subject: [PATCH 17/20] Split RHEL-08-040240 + +--- + .../sysctl_net_ipv4_conf_all_accept_source_route/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml +index 
b56f2891f5..f92772eb57 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml +@@ -45,7 +45,7 @@ references: + srg: SRG-OS-000480-GPOS-00227 + stigid@ol7: OL07-00-040610 + stigid@rhel7: RHEL-07-040610 +- stigid@rhel8: RHEL-08-040240 ++ stigid@rhel8: RHEL-08-040239 + stigid@sle12: SLES-12-030360 + stigid@sle15: SLES-15-040300 + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 394a460c51..9cccd25963 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -1104,8 +1104,10 @@ selections: + # RHEL-08-040230 + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + +- # RHEL-08-040240 ++ # RHEL-08-040239 + - sysctl_net_ipv4_conf_all_accept_source_route ++ ++ # RHEL-08-040240 + - sysctl_net_ipv6_conf_all_accept_source_route + + # RHEL-08-040250 + +From 717ed63c6ad9b69b75aee69bbf1198515011499f Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 4 Aug 2021 09:11:08 -0500 +Subject: [PATCH 18/20] Split RHEL-08-040250 + +--- + .../sysctl_net_ipv4_conf_default_accept_source_route/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml +index 4df2465995..b1e7f247e2 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml ++++ 
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml +@@ -46,7 +46,7 @@ references: + srg: SRG-OS-000480-GPOS-00227 + stigid@ol7: OL07-00-040620 + stigid@rhel7: RHEL-07-040620 +- stigid@rhel8: RHEL-08-040250 ++ stigid@rhel8: RHEL-08-040249 + stigid@sle12: SLES-12-030370 + stigid@sle15: SLES-15-040320 + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 9cccd25963..4d1869c629 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -1110,8 +1110,10 @@ selections: + # RHEL-08-040240 + - sysctl_net_ipv6_conf_all_accept_source_route + +- # RHEL-08-040250 ++ # RHEL-08-040249 + - sysctl_net_ipv4_conf_default_accept_source_route ++ ++ # RHEL-08-040250 + - sysctl_net_ipv6_conf_default_accept_source_route + + # RHEL-08-040260 + +From 9b244bc0828e2eb6ffe389d7ef590e6b967a4c07 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 4 Aug 2021 09:13:19 -0500 +Subject: [PATCH 19/20] Split RHEL-08-040280 + +--- + .../sysctl_net_ipv4_conf_all_accept_redirects/rule.yml | 2 +- + products/rhel8/profiles/stig.profile | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml +index d5e7fe4599..726042198e 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml +@@ -44,7 +44,7 @@ references: + srg: SRG-OS-000480-GPOS-00227 + stigid@ol7: OL07-00-040641 + stigid@rhel7: RHEL-07-040641 +- stigid@rhel8: RHEL-08-040280 
++ stigid@rhel8: RHEL-08-040279 + stigid@sle12: SLES-12-030390 + stigid@sle15: SLES-15-040330 + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 4d1869c629..0a1fdd15ca 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -1128,8 +1128,10 @@ selections: + # RHEL-08-040270 + - sysctl_net_ipv4_conf_default_send_redirects + +- # RHEL-08-040280 ++ # RHEL-08-040279 + - sysctl_net_ipv4_conf_all_accept_redirects ++ ++ # RHEL-08-040280 + - sysctl_net_ipv6_conf_all_accept_redirects + + # RHEL-08-040281 + +From 7723ff37c5abd8681b70ad686c5df45d7d0b44ed Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Thu, 5 Aug 2021 14:46:46 -0500 +Subject: [PATCH 20/20] Update couple of references for RHEL8 STIG + +--- + .../enable_nx/bios_enable_execution_restrictions/rule.yml | 2 +- + .../software/disk_partitioning/partition_for_var_tmp/rule.yml | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml +index 99f2c739c9..2176a0bb9b 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml +@@ -32,6 +32,6 @@ references: + nist: SC-39,CM-6(a) + nist-csf: PR.IP-1 + srg: SRG-OS-000433-GPOS-00192 +- stig@rhel8: RHEL-08-010420 ++ stigid@rhel8: RHEL-08-010420 + + platform: machine +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml +index 726975e808..d57c0f0ce9 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml ++++ 
b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml +@@ -30,6 +30,7 @@ references: + cis@ubuntu1804: 1.1.6 + cis@ubuntu2004: 1.1.11 + srg: SRG-OS-000480-GPOS-00227 ++ stigid@rhel8: RHEL-08-010544 + + {{{ complete_ocil_entry_separate_partition(part="/var/tmp") }}} + diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index bccc9e9..44b4bb3 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -5,7 +5,7 @@ Name: scap-security-guide Version: 0.1.57 -Release: 1%{?dist} +Release: 3%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause Group: Applications/System 
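Review bot: The STIG id given to service_auditd_enabled in patch 05/20 disagrees between the two files it touches: the rule.yml hunk sets `stigid@rhel8: RHEL-08-030381`, while the stig.profile hunk files the same selection under the new `# RHEL-08-030181` comment, and the commit message says it is splitting RHEL-08-030180, which makes 030181 the consistent value. Every other split in this series keeps the rule's stigid and the profile comment in step, so this one rule would carry a STIG reference that differs from what the profile claims, and anything that joins rules to STIG ids (overlay, mapping table, stability tests) would see the mismatch. Unless RHEL-08-030381 is the real V1R3 id, the rule line should read `stigid@rhel8: RHEL-08-030181`; if it is, the profile comment is the one to correct. Separately, the subject of patch 03/20 reads "Split RHEL-08-040100" although its body and hunks change RHEL-08-040160 for openssh-server, which is worth fixing before the patch is carried downstream.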
@@ -18,6 +18,60 @@ BuildArch: noarch
 # Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
 Patch0: disable-not-in-good-shape-profiles.patch
+Patch1: scap-security-guide-0.1.58-fix_ansible_banner_remediation-PR_7228.patch
+Patch2: scap-security-guide-0.1.58-tests_for_playbooks_that_change_banners-PR_7376.patch
+Patch3: scap-security-guide-0.1.58-add_missing_unit_test_playbook-PR_7431.patch
+Patch4: scap-security-guide-0.1.58-RHEL_08_010630-PR_7250.patch
+Patch5: scap-security-guide-0.1.58-rhel8_stig_08_010350-PR_7231.patch
+Patch6: scap-security-guide-0.1.58-RHEL_08_010360-PR_7209.patch
+Patch7: scap-security-guide-0.1.58-RHEL_08_030610-PR_7256.patch
+Patch8: scap-security-guide-0.1.58-RHEL_08_010420-PR_7227.patch
+Patch9: scap-security-guide-0.1.58-rhel8_stig_08_010290-PR_7151.patch
+Patch10: scap-security-guide-0.1.58-rhel8_stig_08_010291-PR_7169.patch
+Patch11: scap-security-guide-0.1.58-split_file_ownership_var_log_audit-PR_7129.patch
+Patch12: scap-security-guide-0.1.58-rhel8_stig_08_020270-PR_7276.patch
+Patch13: scap-security-guide-0.1.58-add_rhel_minor_check-PR_7251.patch
+Patch14: scap-security-guide-0.1.58-RHEL_08_030700-PR_7264.patch
+Patch15: scap-security-guide-0.1.58-RHEL_08_030710-PR_7268.patch
+Patch16: scap-security-guide-0.1.58-RHEL_08_020300-PR_7289.patch
+Patch17: scap-security-guide-0.1.58-RHEL_08_020090-PR_7313.patch
+Patch18: scap-security-guide-0.1.58-update_stig_benchmark-PR_7326.patch
+Patch19: scap-security-guide-0.1.58-add_RHEL_08_020240-PR_7330.patch
+Patch20: scap-security-guide-0.1.58-audit_rhel8_stig-PR_6910.patch
+Patch21: scap-security-guide-0.1.58-bios_enable_execution_restrictions_srg-PR_7284.patch
+Patch22: scap-security-guide-0.1.58-update_stig_references_for_servives_rhel8_v1r3-PR_7299.patch
+Patch23: scap-security-guide-0.1.58-RHEL_08_040286-PR_7354.patch
+Patch24: scap-security-guide-0.1.58-RHEL_08_030650-PR_7283.patch
+Patch25: scap-security-guide-0.1.58-remove_RHEL_08_040162-PR_7369.patch
+Patch26: scap-security-guide-0.1.58-fix_STIG_references-PR_7371.patch
+Patch27: scap-security-guide-0.1.58-sshd_directory_config-PR_6926.patch
+Patch28: scap-security-guide-0.1.58-RHEL_08_030720-PR_7288.patch
+Patch29: scap-security-guide-0.1.58-RHEL_08_020320-PR_7303.patch
+Patch30: scap-security-guide-0.1.58-fix_missing_srgs-PR_7362.patch
+Patch31: scap-security-guide-0.1.58-update_rhel7_stig-PR_7217.patch
+Patch32: scap-security-guide-0.1.58-RHEL_08_010001-PR_7344.patch
+Patch33: scap-security-guide-0.1.58-RHEL_08_030730-PR_7323.patch
+Patch34: scap-security-guide-0.1.58-update_stig_gui_rhel7_version-PR_7340.patch
+Patch35: scap-security-guide-0.1.58-ansible_missing_metadata-PR_7357.patch
+Patch36: scap-security-guide-0.1.58-ensure_test_helper_scripts_executable-PR_7302.patch
+Patch37: scap-security-guide-0.1.58-update_stig_overlay-PR_7287.patch
+Patch38: scap-security-guide-0.1.58-update_stig_mapping_table-PR_7327.patch
+Patch39: scap-security-guide-0.1.58-update_stig_references-PR_7366.patch
+Patch40: scap-security-guide-0.1.58-fix_stig_overlay_python2-PR_7317.patch
+Patch41: scap-security-guide-0.1.58-group_audit_syscalls-PR_7329.patch
+Patch42: scap-security-guide-0.1.58-rhel8_cis_identifier_update_1-PR_7356.patch
+Patch43: scap-security-guide-0.1.58-audit_privileged_rhel_cis-PR_7353.patch
+Patch44: scap-security-guide-0.1.58-cis_rhel7_updates-PR_7384.patch
+Patch45: scap-security-guide-0.1.58-fix_handling_of_variables_in_levels-PR_7226.patch
+Patch46: scap-security-guide-0.1.58-rhel_modular_cis-PR_6976.patch
+Patch47: scap-security-guide-0.1.58-rhel7_cis_kickstarts-PR_7382.patch
+Patch48: scap-security-guide-0.1.58-rhel8_cis_kickstarts-PR_7383.patch
+Patch49: scap-security-guide-0.1.58-ism_ks-PR_7392.patch
+Patch50: scap-security-guide-0.1.58-fix_rhel7_links-PR_7409.patch
+Patch51: scap-security-guide-0.1.58-fix_audit_file_permissions-PR_7440.patch
+Patch52: scap-security-guide-0.1.58-mark_rule_as_machine_only-PR_7442.patch
+Patch53: scap-security-guide-0.1.58-fix_rhel7_doc_link-PR_7443.patch
+Patch54: scap-security-guide-0.1.58-disable_ctrlaltdel_reboot_fix_test_scenario-PR_7444.patch
 BuildRequires: libxslt
 BuildRequires: expat
@@ -121,6 +175,20 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %endif
 %changelog
+* Mon Aug 23 2021 Gabriel Becker - 0.1.57-3
+- Fix remaining audit rules file permissions (RHBZ#1993056)
+- Mark a STIG service rule as machine only (RHBZ#1993056)
+- Fix a remaining broken RHEL7 documentation link. (RHBZ#1966577)
+
+* Fri Aug 20 2021 Marcus Burghardt - 0.1.57-2
+- Update Ansible login banner fixes to avoid unnecessary updates (RHBZ#1857179)
+- Include tests for Ansible Playbooks that remove and reintroduce files.
+- Update RHEL8 STIG profile to V1R3 (RHBZ#1993056)
+- Improve Audit Rules remediation to group similar syscalls (RHBZ#1876483)
+- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#1993197)
+- Add Kickstart files for ISM profile (RHBZ#1955373)
+- Fix broken RHEL7 documentation links (RHBZ#1966577)
+
 * Fri Jul 30 2021 Matej Tyc - 0.1.57-1
 - Update to the latest upstream release (RHBZ#1966577)
 - Enable the ISM profile.
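Review bot: The 54 new `PatchN:` declarations in the `@@ -18,6 +18,60 @@` hunk only take effect if `%prep` applies them, and this diff contains no `%prep` hunk. If `%prep` still applies patches with an explicit per-patch line such as `%patch0 -p1` rather than `%autosetup -p1` or `%autopatch`, rpmbuild will accept the spec and silently build 0.1.57 content without any of the STIG and audit fixes the changelog entries for 0.1.57-2 and 0.1.57-3 claim, so that should be confirmed before this is shipped. The patch file names also carry `0.1.58` while `Version:` stays `0.1.57`; a short comment above `Patch1:` such as `# Backports from upstream 0.1.58, see RHBZ references in %changelog` would make the intent clear to the next maintainer. The `%prep` section is outside the hunks shown here, so this is inferred from the spec sections that are visible.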