scap-security-guide/SOURCES/scap-security-guide-0.1.58-update_stig_overlay-PR_7287.patch
2021-09-10 04:19:00 +00:00


From c2879589d5ff715c15a9f96f22f6dac4efca0852 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 26 Jul 2021 17:49:38 +0200
Subject: [PATCH 01/10] Fix create-stig-overlay.py script to extract correct
identifiers.
---
utils/create-stig-overlay.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/utils/create-stig-overlay.py b/utils/create-stig-overlay.py
index da59d4a6a46..6d7e360b31b 100755
--- a/utils/create-stig-overlay.py
+++ b/utils/create-stig-overlay.py
@@ -93,9 +93,9 @@ def new_stig_overlay(xccdftree, ssgtree, outfile):
srg = title.text
for rule in group.findall("./{%s}Rule" % xccdf_ns):
svkey_raw = rule.get("id")
- svkey = svkey_raw.strip()[3:-7]
+ svkey = svkey_raw.strip()[3:9]
severity = rule.get("severity")
- release = svkey_raw.strip()[9:-5]
+ release = svkey_raw.strip()[10:-5]
version = element_value("version", rule)
rule_title = element_value("title", rule)
ident = element_value("ident", rule).strip("CCI-").lstrip("0")
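Review bot: The new slices `[3:9]` and `[10:-5]` still hard-code a six-digit SV number, so they only work for ids shaped like `SV-221652r646955_rule` (the shape implied by the old ol7 output). The overlays removed later in this series also carry five-digit keys, for example `SVKey="57545"` with `VRelease="2"` in the chromium file. If a benchmark with ids of that width is fed in, `svkey` would presumably pick up the trailing `r` and `release` would come out empty. Splitting on the separator removes the width assumption: `svkey, _, release = svkey_raw.strip()[3:-5].partition("r")`. The body of new_stig_overlay starts and ends outside this hunk.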
From 99d698518d522571ffbed0a21f0ef783ae01e2fd Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 26 Jul 2021 17:50:26 +0200
Subject: [PATCH 02/10] Do not add rule id based on SRG mapping to STIG tables.
Revert change from
https://github.com/ComplianceAsCode/content/commit/71dc9eec3b80984cc3be43dd8d05343555213382#diff-9e0d84b6fa315174f856f178bb57199de68baefbdeb79a17971202ee8982c04fR61
because it is confusing to have mapped rules that do not correspond to the
current STIG id description.
---
utils/create-stig-overlay.py | 13 +------------
1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/utils/create-stig-overlay.py b/utils/create-stig-overlay.py
index 6d7e360b31b..3247f7f7785 100755
--- a/utils/create-stig-overlay.py
+++ b/utils/create-stig-overlay.py
@@ -65,17 +65,6 @@ def ssg_xccdf_stigid_mapping(ssgtree):
return xccdftostig_idmapping
-def get_nested_stig_items(ssg_mapping, srg):
- mapped_id = "XXXX"
- for rhid, srgs in ssg_mapping.items():
- for xccdfid, srglist in srgs.items():
- if srg in srglist and len(srglist) > 1:
- mapped_id = xccdfid
- break
-
- return mapped_id
-
-
def getkey(elem):
return elem.get("ownerid")
@@ -106,7 +95,7 @@ def new_stig_overlay(xccdftree, ssgtree, outfile):
try:
mapped_id = ''.join(ssg_mapping[version].keys())
except KeyError as e:
- mapped_id = get_nested_stig_items(ssg_mapping, srg)
+ mapped_id = "XXXX"
overlay = ET.SubElement(new_stig_overlay, "overlay", owner=owner,
ruleid=mapped_id, ownerid=version, disa=ident,
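Review bot: Every STIG item without a direct mapping is now written out with `ruleid="XXXX"`, and nothing records how many items fell through. That matters when the script runs unattended, because a mapping regression then leaves no trace. Give the placeholder a name, e.g. `UNMAPPED_RULE_ID = "XXXX"` at module level, with a comment saying how the overlay consumer treats it. Also drop the unused `as e` on the `except KeyError` line. The try/except sits inside new_stig_overlay, whose body extends beyond this hunk.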
From de85a1318e0c1c809202535ec0b17672ae7a58a0 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 26 Jul 2021 17:52:57 +0200
Subject: [PATCH 03/10] Add quiet mode for create-stig-overlay.py script.
---
utils/create-stig-overlay.py | 32 +++++++++++++++++++++++---------
1 file changed, 23 insertions(+), 9 deletions(-)
diff --git a/utils/create-stig-overlay.py b/utils/create-stig-overlay.py
index 3247f7f7785..02deb0b5b2e 100755
--- a/utils/create-stig-overlay.py
+++ b/utils/create-stig-overlay.py
@@ -69,7 +69,7 @@ def getkey(elem):
return elem.get("ownerid")
-def new_stig_overlay(xccdftree, ssgtree, outfile):
+def new_stig_overlay(xccdftree, ssgtree, outfile, quiet):
if not ssgtree:
ssg_mapping = False
else:
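Review bot: `quiet` is added as a required positional parameter, so any other caller of new_stig_overlay that still passes three arguments would raise TypeError. Only the call in main() is updated in this patch. `def new_stig_overlay(xccdftree, ssgtree, outfile, quiet=False):` keeps the old call form working. A one-line docstring saying that quiet suppresses the progress messages but not the file write would also help. The function body continues outside this hunk.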
@@ -113,11 +113,14 @@ def new_stig_overlay(xccdftree, ssgtree, outfile):
overlay_directory = os.path.dirname(outfile)
if not os.path.exists(overlay_directory):
os.makedirs(overlay_directory)
- print("\nOverlay directory created: %s" % overlay_directory)
+ if not quiet:
+ print("\nOverlay directory created: %s" % overlay_directory)
with open(outfile, 'wb') as f:
f.write(pretty_xml_as_string)
- print("\nGenerated the new STIG overlay file: %s" % outfile)
+
+ if not quiet:
+ print("\nGenerated the new STIG overlay file: %s" % outfile)
def parse_args():
@@ -134,6 +137,9 @@ def parse_args():
action="store", dest="output_file",
help="STIG overlay XML content file \
[default: %default]")
+ parser.add_argument("-q", "--quiet", dest="quiet", default=False,
+ action="store_true", help="Do not print anything and assume yes for everything")
+
return parser.parse_args()
@@ -143,9 +149,11 @@ def main():
disa_xccdftree = ET.parse(args.disa_xccdf_filename)
if not args.ssg_xccdf_filename:
- print("WARNING: You are generating a STIG overlay XML file without mapping it "
- "to existing SSG content.")
- prompt = yes_no_prompt()
+ prompt = True
+ if not args.quiet:
+ print("WARNING: You are generating a STIG overlay XML file without mapping it "
+ "to existing SSG content.")
+ prompt = yes_no_prompt()
if not prompt:
sys.exit(0)
ssg_xccdftree = False
@@ -153,13 +161,19 @@ def main():
ssg_xccdftree = ET.parse(args.ssg_xccdf_filename)
ssg = ssg_xccdftree.find(".//{%s}publisher" % dc_ns).text
if ssg != "SCAP Security Guide Project":
- sys.exit("%s is not a valid SSG generated XCCDF file." % args.ssg_xccdf_filename)
+ if not args.quiet:
+ sys.exit("%s is not a valid SSG generated XCCDF file." % args.ssg_xccdf_filename)
+ else:
+ sys.exit(1)
disa = disa_xccdftree.find(".//{%s}source" % dc_ns).text
if disa != "STIG.DOD.MIL":
- sys.exit("%s is not a valid DISA generated manual XCCDF file." % args.disa_xccdf_filename)
+ if not args.quiet:
+ sys.exit("%s is not a valid DISA generated manual XCCDF file." % args.disa_xccdf_filename)
+ else:
+ sys.exit(2)
- new_stig_overlay(disa_xccdftree, ssg_xccdftree, args.output_file)
+ new_stig_overlay(disa_xccdftree, ssg_xccdftree, args.output_file, args.quiet)
if __name__ == "__main__":
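Review bot: With `--quiet`, both provenance checks (publisher "SCAP Security Guide Project", source "STIG.DOD.MIL") now exit with no message. An unattended run that is handed the wrong or a substituted XCCDF file therefore fails without saying which input was rejected. Quiet mode should silence progress output and the prompt, not error diagnostics. The exit status also differs by mode: `sys.exit(str)` yields 1 for both checks, while quiet yields 1 and 2. Write the message to stderr unconditionally and use one status per failure, e.g. `sys.stderr.write("%s is not a valid SSG generated XCCDF file.\n" % args.ssg_xccdf_filename)` followed by `sys.exit(1)`, and likewise with `sys.exit(2)` for the DISA check. main() begins outside this hunk.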
From fc3f316cd3ccc375f9439683828a2d5829b411df Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 26 Jul 2021 17:53:24 +0200
Subject: [PATCH 04/10] Generate STIG overlay files during build time.
---
cmake/SSGCommon.cmake | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
index 1bcd5156206..f795d5be2c2 100644
--- a/cmake/SSGCommon.cmake
+++ b/cmake/SSGCommon.cmake
@@ -1274,12 +1274,21 @@ macro(ssg_build_html_stig_tables PRODUCT)
DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf2table-stig.xslt"
COMMENT "[${PRODUCT}-tables] generating HTML MANUAL STIG table"
)
+ add_custom_command(
+ OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/overlays/stig_overlay.xml"
+ COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/${PRODUCT}/overlays"
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create-stig-overlay.py" --quiet --disa-xccdf="${DISA_STIG_REF}" --ssg-xccdf="${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" -o "${CMAKE_BINARY_DIR}/${PRODUCT}/overlays/stig_overlay.xml"
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
+ DEPENDS "${DISA_STIG_REF}"
+ COMMENT "[${PRODUCT}-tables] generating STIG XML overlay"
+ )
add_custom_command(
OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/unlinked-stig-xccdf.xml"
- COMMAND "${XSLTPROC_EXECUTABLE}" -stringparam overlay "${CMAKE_CURRENT_SOURCE_DIR}/overlays/stig_overlay.xml" --stringparam ocil-document "${CMAKE_CURRENT_BINARY_DIR_NO_SPACES}/ocil-linked.xml" --output "${CMAKE_CURRENT_BINARY_DIR}/unlinked-stig-xccdf.xml" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf-apply-overlay-stig.xslt" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
+ COMMAND "${XSLTPROC_EXECUTABLE}" -stringparam overlay "${CMAKE_BINARY_DIR}/${PRODUCT}/overlays/stig_overlay.xml" --stringparam ocil-document "${CMAKE_CURRENT_BINARY_DIR_NO_SPACES}/ocil-linked.xml" --output "${CMAKE_CURRENT_BINARY_DIR}/unlinked-stig-xccdf.xml" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf-apply-overlay-stig.xslt" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
DEPENDS generate-ssg-${PRODUCT}-xccdf.xml
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf-apply-overlay-stig.xslt"
+ DEPENDS "${CMAKE_BINARY_DIR}/${PRODUCT}/overlays/stig_overlay.xml"
COMMENT "[${PRODUCT}-tables] generating unlinked STIG XCCDF XML file"
)
add_custom_command(
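Review bot: The new custom command that produces `stig_overlay.xml` does not list the generator script in its DEPENDS. After an edit to `utils/create-stig-overlay.py`, an incremental build would keep using the stale overlay in the STIG XCCDF and tables. Add `DEPENDS "${CMAKE_SOURCE_DIR}/utils/create-stig-overlay.py"` next to the two existing DEPENDS lines. Because the script is invoked with `--quiet`, it is also worth confirming that a rejected input still produces a diagnostic in the build log. The macro ssg_build_html_stig_tables starts and ends outside this hunk.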
From bfcaf848a385051a4151db517d1f1d23adee7048 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 26 Jul 2021 18:06:23 +0200
Subject: [PATCH 05/10] Remove stig_overlay.xml files as they are generated
during build time.
---
products/chromium/overlays/stig_overlay.xml | 151 --
products/firefox/overlays/stig_overlay.xml | 87 --
products/jre/overlays/stig_overlay.xml | 67 -
products/ol7/overlays/stig_overlay.xml | 1003 --------------
products/rhel7/overlays/stig_overlay.xml | 999 --------------
products/rhel8/overlays/stig_overlay.xml | 1375 -------------------
products/sle12/overlays/stig_overlay.xml | 811 -----------
products/sle15/overlays/stig_overlay.xml | 935 -------------
products/vsel/overlays/stig_overlay.xml | 159 ---
10 files changed, 5587 deletions(-)
delete mode 100644 products/chromium/overlays/stig_overlay.xml
delete mode 100644 products/firefox/overlays/stig_overlay.xml
delete mode 100644 products/jre/overlays/stig_overlay.xml
delete mode 100644 products/ol7/overlays/stig_overlay.xml
delete mode 100644 products/rhel7/overlays/stig_overlay.xml
delete mode 100644 products/rhel8/overlays/stig_overlay.xml
delete mode 100644 products/sle12/overlays/stig_overlay.xml
delete mode 100644 products/sle15/overlays/stig_overlay.xml
delete mode 100644 products/vsel/overlays/stig_overlay.xml
diff --git a/products/chromium/overlays/stig_overlay.xml b/products/chromium/overlays/stig_overlay.xml
deleted file mode 100644
index ce776d1c813..00000000000
--- a/products/chromium/overlays/stig_overlay.xml
+++ /dev/null
@@ -1,151 +0,0 @@
-<?xml version="1.0"?>
-<overlays xmlns="http://checklists.nist.gov/xccdf/1.1">
- <overlay owner="disastig" ruleid="chromium_disable_firewall_traversal" ownerid="DTBC0001" disa="" severity="Medium">
- <VMSinfo VKey="44711" SVKey="57545" VRelease="2" />
- <title>Firewall traversal from remote host must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_block_desktop_notifications" ownerid="DTBC0003" disa="" severity="low">
- <VMSinfo VKey="44713" SVKey="57547" VRelease="4" />
- <title>Sites ability for showing desktop notifications must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_popups" ownerid="DTBC0004" disa="" severity="medium">
- <VMSinfo VKey="44719" SVKey="57553" VRelease="1" />
- <title>Sites ability to show pop-ups must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disallow_location_tracking" ownerid="DTBC0002" disa="" severity="medium">
- <VMSinfo VKey="44723" SVKey="57557" VRelease="1" />
- <title>Site tracking users location must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_blacklist_extension_installation" ownerid="DTBC0005" disa="" severity="medium">
- <VMSinfo VKey="44727" SVKey="57561" VRelease="1" />
- <title>Extensions installation must be blacklisted by default.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_extension_whitelist" ownerid="DTBC0006" disa="" severity="medium">
- <VMSinfo VKey="44729" SVKey="57563" VRelease="1" />
- <title>Extensions that are approved for use must be whitelisted.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_default_search_provider_name" ownerid="DTBC0007" disa="" severity="medium">
- <VMSinfo VKey="44733" SVKey="57567" VRelease="1" />
- <title>The default search providers name must be set.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_enable_encrypted_searching" ownerid="DTBC0008" disa="" severity="medium">
- <VMSinfo VKey="44735" SVKey="57569" VRelease="1" />
- <title>The default search provider URL must be set to perform encrypted searches.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_default_search_provider" ownerid="DTBC0009" disa="" severity="medium">
- <VMSinfo VKey="44737" SVKey="57571" VRelease="1" />
- <title>Default search provider must be enabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_cleartext_passwords" ownerid="DTBC0010" disa="" severity="medium">
- <VMSinfo VKey="44739" SVKey="57573" VRelease="1" />
- <title>Use of cleartext passwords in Password Manager must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_password_manager" ownerid="DTBC0011" disa="" severity="medium">
- <VMSinfo VKey="44741" SVKey="57575" VRelease="1" />
- <title>The Password Manager must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_http_authentication" ownerid="DTBC0012" disa="" severity="medium">
- <VMSinfo VKey="44743" SVKey="57577" VRelease="1" />
- <title>The HTTP Authentication must be set to negotiate.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_outdated_plugins" ownerid="DTBC0013" disa="" severity="high">
- <VMSinfo VKey="44745" SVKey="57579" VRelease="1" />
- <title>The running of outdated plugins must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_plugins_require_authorization" ownerid="DTBC0014" disa="" severity="high">
- <VMSinfo VKey="44749" SVKey="57583" VRelease="1" />
- <title>Plugins requiring authorization must ask for user permission.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_thirdparty_cookies" ownerid="DTBC0015" disa="" severity="low">
- <VMSinfo VKey="44751" SVKey="57585" VRelease="1" />
- <title>Third party cookes must be blocked.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_background_processing" ownerid="DTBC0017" disa="" severity="medium">
- <VMSinfo VKey="44753" SVKey="57587" VRelease="1" />
- <title>Background processing must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_3d_graphics_api" ownerid="DTBC0019" disa="" severity="medium">
- <VMSinfo VKey="44757" SVKey="57591" VRelease="1" />
- <title>3D Graphics APIs must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_google_sync" ownerid="DTBC0020" disa="" severity="medium">
- <VMSinfo VKey="44759" SVKey="57593" VRelease="1" />
- <title>Google Data Synchronization must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_protocol_schemas" ownerid="DTBC0021" disa="" severity="medium">
- <VMSinfo VKey="44761" SVKey="57595" VRelease="2" />
- <title>The URL protocol schema javascript must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_autocomplete" ownerid="DTBC0022" disa="" severity="medium">
- <VMSinfo VKey="44763" SVKey="57597" VRelease="1" />
- <title>Autofill must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_cloud_print_sharing" ownerid="DTBC0023" disa="" severity="medium">
- <VMSinfo VKey="44765" SVKey="57599" VRelease="1" />
- <title>Cloud print mush be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_network_prediction" ownerid="DTBC0025" disa="" severity="medium">
- <VMSinfo VKey="44769" SVKey="57603" VRelease="1" />
- <title>Network prediction must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_metrics_reporting" ownerid="DTBC0026" disa="" severity="medium">
- <VMSinfo VKey="44771" SVKey="57601" VRelease="1" />
- <title>Metrics reporting to Google must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_search_suggestions" ownerid="DTBC0027" disa="" severity="medium">
- <VMSinfo VKey="44773" SVKey="57607" VRelease="1" />
- <title>Search suggestions must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_saved_passwords" ownerid="DTBC0029" disa="" severity="medium">
- <VMSinfo VKey="44775" SVKey="57609" VRelease="1" />
- <title>Importing of saved passwords must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_incognito_mode" ownerid="DTBC0030" disa="" severity="medium">
- <VMSinfo VKey="44777" SVKey="57611" VRelease="1" />
- <title>Metrics reporting to Google must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_plugin_blacklist" ownerid="DTBC0034" disa="" severity="medium">
- <VMSinfo VKey="44781" SVKey="57615" VRelease="1" />
- <title>Plugins must be disabled by default.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_enable_approved_plugins" ownerid="DTBC0035" disa="" severity="medium">
- <VMSinfo VKey="44783" SVKey="57617" VRelease="2" />
- <title>Plugins approved for use must be enabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_automatic_installation" ownerid="DTBC0036" disa="" severity="medium">
- <VMSinfo VKey="44787" SVKey="57621" VRelease="1" />
- <title>Automated installation of missing plugins must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_check_cert_revocation" ownerid="DTBC0037" disa="" severity="medium">
- <VMSinfo VKey="44789" SVKey="57623" VRelease="1" />
- <title>Online revocation checks must be done.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_enable_safe_browsing" ownerid="DTBC0038" disa="" severity="medium">
- <VMSinfo VKey="44791" SVKey="57625" VRelease="1" />
- <title>Safe Browsing must be enabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_enable_browser_history" ownerid="DTBC0039" disa="" severity="medium">
- <VMSinfo VKey="44793" SVKey="57627" VRelease="1" />
- <title>Browser history must be saved.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_default_block_plugins" ownerid="DTBC0040" disa="" severity="medium">
- <VMSinfo VKey="44795" SVKey="57629" VRelease="2" />
- <title>Default behavior must block webpages from automatically running plugins.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_disable_session_cookies" ownerid="DTBC0045" disa="" severity="medium">
- <VMSinfo VKey="44799" SVKey="57633" VRelease="1" />
- <title>Session only based cookies must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="chromium_trusted_home_page" ownerid="DTBC0048" disa="" severity="medium">
- <VMSinfo VKey="44801" SVKey="57635" VRelease="2" />
- <title>The home page must be set to a trusted site.</title>
- </overlay>
- <!--overlay owner="disastig" ruleid="chromium_enable_auto_updates" ownerid="DTBC0050" disa="" severity="medium">
- <VMSinfo VKey="44805" SVKey="57639" VRelease="1" />
- <title>Browser must support auto-updates.</title>
- </overlay-->
- <overlay owner="disastig" ruleid="chromium_whitelist_plugin_urls" ownerid="DTBC0051" disa="" severity="medium">
- <VMSinfo VKey="52795" SVKey="671011" VRelease="1" />
- <title>URLs must be whitelisted for plugin use.</title>
- </overlay>
-</overlays>
diff --git a/products/firefox/overlays/stig_overlay.xml b/products/firefox/overlays/stig_overlay.xml
deleted file mode 100644
index d4f19f02d21..00000000000
--- a/products/firefox/overlays/stig_overlay.xml
+++ /dev/null
@@ -1,87 +0,0 @@
-<?xml version="1.0"?>
-<overlays xmlns="http://checklists.nist.gov/xccdf/1.1">
- <overlay owner="disastig" ruleid="installed_firefox_version_supported" ownerid="DTBF003" disa="3376" severity="high">
- <VMSinfo VKey="17988" SVKey="19509" VRelease="4" />
- <title>Installed version of Firefox not supported.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-ssl_protocol_tls" ownerid="DTBF030" disa="2450" severity="medium">
- <VMSinfo VKey="15983" SVKey="16925" VRelease="8" />
- <title>Firefox must be configured to allow only TLS.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-verification" ownerid="DTBF050" disa="1274" severity="medium">
- <VMSinfo VKey="15768" SVKey="16707" VRelease="1" />
- <title>FireFox is configured to ask which certificate to present to a web site when a certificate is required.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-lock_settings_config_file" ownerid="DTBF070" disa="366" severity="medium">
- <VMSinfo VKey="19743" SVKey="21889" VRelease="9" />
- <title>Firefox required security preferences can not be changed by user.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-search_update" ownerid="DTBF085" disa="381" severity="medium">
- <VMSinfo VKey="19744" SVKey="21890" VRelease="1" />
- <title>Firefox automatically checks for updated version of installed Search plugins.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-addons_plugin_updates" ownerid="DTBF090" disa="381" severity="medium">
- <VMSinfo VKey="19742" SVKey="59603" VRelease="1" />
- <title>Firefox automatically updates installed add-ons and plugins.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-auto-download_actions" ownerid="DTBF100" disa="1242" severity="medium">
- <VMSinfo VKey="15770" SVKey="16709" VRelease="1" />
- <title>Firefox automatically executes or downloads MIME types which are not authorized for auto-download.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-shell_protocol" ownerid="DTBF105" disa="381" severity="medium">
- <VMSinfo VKey="15771" SVKey="16710" VRelease="3" />
- <title>Network shell protocol is enabled in FireFox.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-open_confirmation" ownerid="DTBF110" disa="1243" severity="medium">
- <VMSinfo VKey="15772" SVKey="16711" VRelease="4" />
- <title>Firefox is not configured to prompt a user before downloading and opening required file types.</title>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="DTBF120" disa="1170" severity="medium">
- <VMSinfo VKey="15773" SVKey="16712" VRelease="1" />
- <title>FireFox plug-in for ActiveX controls is installed.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-autofill_forms" ownerid="DTBF140" disa="381" severity="medium">
- <VMSinfo VKey="15774" SVKey="16713" VRelease="2" />
- <title>Firefox formfill assistance option is disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-autofill_passwords" ownerid="DTBF150" disa="381" severity="medium">
- <VMSinfo VKey="15775" SVKey="16714" VRelease="3" />
- <title>Firefox is configured to autofill passwords.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-password_store" ownerid="DTBF160" disa="381" severity="medium">
- <VMSinfo VKey="15776" SVKey="16715" VRelease="2" />
- <title>FireFox is configured to use a password store with or without a master password.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-pop-up_windows" ownerid="DTBF180" disa="381" severity="medium">
- <VMSinfo VKey="15778" SVKey="16717" VRelease="1" />
- <title>FireFox is not configured to block pop-up windows.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-javascript_window_resizing" ownerid="DTBF181" disa="381" severity="medium">
- <VMSinfo VKey="15779" SVKey="16718" VRelease="1" />
- <title>FireFox is configured to allow JavaScript to move or resize windows.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-javascript_window_changes" ownerid="DTBF182" disa="381" severity="medium">
- <VMSinfo VKey="15985" SVKey="16927" VRelease="1" />
- <title>Firefox is configured to allow JavaScript to raise or lower windows.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-javascript_context_menus" ownerid="DTBF183" disa="381" severity="medium">
- <VMSinfo VKey="15986" SVKey="16928" VRelease="2" />
- <title>Firefox is configured to allow JavaScript to disable or replace context menus.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-install_extensions" ownerid="DTBF186" disa="381" severity="medium">
- <VMSinfo VKey="64891" SVKey="79381" VRelease="3" />
- <title>Extensions install must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-background_data" ownerid="DTBF190" disa="381" severity="medium">
- <VMSinfo VKey="79053" SVKey="93759" VRelease="3" />
- <title>Background submission of information to Mozilla must be disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-development_tools" ownerid="DTBF195" disa="1312" severity="low">
- <VMSinfo VKey="97529" SVKey="106633" VRelease="1" />
- <title>Firefox Development Tools Must Be Disabled.</title>
- </overlay>
- <overlay owner="disastig" ruleid="firefox_preferences-dod_root_certificate" ownerid="DTBG010" disa="185" severity="medium">
- <VMSinfo VKey="6318" SVKey="33373" VRelease="5" />
- <title>The DOD Root Certificate is not installed.</title>
- </overlay>
-</overlays>
diff --git a/products/jre/overlays/stig_overlay.xml b/products/jre/overlays/stig_overlay.xml
deleted file mode 100644
index 90eaf79e27f..00000000000
--- a/products/jre/overlays/stig_overlay.xml
+++ /dev/null
@@ -1,67 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<overlays xmlns="http://checklists.nist.gov/xccdf/1.1">
- <overlay owner="disastig" ruleid="java_jre_deployment_config_exists" ownerid="JRE8-UX-000010" disa="366" severity="medium">
- <VMSinfo VKey="66721" SVKey="81211" VRelease="1"/>
- <title text="Oracle JRE 8 must have a deployment.config file present."/>
- </overlay>
- <overlay owner="disastig" ruleid="java_jre_deployment_config_properties" ownerid="JRE8-UX-000020" disa="366" severity="medium">
- <VMSinfo VKey="66909" SVKey="81399" VRelease="2"/>
- <title text="Oracle JRE 8 deployment.config file must contain proper keys and values."/>
- </overlay>
- <overlay owner="disastig" ruleid="java_jre_deployment_properties_exists" ownerid="JRE8-UX-000030" disa="366" severity="medium">
- <VMSinfo VKey="66911" SVKey="81401" VRelease="1"/>
- <title text="Oracle JRE 8 must have a deployment.properties file present."/>
- </overlay>
- <overlay owner="disastig" ruleid="java_jre_unsigned_applications" ownerid="JRE8-UX-000060" disa="366" severity="low">
- <VMSinfo VKey="66913" SVKey="81403" VRelease="1"/>
- <title text="Oracle JRE 8 must default to the most secure built-in setting."/>
- </overlay>
- <overlay owner="disastig" ruleid="java_jre_enable_jws_locked" ownerid="JRE8-UX-000070" disa="366" severity="medium">
- <VMSinfo VKey="66915" SVKey="81405" VRelease="1"/>
- <title text="Oracle JRE 8 must be set to allow Java Web Start (JWS) applications."/>
- </overlay>
- <overlay owner="disastig" ruleid="java_jre_disable_untrusted_sources_locked" ownerid="JRE8-UX-000080" disa="1695" severity="medium">
- <VMSinfo VKey="66917" SVKey="81407" VRelease="1"/>
- <title text="Oracle JRE 8 must disable the dialog enabling users to grant permissions to execute signed content from an untrusted authority."/>
- </overlay>
- <overlay owner="disastig" ruleid="java_jre_lock_untrusted_sources_locked" ownerid="JRE8-UX-000090" disa="1695" severity="medium">
- <VMSinfo VKey="66919" SVKey="81409" VRelease="1"/>
- <title text="Oracle JRE 8 must lock the dialog enabling users to grant permissions to execute signed content from an untrusted authority."/>
- </overlay>
- <overlay owner="disastig" ruleid="java_jre_validation_ocsp_locked" ownerid="JRE8-UX-000100" disa="185" severity="medium">
- <VMSinfo VKey="66921" SVKey="81411" VRelease="1"/>
- <title text="Oracle JRE 8 must set the option to enable online certificate validation."/>
- </overlay>
- <overlay owner="disastig" ruleid="java_jre_blacklist_check_locked" ownerid="JRE8-UX-000110" disa="1169" severity="medium">
- <VMSinfo VKey="66923" SVKey="81413" VRelease="1"/>
- <title text="Oracle JRE 8 must prevent the download of prohibited mobile code."/>
- </overlay>
- <overlay owner="disastig" ruleid="java_jre_accepted_sites_properties" ownerid="JRE8-UX-000120" disa="1774" severity="medium">
- <VMSinfo VKey="66925" SVKey="81415" VRelease="2"/>
- <title text="Oracle JRE 8 must enable the option to use an accepted sites list."/>
- </overlay>
- <overlay owner="disastig" ruleid="java_jre_accepted_sites_exists" ownerid="JRE8-UX-000130" disa="1774" severity="medium">
- <VMSinfo VKey="66927" SVKey="81417" VRelease="1"/>
- <title text="Oracle JRE 8 must have an exception.sites file present."/>
- </overlay>
- <overlay owner="disastig" ruleid="java_jre_validation_crl_locked" ownerid="JRE8-UX-000150" disa="1991" severity="medium">
- <VMSinfo VKey="66929" SVKey="81419" VRelease="1"/>
- <title text="Oracle JRE 8 must enable the dialog to enable users to check publisher certificates for revocation."/>
- </overlay>
- <overlay owner="disastig" ruleid="java_jre_security_revocation_check_locked" ownerid="JRE8-UX-000160" disa="1991" severity="medium">
- <VMSinfo VKey="66931" SVKey="81421" VRelease="1"/>
- <title text="Oracle JRE 8 must lock the option to enable users to check publisher certificates for revocation."/>
- </overlay>
- <overlay owner="disastig" ruleid="java_jre_insecure_prompt" ownerid="JRE8-UX-000170" disa="2460" severity="medium">
- <VMSinfo VKey="66933" SVKey="81423" VRelease="1"/>
- <title text="Oracle JRE 8 must prompt the user for action prior to executing mobile code."/>
- </overlay>
- <overlay owner="disastig" ruleid="java_jre_updated" ownerid="JRE8-UX-000180" disa="2605" severity="high">
- <VMSinfo VKey="66937" SVKey="81427" VRelease="1"/>
- <title text="The version of Oracle JRE 8 running on the system must be the most current available."/>
- </overlay>
- <overlay owner="disastig" ruleid="java_jre_clean_previous_version" ownerid="JRE8-UX-000190" disa="2617" severity="medium">
- <VMSinfo VKey="66935" SVKey="81425" VRelease="1"/>
- <title text="Oracle JRE 8 must remove previous versions when the latest version is installed."/>
- </overlay>
-</overlays>
diff --git a/products/ol7/overlays/stig_overlay.xml b/products/ol7/overlays/stig_overlay.xml
deleted file mode 100644
index 49b5d523eba..00000000000
--- a/products/ol7/overlays/stig_overlay.xml
+++ /dev/null
@@ -1,1003 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<overlays xmlns="http://checklists.nist.gov/xccdf/1.1">
- <overlay owner="disastig" ruleid="rpm_verify_ownership" ownerid="OL07-00-010010" disa="1496" severity="high">
- <VMSinfo VKey="221652" SVKey="221652r6469" VRelease="r646955"/>
- <title text="The Oracle Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values."/>
- </overlay>
- <overlay owner="disastig" ruleid="rpm_verify_hashes" ownerid="OL07-00-010020" disa="1749" severity="high">
- <VMSinfo VKey="221653" SVKey="221653r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_banner_enabled" ownerid="OL07-00-010030" disa="50" severity="medium">
- <VMSinfo VKey="221654" SVKey="221654r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_login_banner_text" ownerid="OL07-00-010040" disa="48" severity="medium">
- <VMSinfo VKey="221655" SVKey="221655r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="banner_etc_issue" ownerid="OL07-00-010050" disa="48" severity="medium">
- <VMSinfo VKey="221656" SVKey="221656r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_enabled" ownerid="OL07-00-010060" disa="58" severity="medium">
- <VMSinfo VKey="221657" SVKey="221657r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_enable_smartcard_auth" ownerid="OL07-00-010061" disa="1948" severity="medium">
- <VMSinfo VKey="221658" SVKey="221658r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_locked" ownerid="OL07-00-010062" disa="57" severity="medium">
- <VMSinfo VKey="221659" SVKey="221659r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_delay" ownerid="OL07-00-010070" disa="57" severity="medium">
- <VMSinfo VKey="221660" SVKey="221660r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_user_locks" ownerid="OL07-00-010081" disa="57" severity="medium">
- <VMSinfo VKey="221661" SVKey="221661r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_session_idle_user_locks" ownerid="OL07-00-010082" disa="57" severity="medium">
- <VMSinfo VKey="221662" SVKey="221662r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_activation_enabled" ownerid="OL07-00-010100" disa="57" severity="medium">
- <VMSinfo VKey="221664" SVKey="221664r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_activation_locked" ownerid="OL07-00-010101" disa="57" severity="medium">
- <VMSinfo VKey="221665" SVKey="221665r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_delay" ownerid="OL07-00-010110" disa="57" severity="medium">
- <VMSinfo VKey="221666" SVKey="221666r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_retry" ownerid="OL07-00-010118" disa="192" severity="medium">
- <VMSinfo VKey="221667" SVKey="221667r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_retry" ownerid="OL07-00-010119" disa="192" severity="medium">
- <VMSinfo VKey="221668" SVKey="221668r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_ucredit" ownerid="OL07-00-010120" disa="192" severity="medium">
- <VMSinfo VKey="221669" SVKey="221669r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_lcredit" ownerid="OL07-00-010130" disa="193" severity="medium">
- <VMSinfo VKey="221670" SVKey="221670r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_dcredit" ownerid="OL07-00-010140" disa="194" severity="medium">
- <VMSinfo VKey="221671" SVKey="221671r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_ocredit" ownerid="OL07-00-010150" disa="1619" severity="medium">
- <VMSinfo VKey="221672" SVKey="221672r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_difok" ownerid="OL07-00-010160" disa="195" severity="medium">
- <VMSinfo VKey="221673" SVKey="221673r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_minclass" ownerid="OL07-00-010170" disa="195" severity="medium">
- <VMSinfo VKey="221674" SVKey="221674r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_maxrepeat" ownerid="OL07-00-010180" disa="195" severity="medium">
- <VMSinfo VKey="221675" SVKey="221675r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_maxclassrepeat" ownerid="OL07-00-010190" disa="195" severity="medium">
- <VMSinfo VKey="221676" SVKey="221676r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters."/>
- </overlay>
- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_systemauth" ownerid="OL07-00-010200" disa="196" severity="medium">
- <VMSinfo VKey="221677" SVKey="221677r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_logindefs" ownerid="OL07-00-010210" disa="196" severity="medium">
- <VMSinfo VKey="221678" SVKey="221678r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_libuserconf" ownerid="OL07-00-010220" disa="196" severity="medium">
- <VMSinfo VKey="221680" SVKey="221680r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_minimum_age_login_defs" ownerid="OL07-00-010230" disa="198" severity="medium">
- <VMSinfo VKey="221681" SVKey="221681r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_set_min_life_existing" ownerid="OL07-00-010240" disa="198" severity="medium">
- <VMSinfo VKey="221682" SVKey="221682r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_maximum_age_login_defs" ownerid="OL07-00-010250" disa="199" severity="medium">
- <VMSinfo VKey="221683" SVKey="221683r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_set_max_life_existing" ownerid="OL07-00-010260" disa="199" severity="medium">
- <VMSinfo VKey="221684" SVKey="221684r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_unix_remember" ownerid="OL07-00-010270" disa="200" severity="medium">
- <VMSinfo VKey="221685" SVKey="221685r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_minlen" ownerid="OL07-00-010280" disa="205" severity="medium">
- <VMSinfo VKey="221686" SVKey="221686r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that passwords are a minimum of 15 characters in length."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_empty_passwords" ownerid="OL07-00-010290" disa="366" severity="high">
- <VMSinfo VKey="221687" SVKey="221687r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not have accounts configured with blank or null passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_empty_passwords" ownerid="OL07-00-010300" disa="766" severity="high">
- <VMSinfo VKey="221688" SVKey="221688r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password."/>
- </overlay>
- <overlay owner="disastig" ruleid="account_disable_post_pw_expiration" ownerid="OL07-00-010310" disa="795" severity="medium">
- <VMSinfo VKey="221689" SVKey="221689r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_unlock_time" ownerid="OL07-00-010320" disa="44" severity="medium">
- <VMSinfo VKey="221690" SVKey="221690r6037" VRelease="r603787"/>
- <title text="The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny_root" ownerid="OL07-00-010330" disa="2238" severity="medium">
- <VMSinfo VKey="221691" SVKey="221691r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period."/>
- </overlay>
- <overlay owner="disastig" ruleid="sudo_remove_nopasswd" ownerid="OL07-00-010340" disa="2038" severity="medium">
- <VMSinfo VKey="221692" SVKey="221692r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation."/>
- </overlay>
- <overlay owner="disastig" ruleid="sudo_restrict_privilege_elevation_to_authorized" ownerid="OL07-00-010341" disa="366" severity="medium">
- <VMSinfo VKey="237627" SVKey="237627r6469" VRelease="r646964"/>
- <title text="The Oracle Linux operating system must restrict privilege elevation to authorized personnel."/>
- </overlay>
- <overlay owner="disastig" ruleid="sudoers_validate_passwd" ownerid="OL07-00-010342" disa="2227" severity="medium">
- <VMSinfo VKey="237628" SVKey="237628r6469" VRelease="r646967"/>
- <title text="The Oracle Linux operating system must use the invoking user's password for privilege escalation when using &quot;sudo&quot;."/>
- </overlay>
- <overlay owner="disastig" ruleid="sudo_remove_nopasswd" ownerid="OL07-00-010343" disa="2038" severity="medium">
- <VMSinfo VKey="237629" SVKey="237629r6469" VRelease="r646970"/>
- <title text="The Oracle Linux operating system must require re-authentication when using the &quot;sudo&quot; command."/>
- </overlay>
- <overlay owner="disastig" ruleid="sudo_remove_no_authenticate" ownerid="OL07-00-010350" disa="2038" severity="medium">
- <VMSinfo VKey="228569" SVKey="228569r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so users must re-authenticate for privilege escalation."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_logon_fail_delay" ownerid="OL07-00-010430" disa="366" severity="medium">
- <VMSinfo VKey="221693" SVKey="221693r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds."/>
- </overlay>
- <overlay owner="disastig" ruleid="gnome_gdm_disable_automatic_login" ownerid="OL07-00-010440" disa="366" severity="high">
- <VMSinfo VKey="221694" SVKey="221694r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface."/>
- </overlay>
- <overlay owner="disastig" ruleid="gnome_gdm_disable_guest_login" ownerid="OL07-00-010450" disa="366" severity="high">
- <VMSinfo VKey="221695" SVKey="221695r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not allow an unrestricted logon to the system."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_do_not_permit_user_env" ownerid="OL07-00-010460" disa="366" severity="medium">
- <VMSinfo VKey="221696" SVKey="221696r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not allow users to override SSH environment variables."/>
- </overlay>
- <overlay owner="disastig" ruleid="disable_host_auth" ownerid="OL07-00-010470" disa="366" severity="medium">
- <VMSinfo VKey="221697" SVKey="221697r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not allow a non-certificate trusted host SSH logon to the system."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_admin_username" ownerid="OL07-00-010480" disa="213" severity="high">
- <VMSinfo VKey="221698" SVKey="221698r6032" VRelease="r603260"/>
- <title text="Oracle Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."/>
- </overlay>
- <overlay owner="disastig" ruleid="require_singleuser_auth" ownerid="OL07-00-010481" disa="213" severity="medium">
- <VMSinfo VKey="221699" SVKey="221699r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must require authentication upon booting into single-user and maintenance modes."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_password" ownerid="OL07-00-010482" disa="213" severity="high">
- <VMSinfo VKey="221700" SVKey="221700r6032" VRelease="r603260"/>
- <title text="Oracle Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_uefi_admin_username" ownerid="OL07-00-010490" disa="213" severity="high">
- <VMSinfo VKey="221701" SVKey="221701r6032" VRelease="r603260"/>
- <title text="Oracle Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_uefi_password" ownerid="OL07-00-010491" disa="213" severity="high">
- <VMSinfo VKey="221702" SVKey="221702r6032" VRelease="r603260"/>
- <title text="Oracle Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."/>
- </overlay>
- <overlay owner="disastig" ruleid="smartcard_auth" ownerid="OL07-00-010500" disa="764" severity="medium">
- <VMSinfo VKey="221703" SVKey="221703r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_rsh-server_removed" ownerid="OL07-00-020000" disa="381" severity="high">
- <VMSinfo VKey="221704" SVKey="221704r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not have the rsh-server package installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_ypserv_removed" ownerid="OL07-00-020010" disa="381" severity="high">
- <VMSinfo VKey="221705" SVKey="221705r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not have the ypserv package installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_MFEhiplsm_installed" ownerid="OL07-00-020019" disa="1233" severity="medium">
- <VMSinfo VKey="221706" SVKey="221706r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must have a host-based intrusion detection tool installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="selinux_user_login_roles" ownerid="OL07-00-020020" disa="2235" severity="medium">
- <VMSinfo VKey="221707" SVKey="221707r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_periodic_cron_checking" ownerid="OL07-00-020030" disa="1744" severity="medium">
- <VMSinfo VKey="221708" SVKey="221708r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_scan_notification" ownerid="OL07-00-020040" disa="1744" severity="medium">
- <VMSinfo VKey="221709" SVKey="221709r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner."/>
- </overlay>
- <overlay owner="disastig" ruleid="ensure_gpgcheck_globally_activated" ownerid="OL07-00-020050" disa="1749" severity="high">
- <VMSinfo VKey="221710" SVKey="221710r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/>
- </overlay>
- <overlay owner="disastig" ruleid="ensure_gpgcheck_local_packages" ownerid="OL07-00-020060" disa="1749" severity="high">
- <VMSinfo VKey="221711" SVKey="221711r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/>
- </overlay>
- <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="OL07-00-020100" disa="1958" severity="medium">
- <VMSinfo VKey="221712" SVKey="221712r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured to disable USB mass storage."/>
- </overlay>
- <overlay owner="disastig" ruleid="kernel_module_dccp_disabled" ownerid="OL07-00-020101" disa="1958" severity="medium">
- <VMSinfo VKey="221713" SVKey="221713r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_autofs_disabled" ownerid="OL07-00-020110" disa="778" severity="medium">
- <VMSinfo VKey="221714" SVKey="221714r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must disable the file system automounter unless required."/>
- </overlay>
- <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="OL07-00-020111" disa="1958" severity="medium">
- <VMSinfo VKey="228567" SVKey="228567r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must disable the graphical user interface automounter unless required."/>
- </overlay>
- <overlay owner="disastig" ruleid="clean_components_post_updating" ownerid="OL07-00-020200" disa="2617" severity="low">
- <VMSinfo VKey="221715" SVKey="221715r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must remove all software components after updated versions have been installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="selinux_state" ownerid="OL07-00-020210" disa="2165" severity="medium">
- <VMSinfo VKey="221716" SVKey="221716r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must enable SELinux."/>
- </overlay>
- <overlay owner="disastig" ruleid="selinux_policytype" ownerid="OL07-00-020220" disa="2696" severity="medium">
- <VMSinfo VKey="228570" SVKey="228570r6064" VRelease="r606409"/>
- <title text="The Oracle Linux operating system must enable the SELinux targeted policy."/>
- </overlay>
- <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" ownerid="OL07-00-020230" disa="366" severity="high">
- <VMSinfo VKey="221717" SVKey="221717r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_disable_ctrlaltdel_reboot" ownerid="OL07-00-020231" disa="366" severity="high">
- <VMSinfo VKey="228565" SVKey="228565r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_umask_etc_login_defs" ownerid="OL07-00-020240" disa="366" severity="medium">
- <VMSinfo VKey="221718" SVKey="221718r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."/>
- </overlay>
- <overlay owner="disastig" ruleid="installed_OS_is_vendor_supported" ownerid="OL07-00-020250" disa="366" severity="high">
- <VMSinfo VKey="221719" SVKey="221719r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be a vendor supported release."/>
- </overlay>
- <overlay owner="disastig" ruleid="security_patches_up_to_date" ownerid="OL07-00-020260" disa="366" severity="medium">
- <VMSinfo VKey="221720" SVKey="221720r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system security patches and updates must be installed and up to date."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_vsftpd_removed" ownerid="OL07-00-020270" disa="366" severity="medium">
- <VMSinfo VKey="221721" SVKey="221721r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not have unnecessary accounts."/>
- </overlay>
- <overlay owner="disastig" ruleid="gid_passwd_group_same" ownerid="OL07-00-020300" disa="764" severity="low">
- <VMSinfo VKey="221722" SVKey="221722r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_no_uid_except_zero" ownerid="OL07-00-020310" disa="366" severity="high">
- <VMSinfo VKey="221723" SVKey="221723r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_files_unowned_by_user" ownerid="OL07-00-020320" disa="366" severity="medium">
- <VMSinfo VKey="221724" SVKey="221724r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that all files and directories have a valid owner."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_ungroupowned" ownerid="OL07-00-020330" disa="366" severity="medium">
- <VMSinfo VKey="221725" SVKey="221725r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that all files and directories have a valid group owner."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_have_homedir_login_defs" ownerid="OL07-00-020610" disa="366" severity="medium">
- <VMSinfo VKey="221727" SVKey="221727r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_exists" ownerid="OL07-00-020620" disa="366" severity="medium">
- <VMSinfo VKey="221728" SVKey="221728r6037" VRelease="r603789"/>
- <title text="The Oracle Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_home_directories" ownerid="OL07-00-020630" disa="366" severity="medium">
- <VMSinfo VKey="221729" SVKey="221729r6037" VRelease="r603791"/>
- <title text="The Oracle Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_ownership_home_directories" ownerid="OL07-00-020640" disa="366" severity="medium">
- <VMSinfo VKey="221730" SVKey="221730r6037" VRelease="r603793"/>
- <title text="The Oracle Linux operating system must be configured so that all local interactive user home directories are owned by their respective users."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_groupownership_home_directories" ownerid="OL07-00-020650" disa="366" severity="medium">
- <VMSinfo VKey="221731" SVKey="221731r6037" VRelease="r603795"/>
- <title text="The Oracle Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_users_home_files_ownership" ownerid="OL07-00-020660" disa="366" severity="medium">
- <VMSinfo VKey="221732" SVKey="221732r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_users_home_files_groupownership" ownerid="OL07-00-020670" disa="366" severity="medium">
- <VMSinfo VKey="221733" SVKey="221733r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_users_home_files_permissions" ownerid="OL07-00-020680" disa="366" severity="medium">
- <VMSinfo VKey="221734" SVKey="221734r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_dot_user_ownership" ownerid="OL07-00-020690" disa="366" severity="medium">
- <VMSinfo VKey="221735" SVKey="221735r6037" VRelease="r603797"/>
- <title text="The Oracle Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_dot_group_ownership" ownerid="OL07-00-020700" disa="366" severity="medium">
- <VMSinfo VKey="221736" SVKey="221736r6037" VRelease="r603799"/>
- <title text="The Oracle Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permission_user_init_files" ownerid="OL07-00-020710" disa="366" severity="medium">
- <VMSinfo VKey="221737" SVKey="221737r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_home_paths_only" ownerid="OL07-00-020720" disa="366" severity="medium">
- <VMSinfo VKey="221738" SVKey="221738r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_dot_no_world_writable_programs" ownerid="OL07-00-020730" disa="366" severity="medium">
- <VMSinfo VKey="221739" SVKey="221739r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that local initialization files do not execute world-writable programs."/>
- </overlay>
- <overlay owner="disastig" ruleid="selinux_all_devicefiles_labeled" ownerid="OL07-00-020900" disa="366" severity="medium">
- <VMSinfo VKey="221740" SVKey="221740r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_home_nosuid" ownerid="OL07-00-021000" disa="366" severity="medium">
- <VMSinfo VKey="221741" SVKey="221741r6038" VRelease="r603801"/>
- <title text="The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_nosuid_removable_partitions" ownerid="OL07-00-021010" disa="366" severity="medium">
- <VMSinfo VKey="221742" SVKey="221742r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_nosuid_remote_filesystems" ownerid="OL07-00-021020" disa="366" severity="medium">
- <VMSinfo VKey="221743" SVKey="221743r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS)."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_noexec_remote_filesystems" ownerid="OL07-00-021021" disa="366" severity="medium">
- <VMSinfo VKey="221744" SVKey="221744r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS)."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_dev_shm_noexec" ownerid="OL07-00-021024" disa="1764" severity="low">
- <VMSinfo VKey="221747" SVKey="221747r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must mount /dev/shm with secure options."/>
- </overlay>
- <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned_group" ownerid="OL07-00-021030" disa="366" severity="medium">
- <VMSinfo VKey="221748" SVKey="221748r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group."/>
- </overlay>
- <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned" ownerid="OL07-00-021031" disa="366" severity="medium">
- <VMSinfo VKey="228566" SVKey="228566r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_umask_interactive_users" ownerid="OL07-00-021040" disa="366" severity="medium">
- <VMSinfo VKey="221749" SVKey="221749r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must set the umask value to 077 for all local interactive user accounts."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_cron_logging" ownerid="OL07-00-021100" disa="366" severity="medium">
- <VMSinfo VKey="221750" SVKey="221750r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must have cron logging implemented."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_owner_cron_allow" ownerid="OL07-00-021110" disa="366" severity="medium">
- <VMSinfo VKey="221751" SVKey="221751r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_groupowner_cron_allow" ownerid="OL07-00-021120" disa="366" severity="medium">
- <VMSinfo VKey="221752" SVKey="221752r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_kdump_disabled" ownerid="OL07-00-021300" disa="366" severity="medium">
- <VMSinfo VKey="221753" SVKey="221753r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must disable Kernel core dumps unless needed."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_home" ownerid="OL07-00-021310" disa="366" severity="low">
- <VMSinfo VKey="221754" SVKey="221754r6038" VRelease="r603803"/>
- <title text="The Oracle Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent)."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_var" ownerid="OL07-00-021320" disa="366" severity="low">
- <VMSinfo VKey="221755" SVKey="221755r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must use a separate file system for /var."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_var_log_audit" ownerid="OL07-00-021330" disa="1849" severity="low">
- <VMSinfo VKey="221756" SVKey="221756r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must use a separate file system for the system audit data path large enough to hold at least one week of audit data."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_tmp" ownerid="OL07-00-021340" disa="366" severity="low">
- <VMSinfo VKey="221757" SVKey="221757r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must use a separate file system for /tmp (or equivalent)."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_enable_fips_mode" ownerid="OL07-00-021350" disa="2476" severity="high">
- <VMSinfo VKey="221758" SVKey="221758r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_verify_acls" ownerid="OL07-00-021600" disa="366" severity="low">
- <VMSinfo VKey="221759" SVKey="221759r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs)."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_verify_ext_attributes" ownerid="OL07-00-021610" disa="366" severity="low">
- <VMSinfo VKey="221760" SVKey="221760r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_use_fips_hashes" ownerid="OL07-00-021620" disa="366" severity="medium">
- <VMSinfo VKey="221761" SVKey="221761r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_no_removeable_media" ownerid="OL07-00-021700" disa="1813" severity="medium">
- <VMSinfo VKey="221762" SVKey="221762r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not allow removable media to be used as the boot loader unless approved."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_telnet-server_removed" ownerid="OL07-00-021710" disa="381" severity="high">
- <VMSinfo VKey="221763" SVKey="221763r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not have the telnet-server package installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="OL07-00-030000" disa="135" severity="medium">
- <VMSinfo VKey="221764" SVKey="221764r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_system_shutdown" ownerid="OL07-00-030010" disa="139" severity="medium">
- <VMSinfo VKey="221765" SVKey="221765r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="OL07-00-030201" disa="1851" severity="medium">
- <VMSinfo VKey="221767" SVKey="221767r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="OL07-00-030210" disa="1851" severity="medium">
- <VMSinfo VKey="221768" SVKey="221768r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must take appropriate action when the remote logging buffer is full."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_name_format" ownerid="OL07-00-030211" disa="1851" severity="medium">
- <VMSinfo VKey="221769" SVKey="221769r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must label all off-loaded audit logs before sending them to the central log server."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="OL07-00-030300" disa="1851" severity="medium">
- <VMSinfo VKey="221770" SVKey="221770r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must off-load audit records onto a different system or media from the system being audited."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="OL07-00-030310" disa="1851" severity="medium">
- <VMSinfo VKey="221771" SVKey="221771r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_audispd_disk_full_action" ownerid="OL07-00-030320" disa="1851" severity="medium">
- <VMSinfo VKey="221772" SVKey="221772r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_audispd_network_failure_action" ownerid="OL07-00-030321" disa="1851" severity="medium">
- <VMSinfo VKey="221773" SVKey="221773r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_data_retention_space_left" ownerid="OL07-00-030330" disa="1855" severity="medium">
- <VMSinfo VKey="221774" SVKey="221774r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_data_retention_admin_space_left_action" ownerid="OL07-00-030340" disa="1855" severity="medium">
- <VMSinfo VKey="221775" SVKey="221775r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_data_retention_action_mail_acct" ownerid="OL07-00-030350" disa="1855" severity="medium">
- <VMSinfo VKey="221776" SVKey="221776r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands" ownerid="OL07-00-030360" disa="2234" severity="medium">
- <VMSinfo VKey="221777" SVKey="221777r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all executions of privileged functions."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_chown" ownerid="OL07-00-030370" disa="126" severity="medium">
- <VMSinfo VKey="221778" SVKey="221778r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the chown syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchown" ownerid="OL07-00-030380" disa="172" severity="medium">
- <VMSinfo VKey="221779" SVKey="221779r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the fchown syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_lchown" ownerid="OL07-00-030390" disa="126" severity="medium">
- <VMSinfo VKey="221780" SVKey="221780r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the lchown syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchownat" ownerid="OL07-00-030400" disa="172" severity="medium">
- <VMSinfo VKey="221781" SVKey="221781r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the fchownat syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_chmod" ownerid="OL07-00-030410" disa="172" severity="medium">
- <VMSinfo VKey="221782" SVKey="221782r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the chmod syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmod" ownerid="OL07-00-030420" disa="172" severity="medium">
- <VMSinfo VKey="221783" SVKey="221783r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the fchmod syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmodat" ownerid="OL07-00-030430" disa="172" severity="medium">
- <VMSinfo VKey="221784" SVKey="221784r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the fchmodat syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_setxattr" ownerid="OL07-00-030440" disa="172" severity="medium">
- <VMSinfo VKey="221785" SVKey="221785r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the setxattr syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fsetxattr" ownerid="OL07-00-030450" disa="172" severity="medium">
- <VMSinfo VKey="221786" SVKey="221786r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the fsetxattr syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_lsetxattr" ownerid="OL07-00-030460" disa="172" severity="medium">
- <VMSinfo VKey="221787" SVKey="221787r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the lsetxattr syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_removexattr" ownerid="OL07-00-030470" disa="172" severity="medium">
- <VMSinfo VKey="221788" SVKey="221788r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the removexattr syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fremovexattr" ownerid="OL07-00-030480" disa="172" severity="medium">
- <VMSinfo VKey="221789" SVKey="221789r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the fremovexattr syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_lremovexattr" ownerid="OL07-00-030490" disa="172" severity="medium">
- <VMSinfo VKey="221790" SVKey="221790r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the lremovexattr syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_creat" ownerid="OL07-00-030500" disa="2884" severity="medium">
- <VMSinfo VKey="221791" SVKey="221791r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the creat syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open" ownerid="OL07-00-030510" disa="172" severity="medium">
- <VMSinfo VKey="221792" SVKey="221792r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the open syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_openat" ownerid="OL07-00-030520" disa="2884" severity="medium">
- <VMSinfo VKey="221793" SVKey="221793r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the openat syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open_by_handle_at" ownerid="OL07-00-030530" disa="172" severity="medium">
- <VMSinfo VKey="221794" SVKey="221794r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the open_by_handle_at syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_truncate" ownerid="OL07-00-030540" disa="2884" severity="medium">
- <VMSinfo VKey="221795" SVKey="221795r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the truncate syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_ftruncate" ownerid="OL07-00-030550" disa="172" severity="medium">
- <VMSinfo VKey="221796" SVKey="221796r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the ftruncate syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_execution_semanage" ownerid="OL07-00-030560" disa="172" severity="medium">
- <VMSinfo VKey="221797" SVKey="221797r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the semanage command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_execution_setsebool" ownerid="OL07-00-030570" disa="2884" severity="medium">
- <VMSinfo VKey="221798" SVKey="221798r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the setsebool command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_execution_chcon" ownerid="OL07-00-030580" disa="2884" severity="medium">
- <VMSinfo VKey="221799" SVKey="221799r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the chcon command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_execution_setfiles" ownerid="OL07-00-030590" disa="2884" severity="medium">
- <VMSinfo VKey="221800" SVKey="221800r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the setfiles command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_login_events_faillock" ownerid="OL07-00-030610" disa="172" severity="medium">
- <VMSinfo VKey="221801" SVKey="221801r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must generate audit records for all unsuccessful account access events."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_login_events_lastlog" ownerid="OL07-00-030620" disa="172" severity="medium">
- <VMSinfo VKey="221802" SVKey="221802r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must generate audit records for all successful account access events."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_passwd" ownerid="OL07-00-030630" disa="135" severity="medium">
- <VMSinfo VKey="221803" SVKey="221803r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the passwd command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_unix_chkpwd" ownerid="OL07-00-030640" disa="135" severity="medium">
- <VMSinfo VKey="221804" SVKey="221804r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the unix_chkpwd command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_gpasswd" ownerid="OL07-00-030650" disa="135" severity="medium">
- <VMSinfo VKey="221805" SVKey="221805r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the gpasswd command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chage" ownerid="OL07-00-030660" disa="135" severity="medium">
- <VMSinfo VKey="221806" SVKey="221806r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the chage command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_userhelper" ownerid="OL07-00-030670" disa="135" severity="medium">
- <VMSinfo VKey="221807" SVKey="221807r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the userhelper command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_su" ownerid="OL07-00-030680" disa="172" severity="medium">
- <VMSinfo VKey="221808" SVKey="221808r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the su command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="OL07-00-030690" disa="130" severity="medium">
- <VMSinfo VKey="221809" SVKey="221809r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the sudo command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_sysadmin_actions" ownerid="OL07-00-030700" disa="172" severity="medium">
- <VMSinfo VKey="221810" SVKey="221810r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_newgrp" ownerid="OL07-00-030710" disa="172" severity="medium">
- <VMSinfo VKey="221811" SVKey="221811r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the newgrp command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chsh" ownerid="OL07-00-030720" disa="130" severity="medium">
- <VMSinfo VKey="221812" SVKey="221812r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the chsh command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_mount" ownerid="OL07-00-030740" disa="2884" severity="medium">
- <VMSinfo VKey="221813" SVKey="221813r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the mount command and syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_umount" ownerid="OL07-00-030750" disa="135" severity="medium">
- <VMSinfo VKey="221814" SVKey="221814r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the umount command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_postdrop" ownerid="OL07-00-030760" disa="135" severity="medium">
- <VMSinfo VKey="221815" SVKey="221815r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the postdrop command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_postqueue" ownerid="OL07-00-030770" disa="135" severity="medium">
- <VMSinfo VKey="221816" SVKey="221816r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the postqueue command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_ssh_keysign" ownerid="OL07-00-030780" disa="135" severity="medium">
- <VMSinfo VKey="221817" SVKey="221817r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the ssh-keysign command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_crontab" ownerid="OL07-00-030800" disa="135" severity="medium">
- <VMSinfo VKey="221818" SVKey="221818r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the crontab command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_pam_timestamp_check" ownerid="OL07-00-030810" disa="172" severity="medium">
- <VMSinfo VKey="221819" SVKey="221819r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the pam_timestamp_check command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="OL07-00-030819" disa="172" severity="medium">
- <VMSinfo VKey="221820" SVKey="221820r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the create_module syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_init" ownerid="OL07-00-030820" disa="172" severity="medium">
- <VMSinfo VKey="221821" SVKey="221821r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the init_module syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_finit" ownerid="OL07-00-030821" disa="172" severity="medium">
- <VMSinfo VKey="221822" SVKey="221822r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the finit_module syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="OL07-00-030830" disa="172" severity="medium">
- <VMSinfo VKey="221823" SVKey="221823r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the delete_module syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="OL07-00-030840" disa="172" severity="medium">
- <VMSinfo VKey="221824" SVKey="221824r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the kmod command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="OL07-00-030870" disa="1405" severity="medium">
- <VMSinfo VKey="221825" SVKey="221825r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_group" ownerid="OL07-00-030871" disa="18" severity="medium">
- <VMSinfo VKey="221826" SVKey="221826r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_gshadow" ownerid="OL07-00-030872" disa="18" severity="medium">
- <VMSinfo VKey="221827" SVKey="221827r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_shadow" ownerid="OL07-00-030873" disa="18" severity="medium">
- <VMSinfo VKey="221828" SVKey="221828r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_opasswd" ownerid="OL07-00-030874" disa="18" severity="medium">
- <VMSinfo VKey="221829" SVKey="221829r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_rename" ownerid="OL07-00-030880" disa="2884" severity="medium">
- <VMSinfo VKey="221830" SVKey="221830r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the rename syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_renameat" ownerid="OL07-00-030890" disa="172" severity="medium">
- <VMSinfo VKey="221831" SVKey="221831r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the renameat syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_rmdir" ownerid="OL07-00-030900" disa="2884" severity="medium">
- <VMSinfo VKey="221832" SVKey="221832r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the rmdir syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_unlink" ownerid="OL07-00-030910" disa="172" severity="medium">
- <VMSinfo VKey="221833" SVKey="221833r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the unlink syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_unlinkat" ownerid="OL07-00-030920" disa="2884" severity="medium">
- <VMSinfo VKey="221834" SVKey="221834r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must audit all uses of the unlinkat syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="OL07-00-031000" disa="366" severity="medium">
- <VMSinfo VKey="221835" SVKey="221835r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must send rsyslog output to a log aggregation server."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_nolisten" ownerid="OL07-00-031010" disa="366" severity="medium">
- <VMSinfo VKey="221836" SVKey="221836r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation."/>
- </overlay>
- <overlay owner="disastig" ruleid="install_mcafee_antivirus" ownerid="OL07-00-032000" disa="366" severity="high">
- <VMSinfo VKey="221837" SVKey="221837r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must use a virus scan program."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_max_concurrent_login_sessions" ownerid="OL07-00-040000" disa="54" severity="low">
- <VMSinfo VKey="221838" SVKey="221838r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types."/>
- </overlay>
- <overlay owner="disastig" ruleid="configure_firewalld_ports" ownerid="OL07-00-040100" disa="2314" severity="medium">
- <VMSinfo VKey="221839" SVKey="221839r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_use_approved_ciphers_ordered_stig" ownerid="OL07-00-040110" disa="68" severity="medium">
- <VMSinfo VKey="221840" SVKey="221840r6038" VRelease="r603806"/>
- <title text="The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_tmout" ownerid="OL07-00-040160" disa="1133" severity="medium">
- <VMSinfo VKey="221841" SVKey="221841r6469" VRelease="r646958"/>
- <title text="The Oracle Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="OL07-00-040170" disa="48" severity="medium">
- <VMSinfo VKey="221842" SVKey="221842r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts."/>
- </overlay>
- <overlay owner="disastig" ruleid="sssd_ldap_start_tls" ownerid="OL07-00-040180" disa="1453" severity="medium">
- <VMSinfo VKey="221843" SVKey="221843r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."/>
- </overlay>
- <overlay owner="disastig" ruleid="sssd_ldap_configure_tls_reqcert" ownerid="OL07-00-040190" disa="1453" severity="medium">
- <VMSinfo VKey="221844" SVKey="221844r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."/>
- </overlay>
- <overlay owner="disastig" ruleid="sssd_ldap_configure_tls_ca_dir" ownerid="OL07-00-040200" disa="1453" severity="medium">
- <VMSinfo VKey="221845" SVKey="221845r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_kernel_randomize_va_space" ownerid="OL07-00-040201" disa="2824" severity="medium">
- <VMSinfo VKey="221846" SVKey="221846r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must implement virtual address space randomization."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_openssh-server_installed" ownerid="OL07-00-040300" disa="2422" severity="medium">
- <VMSinfo VKey="221847" SVKey="221847r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that all networked systems have SSH installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_sshd_enabled" ownerid="OL07-00-040310" disa="2418" severity="medium">
- <VMSinfo VKey="221848" SVKey="221848r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_set_idle_timeout" ownerid="OL07-00-040320" disa="1133" severity="medium">
- <VMSinfo VKey="221849" SVKey="221849r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_rhosts_rsa" ownerid="OL07-00-040330" disa="366" severity="medium">
- <VMSinfo VKey="221850" SVKey="221850r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_set_keepalive_0" ownerid="OL07-00-040340" disa="1133" severity="medium">
- <VMSinfo VKey="221851" SVKey="221851r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_rhosts" ownerid="OL07-00-040350" disa="366" severity="medium">
- <VMSinfo VKey="221852" SVKey="221852r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_print_last_log" ownerid="OL07-00-040360" disa="366" severity="medium">
- <VMSinfo VKey="221853" SVKey="221853r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must display the date and time of the last successful account logon upon an SSH logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="OL07-00-040370" disa="366" severity="medium">
- <VMSinfo VKey="221854" SVKey="221854r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not permit direct logons to the root account using remote access via SSH."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_user_known_hosts" ownerid="OL07-00-040380" disa="366" severity="medium">
- <VMSinfo VKey="221855" SVKey="221855r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_allow_only_protocol2" ownerid="OL07-00-040390" disa="197" severity="high">
- <VMSinfo VKey="221856" SVKey="221856r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_use_approved_macs_ordered_stig" ownerid="OL07-00-040400" disa="1453" severity="medium">
- <VMSinfo VKey="221857" SVKey="221857r6038" VRelease="r603809"/>
- <title text="The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_sshd_pub_key" ownerid="OL07-00-040410" disa="366" severity="medium">
- <VMSinfo VKey="221858" SVKey="221858r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_sshd_private_key" ownerid="OL07-00-040420" disa="366" severity="medium">
- <VMSinfo VKey="221859" SVKey="221859r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_gssapi_auth" ownerid="OL07-00-040430" disa="1813" severity="medium">
- <VMSinfo VKey="221860" SVKey="221860r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_kerb_auth" ownerid="OL07-00-040440" disa="1813" severity="medium">
- <VMSinfo VKey="221861" SVKey="221861r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_enable_strictmodes" ownerid="OL07-00-040450" disa="366" severity="medium">
- <VMSinfo VKey="221862" SVKey="221862r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_use_priv_separation" ownerid="OL07-00-040460" disa="366" severity="medium">
- <VMSinfo VKey="221863" SVKey="221863r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the SSH daemon uses privilege separation."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_compression" ownerid="OL07-00-040470" disa="366" severity="medium">
- <VMSinfo VKey="221864" SVKey="221864r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="chronyd_or_ntpd_set_maxpoll" ownerid="OL07-00-040500" disa="2046" severity="medium">
- <VMSinfo VKey="221866" SVKey="221866r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_tcp_invalid_ratelimit" ownerid="OL07-00-040510" disa="2385" severity="medium">
- <VMSinfo VKey="221867" SVKey="221867r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_firewalld_enabled" ownerid="OL07-00-040520" disa="366" severity="medium">
- <VMSinfo VKey="221868" SVKey="221868r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must enable an application firewall, if available."/>
- </overlay>
- <overlay owner="disastig" ruleid="display_login_attempts" ownerid="OL07-00-040530" disa="366" severity="low">
- <VMSinfo VKey="221869" SVKey="221869r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must display the date and time of the last successful account logon upon logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_user_host_based_files" ownerid="OL07-00-040540" disa="366" severity="high">
- <VMSinfo VKey="221870" SVKey="221870r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not contain .shosts files."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_host_based_files" ownerid="OL07-00-040550" disa="366" severity="high">
- <VMSinfo VKey="221871" SVKey="221871r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not contain shosts.equiv files."/>
- </overlay>
- <overlay owner="disastig" ruleid="network_configure_name_resolution" ownerid="OL07-00-040600" disa="366" severity="low">
- <VMSinfo VKey="221872" SVKey="221872r6032" VRelease="r603260"/>
- <title text="For Oracle Linux operating systems using DNS resolution, at least two name servers must be configured."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_source_route" ownerid="OL07-00-040610" disa="366" severity="medium">
- <VMSinfo VKey="221873" SVKey="221873r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_rp_filter" ownerid="OL07-00-040611" disa="366" severity="medium">
- <VMSinfo VKey="221874" SVKey="221874r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_rp_filter" ownerid="OL07-00-040612" disa="366" severity="medium">
- <VMSinfo VKey="221875" SVKey="221875r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_source_route" ownerid="OL07-00-040620" disa="366" severity="medium">
- <VMSinfo VKey="221876" SVKey="221876r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" ownerid="OL07-00-040630" disa="366" severity="medium">
- <VMSinfo VKey="221877" SVKey="221877r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_redirects" ownerid="OL07-00-040640" disa="366" severity="medium">
- <VMSinfo VKey="221878" SVKey="221878r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_redirects" ownerid="OL07-00-040641" disa="366" severity="medium">
- <VMSinfo VKey="221879" SVKey="221879r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_send_redirects" ownerid="OL07-00-040650" disa="366" severity="medium">
- <VMSinfo VKey="221880" SVKey="221880r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_send_redirects" ownerid="OL07-00-040660" disa="366" severity="medium">
- <VMSinfo VKey="221881" SVKey="221881r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects."/>
- </overlay>
- <overlay owner="disastig" ruleid="network_sniffer_disabled" ownerid="OL07-00-040670" disa="366" severity="medium">
- <VMSinfo VKey="221882" SVKey="221882r6032" VRelease="r603260"/>
- <title text="Network interfaces configured on The Oracle Linux operating system must not be in promiscuous mode."/>
- </overlay>
- <overlay owner="disastig" ruleid="postfix_prevent_unrestricted_relay" ownerid="OL07-00-040680" disa="366" severity="medium">
- <VMSinfo VKey="221883" SVKey="221883r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured to prevent unrestricted mail relaying."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_vsftpd_removed" ownerid="OL07-00-040690" disa="366" severity="high">
- <VMSinfo VKey="221884" SVKey="221884r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_tftp-server_removed" ownerid="OL07-00-040700" disa="366" severity="high">
- <VMSinfo VKey="221885" SVKey="221885r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_x11_forwarding" ownerid="OL07-00-040710" disa="366" severity="medium">
- <VMSinfo VKey="221886" SVKey="221886r6038" VRelease="r603812"/>
- <title text="The Oracle Linux operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_x11_use_localhost" ownerid="OL07-00-040711" disa="366" severity="medium">
- <VMSinfo VKey="233306" SVKey="233306r6032" VRelease="r603298"/>
- <title text="The Oracle Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display."/>
- </overlay>
- <overlay owner="disastig" ruleid="tftpd_uses_secure_mode" ownerid="OL07-00-040720" disa="366" severity="medium">
- <VMSinfo VKey="221887" SVKey="221887r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_xorg-x11-server-common_removed" ownerid="OL07-00-040730" disa="366" severity="medium">
- <VMSinfo VKey="221888" SVKey="221888r6469" VRelease="r646961"/>
- <title text="The Oracle Linux operating system must not have a graphical display manager installed unless approved."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_ip_forward" ownerid="OL07-00-040740" disa="366" severity="medium">
- <VMSinfo VKey="221889" SVKey="221889r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not be performing packet forwarding unless the system is a router."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_krb_sec_remote_filesystems" ownerid="OL07-00-040750" disa="366" severity="medium">
- <VMSinfo VKey="221890" SVKey="221890r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."/>
- </overlay>
- <overlay owner="disastig" ruleid="snmpd_not_default_password" ownerid="OL07-00-040800" disa="366" severity="high">
- <VMSinfo VKey="221891" SVKey="221891r6032" VRelease="r603260"/>
- <title text="SNMP community strings on the Oracle Linux operating system must be changed from the default."/>
- </overlay>
- <overlay owner="disastig" ruleid="set_firewalld_default_zone" ownerid="OL07-00-040810" disa="366" severity="medium">
- <VMSinfo VKey="221892" SVKey="221892r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."/>
- </overlay>
- <overlay owner="disastig" ruleid="libreswan_approved_tunnels" ownerid="OL07-00-040820" disa="366" severity="medium">
- <VMSinfo VKey="221893" SVKey="221893r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not have unauthorized IP tunnels configured."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_source_route" ownerid="OL07-00-040830" disa="366" severity="medium">
- <VMSinfo VKey="221894" SVKey="221894r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must not forward IPv6 source-routed packets."/>
- </overlay>
- <overlay owner="disastig" ruleid="install_smartcard_packages" ownerid="OL07-00-041001" disa="1948" severity="medium">
- <VMSinfo VKey="221895" SVKey="221895r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must have the required packages for multifactor authentication installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="sssd_enable_pam_services" ownerid="OL07-00-041002" disa="1954" severity="medium">
- <VMSinfo VKey="221896" SVKey="221896r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)."/>
- </overlay>
- <overlay owner="disastig" ruleid="smartcard_configure_cert_checking" ownerid="OL07-00-041003" disa="1948" severity="medium">
- <VMSinfo VKey="221897" SVKey="221897r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must implement certificate status checking for PKI authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="wireless_disable_interfaces" ownerid="OL07-00-041010" disa="2421" severity="medium">
- <VMSinfo VKey="221898" SVKey="221898r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must be configured so that all wireless network adapters are disabled."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_ownership_var_log_audit" ownerid="OL07-00-910055" disa="164" severity="medium">
- <VMSinfo VKey="221899" SVKey="221899r6032" VRelease="r603260"/>
- <title text="The Oracle Linux operating system must protect audit information from unauthorized read, modification, or deletion."/>
- </overlay>
-</overlays>
diff --git a/products/rhel7/overlays/stig_overlay.xml b/products/rhel7/overlays/stig_overlay.xml
deleted file mode 100644
index 2bf837c8b3b..00000000000
--- a/products/rhel7/overlays/stig_overlay.xml
+++ /dev/null
@@ -1,999 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<overlays xmlns="http://checklists.nist.gov/xccdf/1.1">
- <overlay owner="disastig" ruleid="rpm_verify_ownership" ownerid="RHEL-07-010010" disa="2235" severity="high">
- <VMSinfo VKey="204392" SVKey="204392r6468" VRelease="r646841"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values."/>
- </overlay>
- <overlay owner="disastig" ruleid="rpm_verify_hashes" ownerid="RHEL-07-010020" disa="1749" severity="high">
- <VMSinfo VKey="214799" SVKey="214799r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_banner_enabled" ownerid="RHEL-07-010030" disa="48" severity="medium">
- <VMSinfo VKey="204393" SVKey="204393r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_login_banner_text" ownerid="RHEL-07-010040" disa="48" severity="medium">
- <VMSinfo VKey="204394" SVKey="204394r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="banner_etc_issue" ownerid="RHEL-07-010050" disa="48" severity="medium">
- <VMSinfo VKey="204395" SVKey="204395r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_enabled" ownerid="RHEL-07-010060" disa="56" severity="medium">
- <VMSinfo VKey="204396" SVKey="204396r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_enable_smartcard_auth" ownerid="RHEL-07-010061" disa="1954" severity="medium">
- <VMSinfo VKey="204397" SVKey="204397r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_locked" ownerid="RHEL-07-010062" disa="57" severity="medium">
- <VMSinfo VKey="214937" SVKey="214937r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_delay" ownerid="RHEL-07-010070" disa="57" severity="medium">
- <VMSinfo VKey="204398" SVKey="204398r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_user_locks" ownerid="RHEL-07-010081" disa="57" severity="medium">
- <VMSinfo VKey="204399" SVKey="204399r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_session_idle_user_locks" ownerid="RHEL-07-010082" disa="57" severity="medium">
- <VMSinfo VKey="204400" SVKey="204400r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_activation_enabled" ownerid="RHEL-07-010100" disa="57" severity="medium">
- <VMSinfo VKey="204402" SVKey="204402r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_activation_locked" ownerid="RHEL-07-010101" disa="57" severity="medium">
- <VMSinfo VKey="204403" SVKey="204403r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_delay" ownerid="RHEL-07-010110" disa="57" severity="medium">
- <VMSinfo VKey="204404" SVKey="204404r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_retry" ownerid="RHEL-07-010118" disa="192" severity="medium">
- <VMSinfo VKey="204405" SVKey="204405r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_retry" ownerid="RHEL-07-010119" disa="192" severity="medium">
- <VMSinfo VKey="204406" SVKey="204406r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_ucredit" ownerid="RHEL-07-010120" disa="192" severity="medium">
- <VMSinfo VKey="204407" SVKey="204407r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_lcredit" ownerid="RHEL-07-010130" disa="193" severity="medium">
- <VMSinfo VKey="204408" SVKey="204408r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_dcredit" ownerid="RHEL-07-010140" disa="194" severity="medium">
- <VMSinfo VKey="204409" SVKey="204409r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_ocredit" ownerid="RHEL-07-010150" disa="1619" severity="medium">
- <VMSinfo VKey="204410" SVKey="204410r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_difok" ownerid="RHEL-07-010160" disa="195" severity="medium">
- <VMSinfo VKey="204411" SVKey="204411r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_minclass" ownerid="RHEL-07-010170" disa="195" severity="medium">
- <VMSinfo VKey="204412" SVKey="204412r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_maxrepeat" ownerid="RHEL-07-010180" disa="195" severity="medium">
- <VMSinfo VKey="204413" SVKey="204413r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_maxclassrepeat" ownerid="RHEL-07-010190" disa="195" severity="medium">
- <VMSinfo VKey="204414" SVKey="204414r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters."/>
- </overlay>
- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_systemauth" ownerid="RHEL-07-010200" disa="196" severity="medium">
- <VMSinfo VKey="204415" SVKey="204415r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_logindefs" ownerid="RHEL-07-010210" disa="196" severity="medium">
- <VMSinfo VKey="204416" SVKey="204416r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_libuserconf" ownerid="RHEL-07-010220" disa="196" severity="medium">
- <VMSinfo VKey="204417" SVKey="204417r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_minimum_age_login_defs" ownerid="RHEL-07-010230" disa="198" severity="medium">
- <VMSinfo VKey="204418" SVKey="204418r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_set_min_life_existing" ownerid="RHEL-07-010240" disa="198" severity="medium">
- <VMSinfo VKey="204419" SVKey="204419r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_maximum_age_login_defs" ownerid="RHEL-07-010250" disa="199" severity="medium">
- <VMSinfo VKey="204420" SVKey="204420r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_set_max_life_existing" ownerid="RHEL-07-010260" disa="199" severity="medium">
- <VMSinfo VKey="204421" SVKey="204421r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_unix_remember" ownerid="RHEL-07-010270" disa="200" severity="medium">
- <VMSinfo VKey="204422" SVKey="204422r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_minlen" ownerid="RHEL-07-010280" disa="205" severity="medium">
- <VMSinfo VKey="204423" SVKey="204423r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_empty_passwords" ownerid="RHEL-07-010290" disa="366" severity="high">
- <VMSinfo VKey="204424" SVKey="204424r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_empty_passwords" ownerid="RHEL-07-010300" disa="766" severity="high">
- <VMSinfo VKey="204425" SVKey="204425r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password."/>
- </overlay>
- <overlay owner="disastig" ruleid="account_disable_post_pw_expiration" ownerid="RHEL-07-010310" disa="795" severity="medium">
- <VMSinfo VKey="204426" SVKey="204426r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_interval" ownerid="RHEL-07-010320" disa="2238" severity="medium">
- <VMSinfo VKey="204427" SVKey="204427r6038" VRelease="r603824"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny_root" ownerid="RHEL-07-010330" disa="2238" severity="medium">
- <VMSinfo VKey="204428" SVKey="204428r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period."/>
- </overlay>
- <overlay owner="disastig" ruleid="sudo_remove_nopasswd" ownerid="RHEL-07-010340" disa="2038" severity="medium">
- <VMSinfo VKey="204429" SVKey="204429r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation."/>
- </overlay>
- <overlay owner="disastig" ruleid="sudo_restrict_privilege_elevation_to_authorized" ownerid="RHEL-07-010341" disa="366" severity="medium">
- <VMSinfo VKey="237633" SVKey="237633r6468" VRelease="r646850"/>
- <title text="The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel."/>
- </overlay>
- <overlay owner="disastig" ruleid="sudoers_validate_passwd" ownerid="RHEL-07-010342" disa="2227" severity="medium">
- <VMSinfo VKey="237634" SVKey="237634r6468" VRelease="r646853"/>
- <title text="The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using &quot;sudo&quot;."/>
- </overlay>
- <overlay owner="disastig" ruleid="sudo_remove_nopasswd" ownerid="RHEL-07-010343" disa="2038" severity="medium">
- <VMSinfo VKey="237635" SVKey="237635r6468" VRelease="r646856"/>
- <title text="The Red Hat Enterprise Linux operating system must require re-authentication when using the &quot;sudo&quot; command."/>
- </overlay>
- <overlay owner="disastig" ruleid="sudo_remove_no_authenticate" ownerid="RHEL-07-010350" disa="2038" severity="medium">
- <VMSinfo VKey="204430" SVKey="204430r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_logon_fail_delay" ownerid="RHEL-07-010430" disa="366" severity="medium">
- <VMSinfo VKey="204431" SVKey="204431r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds."/>
- </overlay>
- <overlay owner="disastig" ruleid="gnome_gdm_disable_automatic_login" ownerid="RHEL-07-010440" disa="366" severity="high">
- <VMSinfo VKey="204432" SVKey="204432r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface."/>
- </overlay>
- <overlay owner="disastig" ruleid="gnome_gdm_disable_guest_login" ownerid="RHEL-07-010450" disa="366" severity="high">
- <VMSinfo VKey="204433" SVKey="204433r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_do_not_permit_user_env" ownerid="RHEL-07-010460" disa="366" severity="medium">
- <VMSinfo VKey="204434" SVKey="204434r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables."/>
- </overlay>
- <overlay owner="disastig" ruleid="disable_host_auth" ownerid="RHEL-07-010470" disa="366" severity="medium">
- <VMSinfo VKey="204435" SVKey="204435r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_admin_username" ownerid="RHEL-07-010480" disa="213" severity="high">
- <VMSinfo VKey="204436" SVKey="204436r6032" VRelease="r603261"/>
- <title text="Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."/>
- </overlay>
- <overlay owner="disastig" ruleid="require_singleuser_auth" ownerid="RHEL-07-010481" disa="213" severity="medium">
- <VMSinfo VKey="204437" SVKey="204437r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_password" ownerid="RHEL-07-010482" disa="213" severity="high">
- <VMSinfo VKey="204438" SVKey="204438r6032" VRelease="r603261"/>
- <title text="Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_uefi_admin_username" ownerid="RHEL-07-010490" disa="213" severity="high">
- <VMSinfo VKey="204439" SVKey="204439r6032" VRelease="r603261"/>
- <title text="Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_uefi_password" ownerid="RHEL-07-010491" disa="213" severity="high">
- <VMSinfo VKey="204440" SVKey="204440r6032" VRelease="r603261"/>
- <title text="Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."/>
- </overlay>
- <overlay owner="disastig" ruleid="smartcard_auth" ownerid="RHEL-07-010500" disa="766" severity="medium">
- <VMSinfo VKey="204441" SVKey="204441r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_rsh-server_removed" ownerid="RHEL-07-020000" disa="381" severity="high">
- <VMSinfo VKey="204442" SVKey="204442r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not have the rsh-server package installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_ypserv_removed" ownerid="RHEL-07-020010" disa="381" severity="high">
- <VMSinfo VKey="204443" SVKey="204443r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not have the ypserv package installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_MFEhiplsm_installed" ownerid="RHEL-07-020019" disa="1263" severity="medium">
- <VMSinfo VKey="214800" SVKey="214800r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="selinux_user_login_roles" ownerid="RHEL-07-020020" disa="2165" severity="medium">
- <VMSinfo VKey="204444" SVKey="204444r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_periodic_cron_checking" ownerid="RHEL-07-020030" disa="1744" severity="medium">
- <VMSinfo VKey="204445" SVKey="204445r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_scan_notification" ownerid="RHEL-07-020040" disa="1744" severity="medium">
- <VMSinfo VKey="204446" SVKey="204446r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner."/>
- </overlay>
- <overlay owner="disastig" ruleid="ensure_gpgcheck_globally_activated" ownerid="RHEL-07-020050" disa="1749" severity="high">
- <VMSinfo VKey="204447" SVKey="204447r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/>
- </overlay>
- <overlay owner="disastig" ruleid="ensure_gpgcheck_local_packages" ownerid="RHEL-07-020060" disa="1749" severity="high">
- <VMSinfo VKey="204448" SVKey="204448r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/>
- </overlay>
- <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-07-020100" disa="366" severity="medium">
- <VMSinfo VKey="204449" SVKey="204449r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage."/>
- </overlay>
- <overlay owner="disastig" ruleid="kernel_module_dccp_disabled" ownerid="RHEL-07-020101" disa="1958" severity="medium">
- <VMSinfo VKey="204450" SVKey="204450r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_autofs_disabled" ownerid="RHEL-07-020110" disa="778" severity="medium">
- <VMSinfo VKey="204451" SVKey="204451r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must disable the file system automounter unless required."/>
- </overlay>
- <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-07-020111" disa="366" severity="medium">
- <VMSinfo VKey="219059" SVKey="219059r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required."/>
- </overlay>
- <overlay owner="disastig" ruleid="clean_components_post_updating" ownerid="RHEL-07-020200" disa="2617" severity="low">
- <VMSinfo VKey="204452" SVKey="204452r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="selinux_state" ownerid="RHEL-07-020210" disa="2165" severity="medium">
- <VMSinfo VKey="204453" SVKey="204453r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must enable SELinux."/>
- </overlay>
- <overlay owner="disastig" ruleid="selinux_policytype" ownerid="RHEL-07-020220" disa="2696" severity="medium">
- <VMSinfo VKey="204454" SVKey="204454r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy."/>
- </overlay>
- <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" ownerid="RHEL-07-020230" disa="366" severity="high">
- <VMSinfo VKey="204455" SVKey="204455r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_disable_ctrlaltdel_reboot" ownerid="RHEL-07-020231" disa="366" severity="high">
- <VMSinfo VKey="204456" SVKey="204456r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_umask_etc_login_defs" ownerid="RHEL-07-020240" disa="366" severity="medium">
- <VMSinfo VKey="204457" SVKey="204457r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."/>
- </overlay>
- <overlay owner="disastig" ruleid="installed_OS_is_vendor_supported" ownerid="RHEL-07-020250" disa="366" severity="high">
- <VMSinfo VKey="204458" SVKey="204458r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be a vendor supported release."/>
- </overlay>
- <overlay owner="disastig" ruleid="security_patches_up_to_date" ownerid="RHEL-07-020260" disa="366" severity="medium">
- <VMSinfo VKey="204459" SVKey="204459r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_vsftpd_removed" ownerid="RHEL-07-020270" disa="366" severity="medium">
- <VMSinfo VKey="204460" SVKey="204460r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not have unnecessary accounts."/>
- </overlay>
- <overlay owner="disastig" ruleid="gid_passwd_group_same" ownerid="RHEL-07-020300" disa="764" severity="low">
- <VMSinfo VKey="204461" SVKey="204461r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_no_uid_except_zero" ownerid="RHEL-07-020310" disa="366" severity="high">
- <VMSinfo VKey="204462" SVKey="204462r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_files_unowned_by_user" ownerid="RHEL-07-020320" disa="2165" severity="medium">
- <VMSinfo VKey="204463" SVKey="204463r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_ungroupowned" ownerid="RHEL-07-020330" disa="2165" severity="medium">
- <VMSinfo VKey="204464" SVKey="204464r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_have_homedir_login_defs" ownerid="RHEL-07-020610" disa="366" severity="medium">
- <VMSinfo VKey="204466" SVKey="204466r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_exists" ownerid="RHEL-07-020620" disa="366" severity="medium">
- <VMSinfo VKey="204467" SVKey="204467r6038" VRelease="r603826"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_home_directories" ownerid="RHEL-07-020630" disa="366" severity="medium">
- <VMSinfo VKey="204468" SVKey="204468r6038" VRelease="r603828"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_ownership_home_directories" ownerid="RHEL-07-020640" disa="366" severity="medium">
- <VMSinfo VKey="204469" SVKey="204469r6038" VRelease="r603830"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_groupownership_home_directories" ownerid="RHEL-07-020650" disa="366" severity="medium">
- <VMSinfo VKey="204470" SVKey="204470r6038" VRelease="r603832"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_users_home_files_ownership" ownerid="RHEL-07-020660" disa="366" severity="medium">
- <VMSinfo VKey="204471" SVKey="204471r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_users_home_files_groupownership" ownerid="RHEL-07-020670" disa="366" severity="medium">
- <VMSinfo VKey="204472" SVKey="204472r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_users_home_files_permissions" ownerid="RHEL-07-020680" disa="366" severity="medium">
- <VMSinfo VKey="204473" SVKey="204473r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_dot_user_ownership" ownerid="RHEL-07-020690" disa="366" severity="medium">
- <VMSinfo VKey="204474" SVKey="204474r6038" VRelease="r603834"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_dot_group_ownership" ownerid="RHEL-07-020700" disa="366" severity="medium">
- <VMSinfo VKey="204475" SVKey="204475r6038" VRelease="r603836"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permission_user_init_files" ownerid="RHEL-07-020710" disa="366" severity="medium">
- <VMSinfo VKey="204476" SVKey="204476r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_home_paths_only" ownerid="RHEL-07-020720" disa="366" severity="medium">
- <VMSinfo VKey="204477" SVKey="204477r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_dot_no_world_writable_programs" ownerid="RHEL-07-020730" disa="366" severity="medium">
- <VMSinfo VKey="204478" SVKey="204478r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs."/>
- </overlay>
- <overlay owner="disastig" ruleid="selinux_all_devicefiles_labeled" ownerid="RHEL-07-020900" disa="318" severity="medium">
- <VMSinfo VKey="204479" SVKey="204479r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_home_nosuid" ownerid="RHEL-07-021000" disa="366" severity="medium">
- <VMSinfo VKey="204480" SVKey="204480r6038" VRelease="r603838"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_nosuid_removable_partitions" ownerid="RHEL-07-021010" disa="366" severity="medium">
- <VMSinfo VKey="204481" SVKey="204481r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_nosuid_remote_filesystems" ownerid="RHEL-07-021020" disa="366" severity="medium">
- <VMSinfo VKey="204482" SVKey="204482r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS)."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_noexec_remote_filesystems" ownerid="RHEL-07-021021" disa="366" severity="medium">
- <VMSinfo VKey="204483" SVKey="204483r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS)."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_dev_shm_noexec" ownerid="RHEL-07-021024" disa="1764" severity="low">
- <VMSinfo VKey="204486" SVKey="204486r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options."/>
- </overlay>
- <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned_group" ownerid="RHEL-07-021030" disa="366" severity="medium">
- <VMSinfo VKey="204487" SVKey="204487r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group."/>
- </overlay>
- <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned" ownerid="RHEL-07-021031" disa="366" severity="medium">
- <VMSinfo VKey="228563" SVKey="228563r6064" VRelease="r606406"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_umask_interactive_users" ownerid="RHEL-07-021040" disa="1812" severity="medium">
- <VMSinfo VKey="204488" SVKey="204488r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_cron_logging" ownerid="RHEL-07-021100" disa="366" severity="medium">
- <VMSinfo VKey="204489" SVKey="204489r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must have cron logging implemented."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_owner_cron_allow" ownerid="RHEL-07-021110" disa="366" severity="medium">
- <VMSinfo VKey="204490" SVKey="204490r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_groupowner_cron_allow" ownerid="RHEL-07-021120" disa="366" severity="medium">
- <VMSinfo VKey="204491" SVKey="204491r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_kdump_disabled" ownerid="RHEL-07-021300" disa="366" severity="medium">
- <VMSinfo VKey="204492" SVKey="204492r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_home" ownerid="RHEL-07-021310" disa="366" severity="low">
- <VMSinfo VKey="204493" SVKey="204493r6038" VRelease="r603840"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent)."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_var" ownerid="RHEL-07-021320" disa="366" severity="low">
- <VMSinfo VKey="204494" SVKey="204494r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must use a separate file system for /var."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_var_log_audit" ownerid="RHEL-07-021330" disa="366" severity="low">
- <VMSinfo VKey="204495" SVKey="204495r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_tmp" ownerid="RHEL-07-021340" disa="366" severity="low">
- <VMSinfo VKey="204496" SVKey="204496r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent)."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_enable_fips_mode" ownerid="RHEL-07-021350" disa="2476" severity="high">
- <VMSinfo VKey="204497" SVKey="204497r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_verify_acls" ownerid="RHEL-07-021600" disa="366" severity="low">
- <VMSinfo VKey="204498" SVKey="204498r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs)."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_verify_ext_attributes" ownerid="RHEL-07-021610" disa="366" severity="low">
- <VMSinfo VKey="204499" SVKey="204499r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_use_fips_hashes" ownerid="RHEL-07-021620" disa="366" severity="medium">
- <VMSinfo VKey="204500" SVKey="204500r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_no_removeable_media" ownerid="RHEL-07-021700" disa="318" severity="medium">
- <VMSinfo VKey="204501" SVKey="204501r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_telnet-server_removed" ownerid="RHEL-07-021710" disa="381" severity="high">
- <VMSinfo VKey="204502" SVKey="204502r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not have the telnet-server package installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="RHEL-07-030000" disa="131" severity="medium">
- <VMSinfo VKey="204503" SVKey="204503r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_system_shutdown" ownerid="RHEL-07-030010" disa="139" severity="medium">
- <VMSinfo VKey="204504" SVKey="204504r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-07-030201" disa="1851" severity="medium">
- <VMSinfo VKey="204506" SVKey="204506r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-07-030210" disa="1851" severity="medium">
- <VMSinfo VKey="204507" SVKey="204507r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-07-030211" disa="1851" severity="medium">
- <VMSinfo VKey="204508" SVKey="204508r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030300" disa="1851" severity="medium">
- <VMSinfo VKey="204509" SVKey="204509r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="RHEL-07-030310" disa="1851" severity="medium">
- <VMSinfo VKey="204510" SVKey="204510r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_audispd_disk_full_action" ownerid="RHEL-07-030320" disa="1851" severity="medium">
- <VMSinfo VKey="204511" SVKey="204511r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_audispd_network_failure_action" ownerid="RHEL-07-030321" disa="1851" severity="medium">
- <VMSinfo VKey="204512" SVKey="204512r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_data_retention_space_left" ownerid="RHEL-07-030330" disa="1855" severity="medium">
- <VMSinfo VKey="204513" SVKey="204513r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_data_retention_admin_space_left_action" ownerid="RHEL-07-030340" disa="1855" severity="medium">
- <VMSinfo VKey="204514" SVKey="204514r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_data_retention_action_mail_acct" ownerid="RHEL-07-030350" disa="1855" severity="medium">
- <VMSinfo VKey="204515" SVKey="204515r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands" ownerid="RHEL-07-030360" disa="2234" severity="medium">
- <VMSinfo VKey="204516" SVKey="204516r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all executions of privileged functions."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_chown" ownerid="RHEL-07-030370" disa="126" severity="medium">
- <VMSinfo VKey="204517" SVKey="204517r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchown" ownerid="RHEL-07-030380" disa="172" severity="medium">
- <VMSinfo VKey="204518" SVKey="204518r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_lchown" ownerid="RHEL-07-030390" disa="172" severity="medium">
- <VMSinfo VKey="204519" SVKey="204519r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchownat" ownerid="RHEL-07-030400" disa="172" severity="medium">
- <VMSinfo VKey="204520" SVKey="204520r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_chmod" ownerid="RHEL-07-030410" disa="172" severity="medium">
- <VMSinfo VKey="204521" SVKey="204521r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmod" ownerid="RHEL-07-030420" disa="172" severity="medium">
- <VMSinfo VKey="204522" SVKey="204522r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmodat" ownerid="RHEL-07-030430" disa="172" severity="medium">
- <VMSinfo VKey="204523" SVKey="204523r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_setxattr" ownerid="RHEL-07-030440" disa="172" severity="medium">
- <VMSinfo VKey="204524" SVKey="204524r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fsetxattr" ownerid="RHEL-07-030450" disa="172" severity="medium">
- <VMSinfo VKey="204525" SVKey="204525r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_lsetxattr" ownerid="RHEL-07-030460" disa="172" severity="medium">
- <VMSinfo VKey="204526" SVKey="204526r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_removexattr" ownerid="RHEL-07-030470" disa="172" severity="medium">
- <VMSinfo VKey="204527" SVKey="204527r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fremovexattr" ownerid="RHEL-07-030480" disa="172" severity="medium">
- <VMSinfo VKey="204528" SVKey="204528r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_lremovexattr" ownerid="RHEL-07-030490" disa="172" severity="medium">
- <VMSinfo VKey="204529" SVKey="204529r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_creat" ownerid="RHEL-07-030500" disa="2884" severity="medium">
- <VMSinfo VKey="204530" SVKey="204530r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open" ownerid="RHEL-07-030510" disa="2884" severity="medium">
- <VMSinfo VKey="204531" SVKey="204531r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the open syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_openat" ownerid="RHEL-07-030520" disa="2884" severity="medium">
- <VMSinfo VKey="204532" SVKey="204532r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open_by_handle_at" ownerid="RHEL-07-030530" disa="2884" severity="medium">
- <VMSinfo VKey="204533" SVKey="204533r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_truncate" ownerid="RHEL-07-030540" disa="2884" severity="medium">
- <VMSinfo VKey="204534" SVKey="204534r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_ftruncate" ownerid="RHEL-07-030550" disa="2884" severity="medium">
- <VMSinfo VKey="204535" SVKey="204535r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_execution_semanage" ownerid="RHEL-07-030560" disa="2884" severity="medium">
- <VMSinfo VKey="204536" SVKey="204536r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the semanage command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_execution_setsebool" ownerid="RHEL-07-030570" disa="2884" severity="medium">
- <VMSinfo VKey="204537" SVKey="204537r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_execution_chcon" ownerid="RHEL-07-030580" disa="2884" severity="medium">
- <VMSinfo VKey="204538" SVKey="204538r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chcon command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_execution_setfiles" ownerid="RHEL-07-030590" disa="2884" severity="medium">
- <VMSinfo VKey="204539" SVKey="204539r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_login_events_faillock" ownerid="RHEL-07-030610" disa="2884" severity="medium">
- <VMSinfo VKey="204540" SVKey="204540r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_login_events_lastlog" ownerid="RHEL-07-030620" disa="2884" severity="medium">
- <VMSinfo VKey="204541" SVKey="204541r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_passwd" ownerid="RHEL-07-030630" disa="2884" severity="medium">
- <VMSinfo VKey="204542" SVKey="204542r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the passwd command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_unix_chkpwd" ownerid="RHEL-07-030640" disa="2884" severity="medium">
- <VMSinfo VKey="204543" SVKey="204543r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_gpasswd" ownerid="RHEL-07-030650" disa="2884" severity="medium">
- <VMSinfo VKey="204544" SVKey="204544r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chage" ownerid="RHEL-07-030660" disa="2884" severity="medium">
- <VMSinfo VKey="204545" SVKey="204545r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chage command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_userhelper" ownerid="RHEL-07-030670" disa="2884" severity="medium">
- <VMSinfo VKey="204546" SVKey="204546r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_su" ownerid="RHEL-07-030680" disa="2884" severity="medium">
- <VMSinfo VKey="204547" SVKey="204547r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the su command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="RHEL-07-030690" disa="2884" severity="medium">
- <VMSinfo VKey="204548" SVKey="204548r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the sudo command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_sysadmin_actions" ownerid="RHEL-07-030700" disa="2884" severity="medium">
- <VMSinfo VKey="204549" SVKey="204549r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_newgrp" ownerid="RHEL-07-030710" disa="2884" severity="medium">
- <VMSinfo VKey="204550" SVKey="204550r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chsh" ownerid="RHEL-07-030720" disa="2884" severity="medium">
- <VMSinfo VKey="204551" SVKey="204551r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chsh command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_mount" ownerid="RHEL-07-030740" disa="2884" severity="medium">
- <VMSinfo VKey="204552" SVKey="204552r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_umount" ownerid="RHEL-07-030750" disa="2884" severity="medium">
- <VMSinfo VKey="204553" SVKey="204553r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the umount command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_postdrop" ownerid="RHEL-07-030760" disa="2884" severity="medium">
- <VMSinfo VKey="204554" SVKey="204554r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_postqueue" ownerid="RHEL-07-030770" disa="2884" severity="medium">
- <VMSinfo VKey="204555" SVKey="204555r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_ssh_keysign" ownerid="RHEL-07-030780" disa="2884" severity="medium">
- <VMSinfo VKey="204556" SVKey="204556r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_crontab" ownerid="RHEL-07-030800" disa="2884" severity="medium">
- <VMSinfo VKey="204557" SVKey="204557r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the crontab command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_pam_timestamp_check" ownerid="RHEL-07-030810" disa="172" severity="medium">
- <VMSinfo VKey="204558" SVKey="204558r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030819" disa="172" severity="medium">
- <VMSinfo VKey="204559" SVKey="204559r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_init" ownerid="RHEL-07-030820" disa="172" severity="medium">
- <VMSinfo VKey="204560" SVKey="204560r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_finit" ownerid="RHEL-07-030821" disa="172" severity="medium">
- <VMSinfo VKey="204561" SVKey="204561r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030830" disa="172" severity="medium">
- <VMSinfo VKey="204562" SVKey="204562r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030840" disa="172" severity="medium">
- <VMSinfo VKey="204563" SVKey="204563r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the kmod command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="RHEL-07-030870" disa="2130" severity="medium">
- <VMSinfo VKey="204564" SVKey="204564r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_group" ownerid="RHEL-07-030871" disa="2130" severity="medium">
- <VMSinfo VKey="204565" SVKey="204565r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_gshadow" ownerid="RHEL-07-030872" disa="2130" severity="medium">
- <VMSinfo VKey="204566" SVKey="204566r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_shadow" ownerid="RHEL-07-030873" disa="2130" severity="medium">
- <VMSinfo VKey="204567" SVKey="204567r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_opasswd" ownerid="RHEL-07-030874" disa="2130" severity="medium">
- <VMSinfo VKey="204568" SVKey="204568r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_rename" ownerid="RHEL-07-030880" disa="2884" severity="medium">
- <VMSinfo VKey="204569" SVKey="204569r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_renameat" ownerid="RHEL-07-030890" disa="2884" severity="medium">
- <VMSinfo VKey="204570" SVKey="204570r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_rmdir" ownerid="RHEL-07-030900" disa="2884" severity="medium">
- <VMSinfo VKey="204571" SVKey="204571r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_unlink" ownerid="RHEL-07-030910" disa="2884" severity="medium">
- <VMSinfo VKey="204572" SVKey="204572r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_unlinkat" ownerid="RHEL-07-030920" disa="2884" severity="medium">
- <VMSinfo VKey="204573" SVKey="204573r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-07-031000" disa="366" severity="medium">
- <VMSinfo VKey="204574" SVKey="204574r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_nolisten" ownerid="RHEL-07-031010" disa="368" severity="medium">
- <VMSinfo VKey="204575" SVKey="204575r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation."/>
- </overlay>
- <overlay owner="disastig" ruleid="install_mcafee_antivirus" ownerid="RHEL-07-032000" disa="1668" severity="high">
- <VMSinfo VKey="214801" SVKey="214801r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must use a virus scan program."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_max_concurrent_login_sessions" ownerid="RHEL-07-040000" disa="54" severity="low">
- <VMSinfo VKey="204576" SVKey="204576r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types."/>
- </overlay>
- <overlay owner="disastig" ruleid="configure_firewalld_ports" ownerid="RHEL-07-040100" disa="2314" severity="medium">
- <VMSinfo VKey="204577" SVKey="204577r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_use_approved_ciphers_ordered_stig" ownerid="RHEL-07-040110" disa="68" severity="medium">
- <VMSinfo VKey="204578" SVKey="204578r6038" VRelease="r603843"/>
- <title text="The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_tmout" ownerid="RHEL-07-040160" disa="2361" severity="medium">
- <VMSinfo VKey="204579" SVKey="204579r6468" VRelease="r646844"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="RHEL-07-040170" disa="50" severity="medium">
- <VMSinfo VKey="204580" SVKey="204580r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts."/>
- </overlay>
- <overlay owner="disastig" ruleid="sssd_ldap_start_tls" ownerid="RHEL-07-040180" disa="1453" severity="medium">
- <VMSinfo VKey="204581" SVKey="204581r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."/>
- </overlay>
- <overlay owner="disastig" ruleid="sssd_ldap_configure_tls_reqcert" ownerid="RHEL-07-040190" disa="1453" severity="medium">
- <VMSinfo VKey="204582" SVKey="204582r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."/>
- </overlay>
- <overlay owner="disastig" ruleid="sssd_ldap_configure_tls_ca_dir" ownerid="RHEL-07-040200" disa="1453" severity="medium">
- <VMSinfo VKey="204583" SVKey="204583r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_kernel_randomize_va_space" ownerid="RHEL-07-040201" disa="366" severity="medium">
- <VMSinfo VKey="204584" SVKey="204584r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must implement virtual address space randomization."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_openssh-server_installed" ownerid="RHEL-07-040300" disa="2421" severity="medium">
- <VMSinfo VKey="204585" SVKey="204585r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_sshd_enabled" ownerid="RHEL-07-040310" disa="2420" severity="medium">
- <VMSinfo VKey="204586" SVKey="204586r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_set_idle_timeout" ownerid="RHEL-07-040320" disa="2361" severity="medium">
- <VMSinfo VKey="204587" SVKey="204587r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_rhosts_rsa" ownerid="RHEL-07-040330" disa="366" severity="medium">
- <VMSinfo VKey="204588" SVKey="204588r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_set_keepalive_0" ownerid="RHEL-07-040340" disa="2361" severity="medium">
- <VMSinfo VKey="204589" SVKey="204589r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_rhosts" ownerid="RHEL-07-040350" disa="366" severity="medium">
- <VMSinfo VKey="204590" SVKey="204590r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_print_last_log" ownerid="RHEL-07-040360" disa="366" severity="medium">
- <VMSinfo VKey="204591" SVKey="204591r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="RHEL-07-040370" disa="366" severity="medium">
- <VMSinfo VKey="204592" SVKey="204592r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_user_known_hosts" ownerid="RHEL-07-040380" disa="366" severity="medium">
- <VMSinfo VKey="204593" SVKey="204593r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_allow_only_protocol2" ownerid="RHEL-07-040390" disa="197" severity="high">
- <VMSinfo VKey="204594" SVKey="204594r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_use_approved_macs_ordered_stig" ownerid="RHEL-07-040400" disa="1453" severity="medium">
- <VMSinfo VKey="204595" SVKey="204595r6038" VRelease="r603846"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_sshd_pub_key" ownerid="RHEL-07-040410" disa="366" severity="medium">
- <VMSinfo VKey="204596" SVKey="204596r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_sshd_private_key" ownerid="RHEL-07-040420" disa="366" severity="medium">
- <VMSinfo VKey="204597" SVKey="204597r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_gssapi_auth" ownerid="RHEL-07-040430" disa="1814" severity="medium">
- <VMSinfo VKey="204598" SVKey="204598r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_kerb_auth" ownerid="RHEL-07-040440" disa="318" severity="medium">
- <VMSinfo VKey="204599" SVKey="204599r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_enable_strictmodes" ownerid="RHEL-07-040450" disa="366" severity="medium">
- <VMSinfo VKey="204600" SVKey="204600r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_use_priv_separation" ownerid="RHEL-07-040460" disa="366" severity="medium">
- <VMSinfo VKey="204601" SVKey="204601r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_compression" ownerid="RHEL-07-040470" disa="366" severity="medium">
- <VMSinfo VKey="204602" SVKey="204602r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="chronyd_or_ntpd_set_maxpoll" ownerid="RHEL-07-040500" disa="2046" severity="medium">
- <VMSinfo VKey="204603" SVKey="204603r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_firewalld_enabled" ownerid="RHEL-07-040520" disa="366" severity="medium">
- <VMSinfo VKey="204604" SVKey="204604r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must enable an application firewall, if available."/>
- </overlay>
- <overlay owner="disastig" ruleid="display_login_attempts" ownerid="RHEL-07-040530" disa="366" severity="low">
- <VMSinfo VKey="204605" SVKey="204605r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_user_host_based_files" ownerid="RHEL-07-040540" disa="366" severity="high">
- <VMSinfo VKey="204606" SVKey="204606r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not contain .shosts files."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_host_based_files" ownerid="RHEL-07-040550" disa="366" severity="high">
- <VMSinfo VKey="204607" SVKey="204607r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not contain shosts.equiv files."/>
- </overlay>
- <overlay owner="disastig" ruleid="network_configure_name_resolution" ownerid="RHEL-07-040600" disa="366" severity="low">
- <VMSinfo VKey="204608" SVKey="204608r6032" VRelease="r603261"/>
- <title text="For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_source_route" ownerid="RHEL-07-040610" disa="366" severity="medium">
- <VMSinfo VKey="204609" SVKey="204609r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_rp_filter" ownerid="RHEL-07-040611" disa="366" severity="medium">
- <VMSinfo VKey="204610" SVKey="204610r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_rp_filter" ownerid="RHEL-07-040612" disa="366" severity="medium">
- <VMSinfo VKey="204611" SVKey="204611r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_source_route" ownerid="RHEL-07-040620" disa="366" severity="medium">
- <VMSinfo VKey="204612" SVKey="204612r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" ownerid="RHEL-07-040630" disa="366" severity="medium">
- <VMSinfo VKey="204613" SVKey="204613r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_redirects" ownerid="RHEL-07-040640" disa="366" severity="medium">
- <VMSinfo VKey="204614" SVKey="204614r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_redirects" ownerid="RHEL-07-040641" disa="366" severity="medium">
- <VMSinfo VKey="204615" SVKey="204615r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_send_redirects" ownerid="RHEL-07-040650" disa="366" severity="medium">
- <VMSinfo VKey="204616" SVKey="204616r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_send_redirects" ownerid="RHEL-07-040660" disa="366" severity="medium">
- <VMSinfo VKey="204617" SVKey="204617r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects."/>
- </overlay>
- <overlay owner="disastig" ruleid="network_sniffer_disabled" ownerid="RHEL-07-040670" disa="366" severity="medium">
- <VMSinfo VKey="204618" SVKey="204618r6032" VRelease="r603261"/>
- <title text="Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode."/>
- </overlay>
- <overlay owner="disastig" ruleid="postfix_prevent_unrestricted_relay" ownerid="RHEL-07-040680" disa="366" severity="medium">
- <VMSinfo VKey="204619" SVKey="204619r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_vsftpd_removed" ownerid="RHEL-07-040690" disa="366" severity="high">
- <VMSinfo VKey="204620" SVKey="204620r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_tftp-server_removed" ownerid="RHEL-07-040700" disa="318" severity="high">
- <VMSinfo VKey="204621" SVKey="204621r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_x11_forwarding" ownerid="RHEL-07-040710" disa="366" severity="medium">
- <VMSinfo VKey="204622" SVKey="204622r6038" VRelease="r603849"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requirements."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_x11_use_localhost" ownerid="RHEL-07-040711" disa="366" severity="medium">
- <VMSinfo VKey="233307" SVKey="233307r6033" VRelease="r603301"/>
- <title text="The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display."/>
- </overlay>
- <overlay owner="disastig" ruleid="tftpd_uses_secure_mode" ownerid="RHEL-07-040720" disa="366" severity="medium">
- <VMSinfo VKey="204623" SVKey="204623r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode."/>
- </overlay>
- <overlay owner="disastig" ruleid="xwindows_remove_packages" ownerid="RHEL-07-040730" disa="366" severity="medium">
- <VMSinfo VKey="204624" SVKey="204624r6468" VRelease="r646847"/>
- <title text="The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_ip_forward" ownerid="RHEL-07-040740" disa="366" severity="medium">
- <VMSinfo VKey="204625" SVKey="204625r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_krb_sec_remote_filesystems" ownerid="RHEL-07-040750" disa="366" severity="medium">
- <VMSinfo VKey="204626" SVKey="204626r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."/>
- </overlay>
- <overlay owner="disastig" ruleid="snmpd_not_default_password" ownerid="RHEL-07-040800" disa="366" severity="high">
- <VMSinfo VKey="204627" SVKey="204627r6032" VRelease="r603261"/>
- <title text="SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default."/>
- </overlay>
- <overlay owner="disastig" ruleid="set_firewalld_default_zone" ownerid="RHEL-07-040810" disa="366" severity="medium">
- <VMSinfo VKey="204628" SVKey="204628r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."/>
- </overlay>
- <overlay owner="disastig" ruleid="libreswan_approved_tunnels" ownerid="RHEL-07-040820" disa="366" severity="medium">
- <VMSinfo VKey="204629" SVKey="204629r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_source_route" ownerid="RHEL-07-040830" disa="366" severity="medium">
- <VMSinfo VKey="204630" SVKey="204630r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets."/>
- </overlay>
- <overlay owner="disastig" ruleid="install_smartcard_packages" ownerid="RHEL-07-041001" disa="1948" severity="medium">
- <VMSinfo VKey="204631" SVKey="204631r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="sssd_enable_pam_services" ownerid="RHEL-07-041002" disa="1953" severity="medium">
- <VMSinfo VKey="204632" SVKey="204632r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)."/>
- </overlay>
- <overlay owner="disastig" ruleid="smartcard_configure_cert_checking" ownerid="RHEL-07-041003" disa="1948" severity="medium">
- <VMSinfo VKey="204633" SVKey="204633r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="wireless_disable_interfaces" ownerid="RHEL-07-041010" disa="2418" severity="medium">
- <VMSinfo VKey="204634" SVKey="204634r6032" VRelease="r603261"/>
- <title text="The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_var_log_audit" ownerid="RHEL-07-910055" disa="164" severity="medium">
- <VMSinfo VKey="228564" SVKey="228564r6064" VRelease="r606407"/>
- <title text="The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion."/>
- </overlay>
-</overlays>
diff --git a/products/rhel8/overlays/stig_overlay.xml b/products/rhel8/overlays/stig_overlay.xml
deleted file mode 100644
index 70b33c84493..00000000000
--- a/products/rhel8/overlays/stig_overlay.xml
+++ /dev/null
@@ -1,1375 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<overlays xmlns="http://checklists.nist.gov/xccdf/1.1">
- <overlay owner="disastig" ruleid="installed_OS_is_vendor_supported" ownerid="RHEL-08-010000" disa="366" severity="high">
- <VMSinfo VKey="230221" SVKey="230221r6277" VRelease="r627750"/>
- <title text="RHEL 8 must be a vendor-supported release."/>
- </overlay>
- <overlay owner="disastig" ruleid="security_patches_up_to_date" ownerid="RHEL-08-010010" disa="366" severity="medium">
- <VMSinfo VKey="230222" SVKey="230222r6277" VRelease="r627750"/>
- <title text="RHEL 8 vendor packaged system security patches and updates must be installed and up to date."/>
- </overlay>
- <overlay owner="disastig" ruleid="enable_fips_mode" ownerid="RHEL-08-010020" disa="68" severity="high">
- <VMSinfo VKey="230223" SVKey="230223r6277" VRelease="r627750"/>
- <title text="RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."/>
- </overlay>
- <overlay owner="disastig" ruleid="encrypt_partitions" ownerid="RHEL-08-010030" disa="1199" severity="medium">
- <VMSinfo VKey="230224" SVKey="230224r6277" VRelease="r627750"/>
- <title text="All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="RHEL-08-010040" disa="48" severity="medium">
- <VMSinfo VKey="230225" SVKey="230225r6277" VRelease="r627750"/>
- <title text="RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_banner_enabled" ownerid="RHEL-08-010050" disa="48" severity="medium">
- <VMSinfo VKey="230226" SVKey="230226r6277" VRelease="r627750"/>
- <title text="RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="banner_etc_issue" ownerid="RHEL-08-010060" disa="48" severity="medium">
- <VMSinfo VKey="230227" SVKey="230227r6277" VRelease="r627750"/>
- <title text="RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010070" disa="67" severity="medium">
- <VMSinfo VKey="230228" SVKey="230228r6277" VRelease="r627750"/>
- <title text="All RHEL 8 remote access methods must be monitored."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010090" disa="185" severity="medium">
- <VMSinfo VKey="230229" SVKey="230229r6277" VRelease="r627750"/>
- <title text="RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010100" disa="186" severity="medium">
- <VMSinfo VKey="230230" SVKey="230230r6277" VRelease="r627750"/>
- <title text="RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key."/>
- </overlay>
- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_logindefs" ownerid="RHEL-08-010110" disa="196" severity="medium">
- <VMSinfo VKey="230231" SVKey="230231r6277" VRelease="r627750"/>
- <title text="RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010120" disa="196" severity="medium">
- <VMSinfo VKey="230232" SVKey="230232r6277" VRelease="r627750"/>
- <title text="RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_unix_rounds_password_auth" ownerid="RHEL-08-010130" disa="196" severity="medium">
- <VMSinfo VKey="230233" SVKey="230233r6277" VRelease="r627750"/>
- <title text="RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_uefi_admin_username" ownerid="RHEL-08-010140" disa="213" severity="high">
- <VMSinfo VKey="230234" SVKey="230234r6277" VRelease="r627750"/>
- <title text="RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_admin_username" ownerid="RHEL-08-010150" disa="213" severity="high">
- <VMSinfo VKey="230235" SVKey="230235r6277" VRelease="r627750"/>
- <title text="RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes."/>
- </overlay>
- <overlay owner="disastig" ruleid="require_singleuser_auth" ownerid="RHEL-08-010151" disa="213" severity="medium">
- <VMSinfo VKey="230236" SVKey="230236r6277" VRelease="r627750"/>
- <title text="RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes."/>
- </overlay>
- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_systemauth" ownerid="RHEL-08-010160" disa="803" severity="medium">
- <VMSinfo VKey="230237" SVKey="230237r6277" VRelease="r627750"/>
- <title text="The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="kerberos_disable_no_keytab" ownerid="RHEL-08-010161" disa="803" severity="medium">
- <VMSinfo VKey="230238" SVKey="230238r6468" VRelease="r646862"/>
- <title text="RHEL 8 must prevent system daemons from using Kerberos for authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_krb5-workstation_removed" ownerid="RHEL-08-010162" disa="803" severity="medium">
- <VMSinfo VKey="230239" SVKey="230239r6468" VRelease="r646864"/>
- <title text="The krb5-workstation package must not be installed on RHEL 8."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_rsyslog-gnutls_installed" ownerid="RHEL-08-010163" disa="803" severity="medium">
- <VMSinfo VKey="237640" SVKey="237640r6468" VRelease="r646890"/>
- <title text="The krb5-server package must not be installed on RHEL 8."/>
- </overlay>
- <overlay owner="disastig" ruleid="selinux_state" ownerid="RHEL-08-010170" disa="1084" severity="medium">
- <VMSinfo VKey="230240" SVKey="230240r6277" VRelease="r627750"/>
- <title text="RHEL 8 must use a Linux Security Module configured to enforce limits on system services."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_policycoreutils_installed" ownerid="RHEL-08-010171" disa="1084" severity="low">
- <VMSinfo VKey="230241" SVKey="230241r6277" VRelease="r627750"/>
- <title text="RHEL 8 must have policycoreutils package installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_kernel_dmesg_restrict" ownerid="RHEL-08-010180" disa="1090" severity="medium">
- <VMSinfo VKey="230242" SVKey="230242r6277" VRelease="r627750"/>
- <title text="All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources."/>
- </overlay>
- <overlay owner="disastig" ruleid="dir_perms_world_writable_sticky_bits" ownerid="RHEL-08-010190" disa="1090" severity="medium">
- <VMSinfo VKey="230243" SVKey="230243r6277" VRelease="r627750"/>
- <title text="A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_set_idle_timeout" ownerid="RHEL-08-010200" disa="1133" severity="medium">
- <VMSinfo VKey="230244" SVKey="230244r6277" VRelease="r627750"/>
- <title text="RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_var_log_messages" ownerid="RHEL-08-010210" disa="1314" severity="medium">
- <VMSinfo VKey="230245" SVKey="230245r6277" VRelease="r627750"/>
- <title text="The RHEL 8 /var/log/messages file must have mode 0640 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_owner_var_log_messages" ownerid="RHEL-08-010220" disa="1314" severity="medium">
- <VMSinfo VKey="230246" SVKey="230246r6277" VRelease="r627750"/>
- <title text="The RHEL 8 /var/log/messages file must be owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_groupowner_var_log_messages" ownerid="RHEL-08-010230" disa="1314" severity="medium">
- <VMSinfo VKey="230247" SVKey="230247r6277" VRelease="r627750"/>
- <title text="The RHEL 8 /var/log/messages file must be group-owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_var_log" ownerid="RHEL-08-010240" disa="1314" severity="medium">
- <VMSinfo VKey="230248" SVKey="230248r6277" VRelease="r627750"/>
- <title text="The RHEL 8 /var/log directory must have mode 0755 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_owner_var_log" ownerid="RHEL-08-010250" disa="1314" severity="medium">
- <VMSinfo VKey="230249" SVKey="230249r6277" VRelease="r627750"/>
- <title text="The RHEL 8 /var/log directory must be owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_groupowner_var_log" ownerid="RHEL-08-010260" disa="1314" severity="medium">
- <VMSinfo VKey="230250" SVKey="230250r6277" VRelease="r627750"/>
- <title text="The RHEL 8 /var/log directory must be group-owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010290" disa="1453" severity="medium">
- <VMSinfo VKey="230251" SVKey="230251r6468" VRelease="r646866"/>
- <title text="The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010291" disa="1453" severity="medium">
- <VMSinfo VKey="230252" SVKey="230252r6468" VRelease="r646869"/>
- <title text="The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_use_strong_rng" ownerid="RHEL-08-010292" disa="366" severity="low">
- <VMSinfo VKey="230253" SVKey="230253r6277" VRelease="r627750"/>
- <title text="RHEL 8 must ensure the SSH server uses strong entropy."/>
- </overlay>
- <overlay owner="disastig" ruleid="configure_openssl_crypto_policy" ownerid="RHEL-08-010293" disa="1453" severity="medium">
- <VMSinfo VKey="230254" SVKey="230254r6277" VRelease="r627750"/>
- <title text="The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010294" disa="1453" severity="medium">
- <VMSinfo VKey="230255" SVKey="230255r6277" VRelease="r627750"/>
- <title text="The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010295" disa="1453" severity="medium">
- <VMSinfo VKey="230256" SVKey="230256r6277" VRelease="r627750"/>
- <title text="The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_binary_dirs" ownerid="RHEL-08-010300" disa="1499" severity="medium">
- <VMSinfo VKey="230257" SVKey="230257r6277" VRelease="r627750"/>
- <title text="RHEL 8 system commands must have mode 0755 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_ownership_binary_dirs" ownerid="RHEL-08-010310" disa="1499" severity="medium">
- <VMSinfo VKey="230258" SVKey="230258r6277" VRelease="r627750"/>
- <title text="RHEL 8 system commands must be owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010320" disa="1499" severity="medium">
- <VMSinfo VKey="230259" SVKey="230259r6277" VRelease="r627750"/>
- <title text="RHEL 8 system commands must be group-owned by root or a system account."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_library_dirs" ownerid="RHEL-08-010330" disa="1499" severity="medium">
- <VMSinfo VKey="230260" SVKey="230260r6277" VRelease="r627750"/>
- <title text="RHEL 8 library files must have mode 0755 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_ownership_library_dirs" ownerid="RHEL-08-010340" disa="1499" severity="medium">
- <VMSinfo VKey="230261" SVKey="230261r6277" VRelease="r627750"/>
- <title text="RHEL 8 library files must be owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-010350" disa="1499" severity="medium">
- <VMSinfo VKey="230262" SVKey="230262r6277" VRelease="r627750"/>
- <title text="RHEL 8 library files must be group-owned by root or a system account."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_scan_notification" ownerid="RHEL-08-010360" disa="1744" severity="medium">
- <VMSinfo VKey="230263" SVKey="230263r6277" VRelease="r627750"/>
- <title text="The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency."/>
- </overlay>
- <overlay owner="disastig" ruleid="ensure_gpgcheck_globally_activated" ownerid="RHEL-08-010370" disa="1749" severity="high">
- <VMSinfo VKey="230264" SVKey="230264r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/>
- </overlay>
- <overlay owner="disastig" ruleid="ensure_gpgcheck_local_packages" ownerid="RHEL-08-010371" disa="1749" severity="high">
- <VMSinfo VKey="230265" SVKey="230265r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_kernel_kexec_load_disabled" ownerid="RHEL-08-010372" disa="1749" severity="medium">
- <VMSinfo VKey="230266" SVKey="230266r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent the loading of a new kernel for later execution."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_fs_protected_symlinks" ownerid="RHEL-08-010373" disa="2165" severity="medium">
- <VMSinfo VKey="230267" SVKey="230267r6277" VRelease="r627750"/>
- <title text="RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_fs_protected_hardlinks" ownerid="RHEL-08-010374" disa="2165" severity="medium">
- <VMSinfo VKey="230268" SVKey="230268r6277" VRelease="r627750"/>
- <title text="RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_kernel_dmesg_restrict" ownerid="RHEL-08-010375" disa="1090" severity="low">
- <VMSinfo VKey="230269" SVKey="230269r6277" VRelease="r627750"/>
- <title text="RHEL 8 must restrict access to the kernel message buffer."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_kernel_perf_event_paranoid" ownerid="RHEL-08-010376" disa="1090" severity="low">
- <VMSinfo VKey="230270" SVKey="230270r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent kernel profiling by unprivileged users."/>
- </overlay>
- <overlay owner="disastig" ruleid="sudo_remove_nopasswd" ownerid="RHEL-08-010380" disa="2038" severity="medium">
- <VMSinfo VKey="230271" SVKey="230271r6277" VRelease="r627750"/>
- <title text="RHEL 8 must require users to provide a password for privilege escalation."/>
- </overlay>
- <overlay owner="disastig" ruleid="sudo_remove_no_authenticate" ownerid="RHEL-08-010381" disa="2038" severity="medium">
- <VMSinfo VKey="230272" SVKey="230272r6277" VRelease="r627750"/>
- <title text="RHEL 8 must require users to reauthenticate for privilege escalation."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_sendmail_removed" ownerid="RHEL-08-010382" disa="366" severity="medium">
- <VMSinfo VKey="237641" SVKey="237641r6468" VRelease="r646893"/>
- <title text="RHEL 8 must restrict privilege elevation to authorized personnel."/>
- </overlay>
- <overlay owner="disastig" ruleid="sudoers_validate_passwd" ownerid="RHEL-08-010383" disa="2227" severity="medium">
- <VMSinfo VKey="237642" SVKey="237642r6468" VRelease="r646896"/>
- <title text="RHEL 8 must use the invoking user's password for privilege escalation when using &quot;sudo&quot;."/>
- </overlay>
- <overlay owner="disastig" ruleid="sudo_remove_nopasswd" ownerid="RHEL-08-010384" disa="2038" severity="medium">
- <VMSinfo VKey="237643" SVKey="237643r6468" VRelease="r646899"/>
- <title text="RHEL 8 must require re-authentication when using the &quot;sudo&quot; command."/>
- </overlay>
- <overlay owner="disastig" ruleid="install_smartcard_packages" ownerid="RHEL-08-010390" disa="1948" severity="medium">
- <VMSinfo VKey="230273" SVKey="230273r6277" VRelease="r627750"/>
- <title text="RHEL 8 must have the packages required for multifactor authentication installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="sssd_enable_smartcards" ownerid="RHEL-08-010400" disa="1948" severity="medium">
- <VMSinfo VKey="230274" SVKey="230274r6277" VRelease="r627750"/>
- <title text="RHEL 8 must implement certificate status checking for multifactor authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_opensc_installed" ownerid="RHEL-08-010410" disa="1953" severity="medium">
- <VMSinfo VKey="230275" SVKey="230275r6277" VRelease="r627750"/>
- <title text="RHEL 8 must accept Personal Identity Verification (PIV) credentials."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_kernel_kptr_restrict" ownerid="RHEL-08-010420" disa="2824" severity="medium">
- <VMSinfo VKey="230276" SVKey="230276r6277" VRelease="r627750"/>
- <title text="RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_page_poison_argument" ownerid="RHEL-08-010421" disa="1084" severity="medium">
- <VMSinfo VKey="230277" SVKey="230277r6277" VRelease="r627750"/>
- <title text="RHEL 8 must clear the page allocator to prevent use-after-free attacks."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_vsyscall_argument" ownerid="RHEL-08-010422" disa="1084" severity="medium">
- <VMSinfo VKey="230278" SVKey="230278r6277" VRelease="r627750"/>
- <title text="RHEL 8 must disable virtual syscalls."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_slub_debug_argument" ownerid="RHEL-08-010423" disa="1084" severity="medium">
- <VMSinfo VKey="230279" SVKey="230279r6277" VRelease="r627750"/>
- <title text="RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_kernel_randomize_va_space" ownerid="RHEL-08-010430" disa="2824" severity="medium">
- <VMSinfo VKey="230280" SVKey="230280r6277" VRelease="r627750"/>
- <title text="RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution."/>
- </overlay>
- <overlay owner="disastig" ruleid="clean_components_post_updating" ownerid="RHEL-08-010440" disa="2617" severity="low">
- <VMSinfo VKey="230281" SVKey="230281r6277" VRelease="r627750"/>
- <title text="YUM must remove all software components after updated versions have been installed on RHEL 8."/>
- </overlay>
- <overlay owner="disastig" ruleid="selinux_policytype" ownerid="RHEL-08-010450" disa="2696" severity="medium">
- <VMSinfo VKey="230282" SVKey="230282r6277" VRelease="r627750"/>
- <title text="RHEL 8 must enable the SELinux targeted policy."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_host_based_files" ownerid="RHEL-08-010460" disa="366" severity="high">
- <VMSinfo VKey="230283" SVKey="230283r6277" VRelease="r627750"/>
- <title text="There must be no shosts.equiv files on the RHEL 8 operating system."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_user_host_based_files" ownerid="RHEL-08-010470" disa="366" severity="high">
- <VMSinfo VKey="230284" SVKey="230284r6277" VRelease="r627750"/>
- <title text="There must be no .shosts files on the RHEL 8 operating system."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_rngd_enabled" ownerid="RHEL-08-010471" disa="366" severity="low">
- <VMSinfo VKey="230285" SVKey="230285r6277" VRelease="r627750"/>
- <title text="RHEL 8 must enable the hardware random number generator entropy gatherer service."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_sshd_pub_key" ownerid="RHEL-08-010480" disa="366" severity="medium">
- <VMSinfo VKey="230286" SVKey="230286r6277" VRelease="r627750"/>
- <title text="The RHEL 8 SSH public host key files must have mode 0644 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_sshd_private_key" ownerid="RHEL-08-010490" disa="366" severity="medium">
- <VMSinfo VKey="230287" SVKey="230287r6277" VRelease="r627750"/>
- <title text="The RHEL 8 SSH private host key files must have mode 0640 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_enable_strictmodes" ownerid="RHEL-08-010500" disa="366" severity="medium">
- <VMSinfo VKey="230288" SVKey="230288r6277" VRelease="r627750"/>
- <title text="The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_compression" ownerid="RHEL-08-010510" disa="366" severity="medium">
- <VMSinfo VKey="230289" SVKey="230289r6277" VRelease="r627750"/>
- <title text="The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_user_known_hosts" ownerid="RHEL-08-010520" disa="366" severity="medium">
- <VMSinfo VKey="230290" SVKey="230290r6277" VRelease="r627750"/>
- <title text="The RHEL 8 SSH daemon must not allow authentication using known hosts authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_kerb_auth" ownerid="RHEL-08-010521" disa="366" severity="medium">
- <VMSinfo VKey="230291" SVKey="230291r6277" VRelease="r627750"/>
- <title text="The RHEL 8 SSH daemon must not allow unused methods of authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_var" ownerid="RHEL-08-010540" disa="366" severity="low">
- <VMSinfo VKey="230292" SVKey="230292r6277" VRelease="r627750"/>
- <title text="RHEL 8 must use a separate file system for /var."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_var_log" ownerid="RHEL-08-010541" disa="366" severity="low">
- <VMSinfo VKey="230293" SVKey="230293r6277" VRelease="r627750"/>
- <title text="RHEL 8 must use a separate file system for /var/log."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_var_log_audit" ownerid="RHEL-08-010542" disa="366" severity="low">
- <VMSinfo VKey="230294" SVKey="230294r6277" VRelease="r627750"/>
- <title text="RHEL 8 must use a separate file system for the system audit data path."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_tmp" ownerid="RHEL-08-010543" disa="366" severity="medium">
- <VMSinfo VKey="230295" SVKey="230295r6277" VRelease="r627750"/>
- <title text="A separate RHEL 8 filesystem must be used for the /tmp directory."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="RHEL-08-010550" disa="770" severity="medium">
- <VMSinfo VKey="230296" SVKey="230296r6277" VRelease="r627750"/>
- <title text="RHEL 8 must not permit direct logons to the root account using remote access via SSH."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="RHEL-08-010560" disa="366" severity="medium">
- <VMSinfo VKey="230297" SVKey="230297r6277" VRelease="r627750"/>
- <title text="The auditd service must be running in RHEL 8."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_rsyslog_enabled" ownerid="RHEL-08-010561" disa="366" severity="medium">
- <VMSinfo VKey="230298" SVKey="230298r6277" VRelease="r627750"/>
- <title text="The rsyslog service must be running in RHEL 8."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_home_nosuid" ownerid="RHEL-08-010570" disa="366" severity="medium">
- <VMSinfo VKey="230299" SVKey="230299r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_boot_nosuid" ownerid="RHEL-08-010571" disa="366" severity="medium">
- <VMSinfo VKey="230300" SVKey="230300r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_nodev_nonroot_local_partitions" ownerid="RHEL-08-010580" disa="366" severity="medium">
- <VMSinfo VKey="230301" SVKey="230301r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent special devices on non-root local partitions."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_sendmail_removed" ownerid="RHEL-08-010590" disa="366" severity="medium">
- <VMSinfo VKey="230302" SVKey="230302r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent code from being executed on file systems that contain user home directories."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_nodev_removable_partitions" ownerid="RHEL-08-010600" disa="366" severity="medium">
- <VMSinfo VKey="230303" SVKey="230303r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent special devices on file systems that are used with removable media."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_noexec_removable_partitions" ownerid="RHEL-08-010610" disa="366" severity="medium">
- <VMSinfo VKey="230304" SVKey="230304r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent code from being executed on file systems that are used with removable media."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_nosuid_removable_partitions" ownerid="RHEL-08-010620" disa="366" severity="medium">
- <VMSinfo VKey="230305" SVKey="230305r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_noexec_remote_filesystems" ownerid="RHEL-08-010630" disa="366" severity="medium">
- <VMSinfo VKey="230306" SVKey="230306r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS)."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_nodev_remote_filesystems" ownerid="RHEL-08-010640" disa="366" severity="medium">
- <VMSinfo VKey="230307" SVKey="230307r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS)."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_nosuid_remote_filesystems" ownerid="RHEL-08-010650" disa="366" severity="medium">
- <VMSinfo VKey="230308" SVKey="230308r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_dot_no_world_writable_programs" ownerid="RHEL-08-010660" disa="366" severity="medium">
- <VMSinfo VKey="230309" SVKey="230309r6277" VRelease="r627750"/>
- <title text="Local RHEL 8 initialization files must not execute world-writable programs."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_kdump_disabled" ownerid="RHEL-08-010670" disa="366" severity="medium">
- <VMSinfo VKey="230310" SVKey="230310r6277" VRelease="r627750"/>
- <title text="RHEL 8 must disable kernel dumps unless needed."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_kernel_core_pattern" ownerid="RHEL-08-010671" disa="366" severity="medium">
- <VMSinfo VKey="230311" SVKey="230311r6277" VRelease="r627750"/>
- <title text="RHEL 8 must disable the kernel.core_pattern."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_systemd-coredump_disabled" ownerid="RHEL-08-010672" disa="366" severity="medium">
- <VMSinfo VKey="230312" SVKey="230312r6277" VRelease="r627750"/>
- <title text="RHEL 8 must disable acquiring, saving, and processing core dumps."/>
- </overlay>
- <overlay owner="disastig" ruleid="disable_users_coredumps" ownerid="RHEL-08-010673" disa="366" severity="medium">
- <VMSinfo VKey="230313" SVKey="230313r6277" VRelease="r627750"/>
- <title text="RHEL 8 must disable core dumps for all users."/>
- </overlay>
- <overlay owner="disastig" ruleid="coredump_disable_storage" ownerid="RHEL-08-010674" disa="366" severity="medium">
- <VMSinfo VKey="230314" SVKey="230314r6277" VRelease="r627750"/>
- <title text="RHEL 8 must disable storing core dumps."/>
- </overlay>
- <overlay owner="disastig" ruleid="coredump_disable_backtraces" ownerid="RHEL-08-010675" disa="366" severity="medium">
- <VMSinfo VKey="230315" SVKey="230315r6277" VRelease="r627750"/>
- <title text="RHEL 8 must disable core dump backtraces."/>
- </overlay>
- <overlay owner="disastig" ruleid="network_configure_name_resolution" ownerid="RHEL-08-010680" disa="366" severity="medium">
- <VMSinfo VKey="230316" SVKey="230316r6277" VRelease="r627750"/>
- <title text="For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_home_paths_only" ownerid="RHEL-08-010690" disa="366" severity="medium">
- <VMSinfo VKey="230317" SVKey="230317r6277" VRelease="r627750"/>
- <title text="Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."/>
- </overlay>
- <overlay owner="disastig" ruleid="dir_perms_world_writable_root_owned" ownerid="RHEL-08-010700" disa="366" severity="medium">
- <VMSinfo VKey="230318" SVKey="230318r6277" VRelease="r627750"/>
- <title text="All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_sendmail_removed" ownerid="RHEL-08-010710" disa="366" severity="medium">
- <VMSinfo VKey="230319" SVKey="230319r6277" VRelease="r627750"/>
- <title text="All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_defined" ownerid="RHEL-08-010720" disa="366" severity="medium">
- <VMSinfo VKey="230320" SVKey="230320r6277" VRelease="r627750"/>
- <title text="All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_home_directories" ownerid="RHEL-08-010730" disa="366" severity="medium">
- <VMSinfo VKey="230321" SVKey="230321r6277" VRelease="r627750"/>
- <title text="All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_groupownership_home_directories" ownerid="RHEL-08-010740" disa="366" severity="medium">
- <VMSinfo VKey="230322" SVKey="230322r6277" VRelease="r627750"/>
- <title text="All RHEL 8 local interactive user home directories must be group-owned by the home directory owners primary group."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_exists" ownerid="RHEL-08-010750" disa="366" severity="medium">
- <VMSinfo VKey="230323" SVKey="230323r6277" VRelease="r627750"/>
- <title text="All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_have_homedir_login_defs" ownerid="RHEL-08-010760" disa="366" severity="medium">
- <VMSinfo VKey="230324" SVKey="230324r6277" VRelease="r627750"/>
- <title text="All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permission_user_init_files" ownerid="RHEL-08-010770" disa="366" severity="medium">
- <VMSinfo VKey="230325" SVKey="230325r6277" VRelease="r627750"/>
- <title text="All RHEL 8 local initialization files must have mode 0740 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_files_unowned_by_user" ownerid="RHEL-08-010780" disa="366" severity="medium">
- <VMSinfo VKey="230326" SVKey="230326r6277" VRelease="r627750"/>
- <title text="All RHEL 8 local files and directories must have a valid owner."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_ungroupowned" ownerid="RHEL-08-010790" disa="366" severity="medium">
- <VMSinfo VKey="230327" SVKey="230327r6277" VRelease="r627750"/>
- <title text="All RHEL 8 local files and directories must have a valid group owner."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_home" ownerid="RHEL-08-010800" disa="366" severity="medium">
- <VMSinfo VKey="230328" SVKey="230328r6277" VRelease="r627750"/>
- <title text="A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)."/>
- </overlay>
- <overlay owner="disastig" ruleid="gnome_gdm_disable_automatic_login" ownerid="RHEL-08-010820" disa="366" severity="high">
- <VMSinfo VKey="230329" SVKey="230329r6277" VRelease="r627750"/>
- <title text="Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_do_not_permit_user_env" ownerid="RHEL-08-010830" disa="366" severity="medium">
- <VMSinfo VKey="230330" SVKey="230330r6468" VRelease="r646870"/>
- <title text="RHEL 8 must not allow users to override SSH environment variables."/>
- </overlay>
- <overlay owner="disastig" ruleid="account_temp_expire_date" ownerid="RHEL-08-020000" disa="16" severity="medium">
- <VMSinfo VKey="230331" SVKey="230331r6277" VRelease="r627750"/>
- <title text="RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020010" disa="44" severity="medium">
- <VMSinfo VKey="230332" SVKey="230332r6277" VRelease="r627750"/>
- <title text="RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020011" disa="44" severity="medium">
- <VMSinfo VKey="230333" SVKey="230333r6277" VRelease="r627750"/>
- <title text="RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_interval" ownerid="RHEL-08-020012" disa="44" severity="medium">
- <VMSinfo VKey="230334" SVKey="230334r6277" VRelease="r627750"/>
- <title text="RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020013" disa="44" severity="medium">
- <VMSinfo VKey="230335" SVKey="230335r6277" VRelease="r627750"/>
- <title text="RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_unlock_time" ownerid="RHEL-08-020014" disa="44" severity="medium">
- <VMSinfo VKey="230336" SVKey="230336r6277" VRelease="r627750"/>
- <title text="RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020015" disa="44" severity="medium">
- <VMSinfo VKey="230337" SVKey="230337r6277" VRelease="r627750"/>
- <title text="RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020016" disa="44" severity="medium">
- <VMSinfo VKey="230338" SVKey="230338r6277" VRelease="r627750"/>
- <title text="RHEL 8 must ensure account lockouts persist."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020017" disa="44" severity="medium">
- <VMSinfo VKey="230339" SVKey="230339r6277" VRelease="r627750"/>
- <title text="RHEL 8 must ensure account lockouts persist."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020018" disa="44" severity="medium">
- <VMSinfo VKey="230340" SVKey="230340r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020019" disa="44" severity="medium">
- <VMSinfo VKey="230341" SVKey="230341r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020020" disa="44" severity="medium">
- <VMSinfo VKey="230342" SVKey="230342r6468" VRelease="r646872"/>
- <title text="RHEL 8 must log user name information when unsuccessful logon attempts occur."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020021" disa="44" severity="medium">
- <VMSinfo VKey="230343" SVKey="230343r6277" VRelease="r627750"/>
- <title text="RHEL 8 must log user name information when unsuccessful logon attempts occur."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny_root" ownerid="RHEL-08-020022" disa="44" severity="medium">
- <VMSinfo VKey="230344" SVKey="230344r6468" VRelease="r646874"/>
- <title text="RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-08-020023" disa="44" severity="medium">
- <VMSinfo VKey="230345" SVKey="230345r6277" VRelease="r627750"/>
- <title text="RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_max_concurrent_login_sessions" ownerid="RHEL-08-020024" disa="54" severity="low">
- <VMSinfo VKey="230346" SVKey="230346r6277" VRelease="r627750"/>
- <title text="RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_enabled" ownerid="RHEL-08-020030" disa="56" severity="medium">
- <VMSinfo VKey="230347" SVKey="230347r6277" VRelease="r627750"/>
- <title text="RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions."/>
- </overlay>
- <overlay owner="disastig" ruleid="configure_tmux_lock_command" ownerid="RHEL-08-020040" disa="56" severity="medium">
- <VMSinfo VKey="230348" SVKey="230348r6277" VRelease="r627750"/>
- <title text="RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions."/>
- </overlay>
- <overlay owner="disastig" ruleid="configure_bashrc_exec_tmux" ownerid="RHEL-08-020041" disa="56" severity="medium">
- <VMSinfo VKey="230349" SVKey="230349r6277" VRelease="r627750"/>
- <title text="RHEL 8 must ensure session control is automatically started at shell initialization."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_tmux_in_shells" ownerid="RHEL-08-020042" disa="56" severity="low">
- <VMSinfo VKey="230350" SVKey="230350r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent users from disabling session control mechanisms."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_lock_screen_on_smartcard_removal" ownerid="RHEL-08-020050" disa="56" severity="medium">
- <VMSinfo VKey="230351" SVKey="230351r6277" VRelease="r627750"/>
- <title text="RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_delay" ownerid="RHEL-08-020060" disa="57" severity="medium">
- <VMSinfo VKey="230352" SVKey="230352r6468" VRelease="r646876"/>
- <title text="RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity."/>
- </overlay>
- <overlay owner="disastig" ruleid="configure_tmux_lock_after_time" ownerid="RHEL-08-020070" disa="57" severity="medium">
- <VMSinfo VKey="230353" SVKey="230353r6277" VRelease="r627750"/>
- <title text="RHEL 8 must automatically lock command line user sessions after 15 minutes of inactivity."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020080" disa="57" severity="medium">
- <VMSinfo VKey="230354" SVKey="230354r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent a user from overriding graphical user interface settings."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020090" disa="187" severity="medium">
- <VMSinfo VKey="230355" SVKey="230355r6277" VRelease="r627750"/>
- <title text="RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_retry" ownerid="RHEL-08-020100" disa="192" severity="medium">
- <VMSinfo VKey="230356" SVKey="230356r6277" VRelease="r627750"/>
- <title text="RHEL 8 must ensure a password complexity module is enabled."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_ucredit" ownerid="RHEL-08-020110" disa="192" severity="medium">
- <VMSinfo VKey="230357" SVKey="230357r6277" VRelease="r627750"/>
- <title text="RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_lcredit" ownerid="RHEL-08-020120" disa="193" severity="medium">
- <VMSinfo VKey="230358" SVKey="230358r6277" VRelease="r627750"/>
- <title text="RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_dcredit" ownerid="RHEL-08-020130" disa="194" severity="medium">
- <VMSinfo VKey="230359" SVKey="230359r6277" VRelease="r627750"/>
- <title text="RHEL 8 must enforce password complexity by requiring that at least one numeric character be used."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_maxclassrepeat" ownerid="RHEL-08-020140" disa="195" severity="medium">
- <VMSinfo VKey="230360" SVKey="230360r6277" VRelease="r627750"/>
- <title text="RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_maxrepeat" ownerid="RHEL-08-020150" disa="195" severity="medium">
- <VMSinfo VKey="230361" SVKey="230361r6277" VRelease="r627750"/>
- <title text="RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_minclass" ownerid="RHEL-08-020160" disa="195" severity="medium">
- <VMSinfo VKey="230362" SVKey="230362r6277" VRelease="r627750"/>
- <title text="RHEL 8 must require the change of at least four character classes when passwords are changed."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_difok" ownerid="RHEL-08-020170" disa="195" severity="medium">
- <VMSinfo VKey="230363" SVKey="230363r6277" VRelease="r627750"/>
- <title text="RHEL 8 must require the change of at least 8 characters when passwords are changed."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_set_min_life_existing" ownerid="RHEL-08-020180" disa="198" severity="medium">
- <VMSinfo VKey="230364" SVKey="230364r6277" VRelease="r627750"/>
- <title text="RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_minimum_age_login_defs" ownerid="RHEL-08-020190" disa="198" severity="medium">
- <VMSinfo VKey="230365" SVKey="230365r6277" VRelease="r627750"/>
- <title text="RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_maximum_age_login_defs" ownerid="RHEL-08-020200" disa="199" severity="medium">
- <VMSinfo VKey="230366" SVKey="230366r6468" VRelease="r646878"/>
- <title text="RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_set_max_life_existing" ownerid="RHEL-08-020210" disa="199" severity="medium">
- <VMSinfo VKey="230367" SVKey="230367r6277" VRelease="r627750"/>
- <title text="RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_unix_remember" ownerid="RHEL-08-020220" disa="200" severity="medium">
- <VMSinfo VKey="230368" SVKey="230368r6277" VRelease="r627750"/>
- <title text="RHEL 8 passwords must be prohibited from reuse for a minimum of five generations."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_minlen" ownerid="RHEL-08-020230" disa="205" severity="medium">
- <VMSinfo VKey="230369" SVKey="230369r6277" VRelease="r627750"/>
- <title text="RHEL 8 passwords must have a minimum of 15 characters."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_minlen_login_defs" ownerid="RHEL-08-020231" disa="205" severity="medium">
- <VMSinfo VKey="230370" SVKey="230370r6277" VRelease="r627750"/>
- <title text="RHEL 8 passwords for new users must have a minimum of 15 characters."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-020240" disa="764" severity="medium">
- <VMSinfo VKey="230371" SVKey="230371r6277" VRelease="r627750"/>
- <title text="RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users."/>
- </overlay>
- <overlay owner="disastig" ruleid="sssd_enable_smartcards" ownerid="RHEL-08-020250" disa="765" severity="medium">
- <VMSinfo VKey="230372" SVKey="230372r6277" VRelease="r627750"/>
- <title text="RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts."/>
- </overlay>
- <overlay owner="disastig" ruleid="account_disable_post_pw_expiration" ownerid="RHEL-08-020260" disa="795" severity="medium">
- <VMSinfo VKey="230373" SVKey="230373r6277" VRelease="r627750"/>
- <title text="RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity."/>
- </overlay>
- <overlay owner="disastig" ruleid="account_temp_expire_date" ownerid="RHEL-08-020270" disa="1682" severity="medium">
- <VMSinfo VKey="230374" SVKey="230374r6277" VRelease="r627750"/>
- <title text="RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_ocredit" ownerid="RHEL-08-020280" disa="1619" severity="medium">
- <VMSinfo VKey="230375" SVKey="230375r6277" VRelease="r627750"/>
- <title text="All RHEL 8 passwords must contain at least one special character."/>
- </overlay>
- <overlay owner="disastig" ruleid="sssd_offline_cred_expiration" ownerid="RHEL-08-020290" disa="2007" severity="medium">
- <VMSinfo VKey="230376" SVKey="230376r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prohibit the use of cached authentications after one day."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_retry" ownerid="RHEL-08-020300" disa="366" severity="medium">
- <VMSinfo VKey="230377" SVKey="230377r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent the use of dictionary words for passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_logon_fail_delay" ownerid="RHEL-08-020310" disa="366" severity="medium">
- <VMSinfo VKey="230378" SVKey="230378r6277" VRelease="r627750"/>
- <title text="RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_sendmail_removed" ownerid="RHEL-08-020320" disa="366" severity="medium">
- <VMSinfo VKey="230379" SVKey="230379r6277" VRelease="r627750"/>
- <title text="RHEL 8 must not have unnecessary accounts."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_empty_passwords" ownerid="RHEL-08-020330" disa="366" severity="high">
- <VMSinfo VKey="230380" SVKey="230380r6277" VRelease="r627750"/>
- <title text="RHEL 8 must not have accounts configured with blank or null passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="display_login_attempts" ownerid="RHEL-08-020340" disa="366" severity="low">
- <VMSinfo VKey="230381" SVKey="230381r6277" VRelease="r627750"/>
- <title text="RHEL 8 must display the date and time of the last successful account logon upon logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_print_last_log" ownerid="RHEL-08-020350" disa="366" severity="medium">
- <VMSinfo VKey="230382" SVKey="230382r6277" VRelease="r627750"/>
- <title text="RHEL 8 must display the date and time of the last successful account logon upon an SSH logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_umask_etc_login_defs" ownerid="RHEL-08-020351" disa="366" severity="medium">
- <VMSinfo VKey="230383" SVKey="230383r6277" VRelease="r627750"/>
- <title text="RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_umask_interactive_users" ownerid="RHEL-08-020352" disa="366" severity="medium">
- <VMSinfo VKey="230384" SVKey="230384r6277" VRelease="r627750"/>
- <title text="RHEL 8 must set the umask value to 077 for all local interactive user accounts."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_umask_etc_bashrc" ownerid="RHEL-08-020353" disa="366" severity="medium">
- <VMSinfo VKey="230385" SVKey="230385r6277" VRelease="r627750"/>
- <title text="RHEL 8 must define default permissions for logon and non-logon shells."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030000" disa="2233" severity="medium">
- <VMSinfo VKey="230386" SVKey="230386r6277" VRelease="r627750"/>
- <title text="The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_cron_logging" ownerid="RHEL-08-030010" disa="366" severity="medium">
- <VMSinfo VKey="230387" SVKey="230387r6277" VRelease="r627750"/>
- <title text="Cron logging must be implemented in RHEL 8."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_data_retention_action_mail_acct" ownerid="RHEL-08-030020" disa="139" severity="medium">
- <VMSinfo VKey="230388" SVKey="230388r6277" VRelease="r627750"/>
- <title text="The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event."/>
- </overlay>
- <overlay owner="disastig" ruleid="postfix_client_configure_mail_alias" ownerid="RHEL-08-030030" disa="139" severity="medium">
- <VMSinfo VKey="230389" SVKey="230389r6277" VRelease="r627750"/>
- <title text="The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_data_disk_error_action" ownerid="RHEL-08-030040" disa="140" severity="medium">
- <VMSinfo VKey="230390" SVKey="230390r6277" VRelease="r627750"/>
- <title text="The RHEL 8 System must take appropriate action when an audit processing failure occurs."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_data_retention_max_log_file_action" ownerid="RHEL-08-030050" disa="140" severity="medium">
- <VMSinfo VKey="230391" SVKey="230391r6277" VRelease="r627750"/>
- <title text="The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_data_disk_full_action" ownerid="RHEL-08-030060" disa="140" severity="medium">
- <VMSinfo VKey="230392" SVKey="230392r6277" VRelease="r627750"/>
- <title text="The RHEL 8 audit system must take appropriate action when the audit storage volume is full."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030061" disa="366" severity="medium">
- <VMSinfo VKey="230393" SVKey="230393r6277" VRelease="r627750"/>
- <title text="The RHEL 8 audit system must audit local events."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_name_format" ownerid="RHEL-08-030062" disa="1851" severity="medium">
- <VMSinfo VKey="230394" SVKey="230394r6277" VRelease="r627750"/>
- <title text="RHEL 8 must label all off-loaded audit logs before sending them to the central log server."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_log_format" ownerid="RHEL-08-030063" disa="366" severity="low">
- <VMSinfo VKey="230395" SVKey="230395r6277" VRelease="r627750"/>
- <title text="RHEL 8 must resolve audit information before writing to disk."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_var_log_audit" ownerid="RHEL-08-030070" disa="162" severity="medium">
- <VMSinfo VKey="230396" SVKey="230396r6277" VRelease="r627750"/>
- <title text="RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_ownership_var_log_audit" ownerid="RHEL-08-030080" disa="162" severity="medium">
- <VMSinfo VKey="230397" SVKey="230397r6277" VRelease="r627750"/>
- <title text="RHEL 8 audit logs must be owned by root to prevent unauthorized read access."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_var_log_audit" ownerid="RHEL-08-030090" disa="162" severity="medium">
- <VMSinfo VKey="230398" SVKey="230398r6277" VRelease="r627750"/>
- <title text="RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_var_log_audit" ownerid="RHEL-08-030100" disa="162" severity="medium">
- <VMSinfo VKey="230399" SVKey="230399r6277" VRelease="r627750"/>
- <title text="RHEL 8 audit log directory must be owned by root to prevent unauthorized read access."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_var_log_audit" ownerid="RHEL-08-030110" disa="162" severity="medium">
- <VMSinfo VKey="230400" SVKey="230400r6277" VRelease="r627750"/>
- <title text="RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access."/>
- </overlay>
- <overlay owner="disastig" ruleid="directory_permissions_var_log_audit" ownerid="RHEL-08-030120" disa="162" severity="medium">
- <VMSinfo VKey="230401" SVKey="230401r6277" VRelease="r627750"/>
- <title text="RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_immutable" ownerid="RHEL-08-030121" disa="162" severity="medium">
- <VMSinfo VKey="230402" SVKey="230402r6277" VRelease="r627750"/>
- <title text="RHEL 8 audit system must protect auditing rules from unauthorized change."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_immutable_login_uids" ownerid="RHEL-08-030122" disa="162" severity="medium">
- <VMSinfo VKey="230403" SVKey="230403r6277" VRelease="r627750"/>
- <title text="RHEL 8 audit system must protect logon UIDs from unauthorized change."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_shadow" ownerid="RHEL-08-030130" disa="169" severity="medium">
- <VMSinfo VKey="230404" SVKey="230404r6277" VRelease="r627750"/>
- <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_opasswd" ownerid="RHEL-08-030140" disa="169" severity="medium">
- <VMSinfo VKey="230405" SVKey="230405r6277" VRelease="r627750"/>
- <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="RHEL-08-030150" disa="169" severity="medium">
- <VMSinfo VKey="230406" SVKey="230406r6277" VRelease="r627750"/>
- <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_gshadow" ownerid="RHEL-08-030160" disa="169" severity="medium">
- <VMSinfo VKey="230407" SVKey="230407r6277" VRelease="r627750"/>
- <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_group" ownerid="RHEL-08-030170" disa="169" severity="medium">
- <VMSinfo VKey="230408" SVKey="230408r6277" VRelease="r627750"/>
- <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030171" disa="169" severity="medium">
- <VMSinfo VKey="230409" SVKey="230409r6277" VRelease="r627750"/>
- <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_sysadmin_actions" ownerid="RHEL-08-030172" disa="169" severity="medium">
- <VMSinfo VKey="230410" SVKey="230410r6277" VRelease="r627750"/>
- <title text="RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_audit_installed" ownerid="RHEL-08-030180" disa="169" severity="medium">
- <VMSinfo VKey="230411" SVKey="230411r6468" VRelease="r646881"/>
- <title text="RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030190" disa="169" severity="medium">
- <VMSinfo VKey="230412" SVKey="230412r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030200" disa="169" severity="medium">
- <VMSinfo VKey="230413" SVKey="230413r6277" VRelease="r627750"/>
- <title text="The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030210" disa="169" severity="medium">
- <VMSinfo VKey="230414" SVKey="230414r6277" VRelease="r627750"/>
- <title text="The RHEL 8 audit system must be configured to audit any usage of the removexattr system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030220" disa="169" severity="medium">
- <VMSinfo VKey="230415" SVKey="230415r6277" VRelease="r627750"/>
- <title text="The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030230" disa="169" severity="medium">
- <VMSinfo VKey="230416" SVKey="230416r6277" VRelease="r627750"/>
- <title text="The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030240" disa="169" severity="medium">
- <VMSinfo VKey="230417" SVKey="230417r6277" VRelease="r627750"/>
- <title text="The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030250" disa="169" severity="medium">
- <VMSinfo VKey="230418" SVKey="230418r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030260" disa="169" severity="medium">
- <VMSinfo VKey="230419" SVKey="230419r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030270" disa="169" severity="medium">
- <VMSinfo VKey="230420" SVKey="230420r6277" VRelease="r627750"/>
- <title text="The RHEL 8 audit system must be configured to audit any usage of the setxattr system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030280" disa="169" severity="medium">
- <VMSinfo VKey="230421" SVKey="230421r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030290" disa="169" severity="medium">
- <VMSinfo VKey="230422" SVKey="230422r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030300" disa="169" severity="medium">
- <VMSinfo VKey="230423" SVKey="230423r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030301" disa="169" severity="medium">
- <VMSinfo VKey="230424" SVKey="230424r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030302" disa="169" severity="medium">
- <VMSinfo VKey="230425" SVKey="230425r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030310" disa="169" severity="medium">
- <VMSinfo VKey="230426" SVKey="230426r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030311" disa="169" severity="medium">
- <VMSinfo VKey="230427" SVKey="230427r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030312" disa="169" severity="medium">
- <VMSinfo VKey="230428" SVKey="230428r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030313" disa="169" severity="medium">
- <VMSinfo VKey="230429" SVKey="230429r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030314" disa="169" severity="medium">
- <VMSinfo VKey="230430" SVKey="230430r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030315" disa="169" severity="medium">
- <VMSinfo VKey="230431" SVKey="230431r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030316" disa="169" severity="medium">
- <VMSinfo VKey="230432" SVKey="230432r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030317" disa="169" severity="medium">
- <VMSinfo VKey="230433" SVKey="230433r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030320" disa="169" severity="medium">
- <VMSinfo VKey="230434" SVKey="230434r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030330" disa="169" severity="medium">
- <VMSinfo VKey="230435" SVKey="230435r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030340" disa="169" severity="medium">
- <VMSinfo VKey="230436" SVKey="230436r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030350" disa="169" severity="medium">
- <VMSinfo VKey="230437" SVKey="230437r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030360" disa="169" severity="medium">
- <VMSinfo VKey="230438" SVKey="230438r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030361" disa="169" severity="medium">
- <VMSinfo VKey="230439" SVKey="230439r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030362" disa="169" severity="medium">
- <VMSinfo VKey="230440" SVKey="230440r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030363" disa="169" severity="medium">
- <VMSinfo VKey="230441" SVKey="230441r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030364" disa="169" severity="medium">
- <VMSinfo VKey="230442" SVKey="230442r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030365" disa="169" severity="medium">
- <VMSinfo VKey="230443" SVKey="230443r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030370" disa="169" severity="medium">
- <VMSinfo VKey="230444" SVKey="230444r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030380" disa="169" severity="medium">
- <VMSinfo VKey="230445" SVKey="230445r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030390" disa="169" severity="medium">
- <VMSinfo VKey="230446" SVKey="230446r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030400" disa="169" severity="medium">
- <VMSinfo VKey="230447" SVKey="230447r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030410" disa="169" severity="medium">
- <VMSinfo VKey="230448" SVKey="230448r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030420" disa="169" severity="medium">
- <VMSinfo VKey="230449" SVKey="230449r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030430" disa="169" severity="medium">
- <VMSinfo VKey="230450" SVKey="230450r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030440" disa="169" severity="medium">
- <VMSinfo VKey="230451" SVKey="230451r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030450" disa="169" severity="medium">
- <VMSinfo VKey="230452" SVKey="230452r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030460" disa="169" severity="medium">
- <VMSinfo VKey="230453" SVKey="230453r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030470" disa="169" severity="medium">
- <VMSinfo VKey="230454" SVKey="230454r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030480" disa="169" severity="medium">
- <VMSinfo VKey="230455" SVKey="230455r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030490" disa="169" severity="medium">
- <VMSinfo VKey="230456" SVKey="230456r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030500" disa="169" severity="medium">
- <VMSinfo VKey="230457" SVKey="230457r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030510" disa="169" severity="medium">
- <VMSinfo VKey="230458" SVKey="230458r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030520" disa="169" severity="medium">
- <VMSinfo VKey="230459" SVKey="230459r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030530" disa="169" severity="medium">
- <VMSinfo VKey="230460" SVKey="230460r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030540" disa="169" severity="medium">
- <VMSinfo VKey="230461" SVKey="230461r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030550" disa="169" severity="medium">
- <VMSinfo VKey="230462" SVKey="230462r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030560" disa="169" severity="medium">
- <VMSinfo VKey="230463" SVKey="230463r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030570" disa="169" severity="medium">
- <VMSinfo VKey="230464" SVKey="230464r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030580" disa="169" severity="medium">
- <VMSinfo VKey="230465" SVKey="230465r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_local_events" ownerid="RHEL-08-030590" disa="169" severity="medium">
- <VMSinfo VKey="230466" SVKey="230466r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_login_events_lastlog" ownerid="RHEL-08-030600" disa="169" severity="medium">
- <VMSinfo VKey="230467" SVKey="230467r6277" VRelease="r627750"/>
- <title text="Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_audit_argument" ownerid="RHEL-08-030601" disa="169" severity="low">
- <VMSinfo VKey="230468" SVKey="230468r6277" VRelease="r627750"/>
- <title text="RHEL 8 must enable auditing of processes that start prior to the audit daemon."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_audit_backlog_limit_argument" ownerid="RHEL-08-030602" disa="1849" severity="low">
- <VMSinfo VKey="230469" SVKey="230469r6277" VRelease="r627750"/>
- <title text="RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon."/>
- </overlay>
- <overlay owner="disastig" ruleid="configure_usbguard_auditbackend" ownerid="RHEL-08-030603" disa="169" severity="low">
- <VMSinfo VKey="230470" SVKey="230470r6277" VRelease="r627750"/>
- <title text="RHEL 8 must enable Linux audit logging for the USBGuard daemon."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030610" disa="171" severity="medium">
- <VMSinfo VKey="230471" SVKey="230471r6277" VRelease="r627750"/>
- <title text="RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030620" disa="1493" severity="medium">
- <VMSinfo VKey="230472" SVKey="230472r6277" VRelease="r627750"/>
- <title text="RHEL 8 audit tools must have a mode of 0755 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030630" disa="1493" severity="medium">
- <VMSinfo VKey="230473" SVKey="230473r6277" VRelease="r627750"/>
- <title text="RHEL 8 audit tools must be owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030640" disa="1493" severity="medium">
- <VMSinfo VKey="230474" SVKey="230474r6277" VRelease="r627750"/>
- <title text="RHEL 8 audit tools must be group-owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-030650" disa="1496" severity="medium">
- <VMSinfo VKey="230475" SVKey="230475r6277" VRelease="r627750"/>
- <title text="RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_audit_backlog_limit_argument" ownerid="RHEL-08-030660" disa="1849" severity="medium">
- <VMSinfo VKey="230476" SVKey="230476r6277" VRelease="r627750"/>
- <title text="RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_rsyslog_installed" ownerid="RHEL-08-030670" disa="366" severity="medium">
- <VMSinfo VKey="230477" SVKey="230477r6277" VRelease="r627750"/>
- <title text="RHEL 8 must have the packages required for offloading audit logs installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_rsyslog-gnutls_installed" ownerid="RHEL-08-030680" disa="366" severity="medium">
- <VMSinfo VKey="230478" SVKey="230478r6277" VRelease="r627750"/>
- <title text="RHEL 8 must have the packages required for encrypting offloaded audit logs installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-08-030690" disa="1851" severity="medium">
- <VMSinfo VKey="230479" SVKey="230479r6277" VRelease="r627750"/>
- <title text="The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-08-030700" disa="1851" severity="medium">
- <VMSinfo VKey="230480" SVKey="230480r6277" VRelease="r627750"/>
- <title text="RHEL 8 must take appropriate action when the internal event queue is full."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-08-030710" disa="1851" severity="medium">
- <VMSinfo VKey="230481" SVKey="230481r6277" VRelease="r627750"/>
- <title text="RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-08-030720" disa="1851" severity="medium">
- <VMSinfo VKey="230482" SVKey="230482r6277" VRelease="r627750"/>
- <title text="RHEL 8 must authenticate the remote logging server for off-loading audit logs."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_data_retention_space_left" ownerid="RHEL-08-030730" disa="1855" severity="medium">
- <VMSinfo VKey="230483" SVKey="230483r6277" VRelease="r627750"/>
- <title text="RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity."/>
- </overlay>
- <overlay owner="disastig" ruleid="chronyd_or_ntpd_set_maxpoll" ownerid="RHEL-08-030740" disa="1891" severity="medium">
- <VMSinfo VKey="230484" SVKey="230484r6277" VRelease="r627750"/>
- <title text="RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."/>
- </overlay>
- <overlay owner="disastig" ruleid="chronyd_client_only" ownerid="RHEL-08-030741" disa="381" severity="low">
- <VMSinfo VKey="230485" SVKey="230485r6277" VRelease="r627750"/>
- <title text="RHEL 8 must disable the chrony daemon from acting as a server."/>
- </overlay>
- <overlay owner="disastig" ruleid="chronyd_no_chronyc_network" ownerid="RHEL-08-030742" disa="381" severity="low">
- <VMSinfo VKey="230486" SVKey="230486r6277" VRelease="r627750"/>
- <title text="RHEL 8 must disable network management of the chrony daemon."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_telnet-server_removed" ownerid="RHEL-08-040000" disa="381" severity="high">
- <VMSinfo VKey="230487" SVKey="230487r6277" VRelease="r627750"/>
- <title text="RHEL 8 must not have the telnet-server package installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_abrt_removed" ownerid="RHEL-08-040001" disa="381" severity="medium">
- <VMSinfo VKey="230488" SVKey="230488r6277" VRelease="r627750"/>
- <title text="RHEL 8 must not have any automated bug reporting tools installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_sendmail_removed" ownerid="RHEL-08-040002" disa="381" severity="medium">
- <VMSinfo VKey="230489" SVKey="230489r6277" VRelease="r627750"/>
- <title text="RHEL 8 must not have the sendmail package installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_pti_argument" ownerid="RHEL-08-040004" disa="381" severity="low">
- <VMSinfo VKey="230491" SVKey="230491r6277" VRelease="r627750"/>
- <title text="RHEL 8 must enable mitigations against processor-based vulnerabilities."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_rsh-server_removed" ownerid="RHEL-08-040010" disa="381" severity="high">
- <VMSinfo VKey="230492" SVKey="230492r6277" VRelease="r627750"/>
- <title text="RHEL 8 must not have the rsh-server package installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_sendmail_removed" ownerid="RHEL-08-040020" disa="381" severity="medium">
- <VMSinfo VKey="230493" SVKey="230493r6277" VRelease="r627750"/>
- <title text="RHEL 8 must cover or disable the built-in or attached camera when not in use."/>
- </overlay>
- <overlay owner="disastig" ruleid="kernel_module_atm_disabled" ownerid="RHEL-08-040021" disa="381" severity="low">
- <VMSinfo VKey="230494" SVKey="230494r6277" VRelease="r627750"/>
- <title text="RHEL 8 must disable the asynchronous transfer mode (ATM) protocol."/>
- </overlay>
- <overlay owner="disastig" ruleid="kernel_module_can_disabled" ownerid="RHEL-08-040022" disa="381" severity="low">
- <VMSinfo VKey="230495" SVKey="230495r6277" VRelease="r627750"/>
- <title text="RHEL 8 must disable the controller area network (CAN) protocol."/>
- </overlay>
- <overlay owner="disastig" ruleid="kernel_module_sctp_disabled" ownerid="RHEL-08-040023" disa="381" severity="low">
- <VMSinfo VKey="230496" SVKey="230496r6277" VRelease="r627750"/>
- <title text="RHEL 8 must disable the stream control transmission (SCTP) protocol."/>
- </overlay>
- <overlay owner="disastig" ruleid="kernel_module_tipc_disabled" ownerid="RHEL-08-040024" disa="381" severity="low">
- <VMSinfo VKey="230497" SVKey="230497r6277" VRelease="r627750"/>
- <title text="RHEL 8 must disable the transparent inter-process communication (TIPC) protocol."/>
- </overlay>
- <overlay owner="disastig" ruleid="kernel_module_cramfs_disabled" ownerid="RHEL-08-040025" disa="381" severity="low">
- <VMSinfo VKey="230498" SVKey="230498r6277" VRelease="r627750"/>
- <title text="RHEL 8 must disable mounting of cramfs."/>
- </overlay>
- <overlay owner="disastig" ruleid="kernel_module_firewire-core_disabled" ownerid="RHEL-08-040026" disa="381" severity="low">
- <VMSinfo VKey="230499" SVKey="230499r6277" VRelease="r627750"/>
- <title text="RHEL 8 must disable IEEE 1394 (FireWire) Support."/>
- </overlay>
- <overlay owner="disastig" ruleid="configure_firewalld_ports" ownerid="RHEL-08-040030" disa="382" severity="medium">
- <VMSinfo VKey="230500" SVKey="230500r6277" VRelease="r627750"/>
- <title text="RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_autofs_disabled" ownerid="RHEL-08-040070" disa="778" severity="medium">
- <VMSinfo VKey="230502" SVKey="230502r6277" VRelease="r627750"/>
- <title text="The RHEL 8 file system automounter must be disabled unless required."/>
- </overlay>
- <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-08-040080" disa="778" severity="medium">
- <VMSinfo VKey="230503" SVKey="230503r6277" VRelease="r627750"/>
- <title text="RHEL 8 must be configured to disable USB mass storage."/>
- </overlay>
- <overlay owner="disastig" ruleid="configure_firewalld_ports" ownerid="RHEL-08-040090" disa="2314" severity="medium">
- <VMSinfo VKey="230504" SVKey="230504r6277" VRelease="r627750"/>
- <title text="A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_firewalld_enabled" ownerid="RHEL-08-040100" disa="2314" severity="medium">
- <VMSinfo VKey="230505" SVKey="230505r6277" VRelease="r627750"/>
- <title text="A firewall must be installed on RHEL 8."/>
- </overlay>
- <overlay owner="disastig" ruleid="wireless_disable_interfaces" ownerid="RHEL-08-040110" disa="1444" severity="medium">
- <VMSinfo VKey="230506" SVKey="230506r6277" VRelease="r627750"/>
- <title text="RHEL 8 wireless network adapters must be disabled."/>
- </overlay>
- <overlay owner="disastig" ruleid="kernel_module_bluetooth_disabled" ownerid="RHEL-08-040111" disa="1443" severity="medium">
- <VMSinfo VKey="230507" SVKey="230507r6277" VRelease="r627750"/>
- <title text="RHEL 8 Bluetooth must be disabled."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_dev_shm_nodev" ownerid="RHEL-08-040120" disa="1764" severity="medium">
- <VMSinfo VKey="230508" SVKey="230508r6277" VRelease="r627750"/>
- <title text="RHEL 8 must mount /dev/shm with the nodev option."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_dev_shm_nosuid" ownerid="RHEL-08-040121" disa="1764" severity="medium">
- <VMSinfo VKey="230509" SVKey="230509r6277" VRelease="r627750"/>
- <title text="RHEL 8 must mount /dev/shm with the nosuid option."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_dev_shm_noexec" ownerid="RHEL-08-040122" disa="1764" severity="medium">
- <VMSinfo VKey="230510" SVKey="230510r6277" VRelease="r627750"/>
- <title text="RHEL 8 must mount /dev/shm with the noexec option."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_tmp_nodev" ownerid="RHEL-08-040123" disa="1764" severity="medium">
- <VMSinfo VKey="230511" SVKey="230511r6277" VRelease="r627750"/>
- <title text="RHEL 8 must mount /tmp with the nodev option."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_tmp_nosuid" ownerid="RHEL-08-040124" disa="1764" severity="medium">
- <VMSinfo VKey="230512" SVKey="230512r6277" VRelease="r627750"/>
- <title text="RHEL 8 must mount /tmp with the nosuid option."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_tmp_noexec" ownerid="RHEL-08-040125" disa="1764" severity="medium">
- <VMSinfo VKey="230513" SVKey="230513r6277" VRelease="r627750"/>
- <title text="RHEL 8 must mount /tmp with the noexec option."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_var_log_nodev" ownerid="RHEL-08-040126" disa="1764" severity="medium">
- <VMSinfo VKey="230514" SVKey="230514r6277" VRelease="r627750"/>
- <title text="RHEL 8 must mount /var/log with the nodev option."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_var_log_nosuid" ownerid="RHEL-08-040127" disa="1764" severity="medium">
- <VMSinfo VKey="230515" SVKey="230515r6277" VRelease="r627750"/>
- <title text="RHEL 8 must mount /var/log with the nosuid option."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_var_log_noexec" ownerid="RHEL-08-040128" disa="1764" severity="medium">
- <VMSinfo VKey="230516" SVKey="230516r6277" VRelease="r627750"/>
- <title text="RHEL 8 must mount /var/log with the noexec option."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_var_log_audit_nodev" ownerid="RHEL-08-040129" disa="1764" severity="medium">
- <VMSinfo VKey="230517" SVKey="230517r6277" VRelease="r627750"/>
- <title text="RHEL 8 must mount /var/log/audit with the nodev option."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_var_log_audit_nosuid" ownerid="RHEL-08-040130" disa="1764" severity="medium">
- <VMSinfo VKey="230518" SVKey="230518r6277" VRelease="r627750"/>
- <title text="RHEL 8 must mount /var/log/audit with the nosuid option."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_var_log_audit_noexec" ownerid="RHEL-08-040131" disa="1764" severity="medium">
- <VMSinfo VKey="230519" SVKey="230519r6277" VRelease="r627750"/>
- <title text="RHEL 8 must mount /var/log/audit with the noexec option."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_var_tmp_nodev" ownerid="RHEL-08-040132" disa="1764" severity="medium">
- <VMSinfo VKey="230520" SVKey="230520r6277" VRelease="r627750"/>
- <title text="RHEL 8 must mount /var/tmp with the nodev option."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_var_tmp_nosuid" ownerid="RHEL-08-040133" disa="1764" severity="medium">
- <VMSinfo VKey="230521" SVKey="230521r6277" VRelease="r627750"/>
- <title text="RHEL 8 must mount /var/tmp with the nosuid option."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_var_tmp_noexec" ownerid="RHEL-08-040134" disa="1764" severity="medium">
- <VMSinfo VKey="230522" SVKey="230522r6277" VRelease="r627750"/>
- <title text="RHEL 8 must mount /var/tmp with the noexec option."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_fapolicyd_enabled" ownerid="RHEL-08-040135" disa="1764" severity="medium">
- <VMSinfo VKey="230523" SVKey="230523r6277" VRelease="r627750"/>
- <title text="The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_usbguard_enabled" ownerid="RHEL-08-040140" disa="1958" severity="medium">
- <VMSinfo VKey="230524" SVKey="230524r6277" VRelease="r627750"/>
- <title text="RHEL 8 must block unauthorized peripherals before establishing a connection."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-08-040150" disa="2385" severity="medium">
- <VMSinfo VKey="230525" SVKey="230525r6277" VRelease="r627750"/>
- <title text="A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_sshd_enabled" ownerid="RHEL-08-040160" disa="2418" severity="medium">
- <VMSinfo VKey="230526" SVKey="230526r6277" VRelease="r627750"/>
- <title text="All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_rekey_limit" ownerid="RHEL-08-040161" disa="68" severity="medium">
- <VMSinfo VKey="230527" SVKey="230527r6277" VRelease="r627750"/>
- <title text="RHEL 8 must force a frequent session key renegotiation for SSH connections to the server."/>
- </overlay>
- <overlay owner="disastig" ruleid="ssh_client_rekey_limit" ownerid="RHEL-08-040162" disa="68" severity="medium">
- <VMSinfo VKey="230528" SVKey="230528r6277" VRelease="r627750"/>
- <title text="RHEL 8 must force a frequent session key renegotiation for SSH connections by the client."/>
- </overlay>
- <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" ownerid="RHEL-08-040170" disa="366" severity="high">
- <VMSinfo VKey="230529" SVKey="230529r6277" VRelease="r627750"/>
- <title text="The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_disable_ctrlaltdel_reboot" ownerid="RHEL-08-040171" disa="366" severity="high">
- <VMSinfo VKey="230530" SVKey="230530r6468" VRelease="r646883"/>
- <title text="The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="disable_ctrlaltdel_burstaction" ownerid="RHEL-08-040172" disa="366" severity="high">
- <VMSinfo VKey="230531" SVKey="230531r6277" VRelease="r627750"/>
- <title text="The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_debug-shell_disabled" ownerid="RHEL-08-040180" disa="366" severity="medium">
- <VMSinfo VKey="230532" SVKey="230532r6277" VRelease="r627750"/>
- <title text="The debug-shell systemd service must be disabled on RHEL 8."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_tftp-server_removed" ownerid="RHEL-08-040190" disa="366" severity="high">
- <VMSinfo VKey="230533" SVKey="230533r6277" VRelease="r627750"/>
- <title text="The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_no_uid_except_zero" ownerid="RHEL-08-040200" disa="366" severity="high">
- <VMSinfo VKey="230534" SVKey="230534r6277" VRelease="r627750"/>
- <title text="The root account must be the only account having unrestricted access to the RHEL 8 system."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_default_accept_redirects" ownerid="RHEL-08-040210" disa="366" severity="medium">
- <VMSinfo VKey="230535" SVKey="230535r6277" VRelease="r627750"/>
- <title text="RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_send_redirects" ownerid="RHEL-08-040220" disa="366" severity="medium">
- <VMSinfo VKey="230536" SVKey="230536r6277" VRelease="r627750"/>
- <title text="RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" ownerid="RHEL-08-040230" disa="366" severity="medium">
- <VMSinfo VKey="230537" SVKey="230537r6277" VRelease="r627750"/>
- <title text="RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_source_route" ownerid="RHEL-08-040240" disa="366" severity="medium">
- <VMSinfo VKey="230538" SVKey="230538r6277" VRelease="r627750"/>
- <title text="RHEL 8 must not forward source-routed packets."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_default_accept_source_route" ownerid="RHEL-08-040250" disa="366" severity="medium">
- <VMSinfo VKey="230539" SVKey="230539r6277" VRelease="r627750"/>
- <title text="RHEL 8 must not forward source-routed packets by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_ip_forward" ownerid="RHEL-08-040260" disa="366" severity="medium">
- <VMSinfo VKey="230540" SVKey="230540r6277" VRelease="r627750"/>
- <title text="RHEL 8 must not be performing packet forwarding unless the system is a router."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_ra" ownerid="RHEL-08-040261" disa="366" severity="medium">
- <VMSinfo VKey="230541" SVKey="230541r6277" VRelease="r627750"/>
- <title text="RHEL 8 must not accept router advertisements on all IPv6 interfaces."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_default_accept_ra" ownerid="RHEL-08-040262" disa="366" severity="medium">
- <VMSinfo VKey="230542" SVKey="230542r6277" VRelease="r627750"/>
- <title text="RHEL 8 must not accept router advertisements on all IPv6 interfaces by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_send_redirects" ownerid="RHEL-08-040270" disa="366" severity="medium">
- <VMSinfo VKey="230543" SVKey="230543r6277" VRelease="r627750"/>
- <title text="RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_redirects" ownerid="RHEL-08-040280" disa="366" severity="medium">
- <VMSinfo VKey="230544" SVKey="230544r6277" VRelease="r627750"/>
- <title text="RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_kernel_unprivileged_bpf_disabled" ownerid="RHEL-08-040281" disa="366" severity="medium">
- <VMSinfo VKey="230545" SVKey="230545r6277" VRelease="r627750"/>
- <title text="RHEL 8 must disable access to network bpf syscall from unprivileged processes."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_kernel_yama_ptrace_scope" ownerid="RHEL-08-040282" disa="366" severity="medium">
- <VMSinfo VKey="230546" SVKey="230546r6277" VRelease="r627750"/>
- <title text="RHEL 8 must restrict usage of ptrace to descendant processes."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_kernel_kptr_restrict" ownerid="RHEL-08-040283" disa="366" severity="medium">
- <VMSinfo VKey="230547" SVKey="230547r6277" VRelease="r627750"/>
- <title text="RHEL 8 must restrict exposed kernel pointer addresses access."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_user_max_user_namespaces" ownerid="RHEL-08-040284" disa="366" severity="medium">
- <VMSinfo VKey="230548" SVKey="230548r6277" VRelease="r627750"/>
- <title text="RHEL 8 must disable the use of user namespaces."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_rp_filter" ownerid="RHEL-08-040285" disa="366" severity="medium">
- <VMSinfo VKey="230549" SVKey="230549r6277" VRelease="r627750"/>
- <title text="RHEL 8 must use reverse path filtering on all IPv4 interfaces."/>
- </overlay>
- <overlay owner="disastig" ruleid="postfix_prevent_unrestricted_relay" ownerid="RHEL-08-040290" disa="366" severity="medium">
- <VMSinfo VKey="230550" SVKey="230550r6277" VRelease="r627750"/>
- <title text="RHEL 8 must be configured to prevent unrestricted mail relaying."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_verify_ext_attributes" ownerid="RHEL-08-040300" disa="366" severity="low">
- <VMSinfo VKey="230551" SVKey="230551r6277" VRelease="r627750"/>
- <title text="The RHEL 8 file integrity tool must be configured to verify extended attributes."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_verify_acls" ownerid="RHEL-08-040310" disa="366" severity="low">
- <VMSinfo VKey="230552" SVKey="230552r6277" VRelease="r627750"/>
- <title text="The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs)."/>
- </overlay>
- <overlay owner="disastig" ruleid="xwindows_remove_packages" ownerid="RHEL-08-040320" disa="366" severity="medium">
- <VMSinfo VKey="230553" SVKey="230553r6468" VRelease="r646886"/>
- <title text="The graphical display manager must not be installed on RHEL 8 unless approved."/>
- </overlay>
- <overlay owner="disastig" ruleid="network_sniffer_disabled" ownerid="RHEL-08-040330" disa="366" severity="medium">
- <VMSinfo VKey="230554" SVKey="230554r6277" VRelease="r627750"/>
- <title text="RHEL 8 network interfaces must not be in promiscuous mode."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_x11_forwarding" ownerid="RHEL-08-040340" disa="366" severity="medium">
- <VMSinfo VKey="230555" SVKey="230555r6277" VRelease="r627750"/>
- <title text="RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_x11_use_localhost" ownerid="RHEL-08-040341" disa="366" severity="medium">
- <VMSinfo VKey="230556" SVKey="230556r6277" VRelease="r627750"/>
- <title text="The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display."/>
- </overlay>
- <overlay owner="disastig" ruleid="tftpd_uses_secure_mode" ownerid="RHEL-08-040350" disa="366" severity="medium">
- <VMSinfo VKey="230557" SVKey="230557r6277" VRelease="r627750"/>
- <title text="If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_vsftpd_removed" ownerid="RHEL-08-040360" disa="366" severity="high">
- <VMSinfo VKey="230558" SVKey="230558r6277" VRelease="r627750"/>
- <title text="A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_gssproxy_removed" ownerid="RHEL-08-040370" disa="381" severity="medium">
- <VMSinfo VKey="230559" SVKey="230559r6468" VRelease="r646887"/>
- <title text="The gssproxy package must not be installed unless mission essential on RHEL 8."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_iprutils_removed" ownerid="RHEL-08-040380" disa="366" severity="medium">
- <VMSinfo VKey="230560" SVKey="230560r6277" VRelease="r627750"/>
- <title text="The iprutils package must not be installed unless mission essential on RHEL 8."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_tuned_removed" ownerid="RHEL-08-040390" disa="366" severity="medium">
- <VMSinfo VKey="230561" SVKey="230561r6277" VRelease="r627750"/>
- <title text="The tuned package must not be installed unless mission essential on RHEL 8."/>
- </overlay>
-</overlays>
diff --git a/products/sle12/overlays/stig_overlay.xml b/products/sle12/overlays/stig_overlay.xml
deleted file mode 100644
index 7de78806ce2..00000000000
--- a/products/sle12/overlays/stig_overlay.xml
+++ /dev/null
@@ -1,811 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<overlays xmlns="http://checklists.nist.gov/xccdf/1.1">
- <overlay owner="disastig" ruleid="installed_OS_is_vendor_supported" ownerid="SLES-12-010000" disa="1230" severity="high">
- <VMSinfo VKey="217101" SVKey="217101r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must be a vendor-supported release."/>
- </overlay>
- <overlay owner="disastig" ruleid="security_patches_up_to_date" ownerid="SLES-12-010010" disa="1227" severity="medium">
- <VMSinfo VKey="217102" SVKey="217102r6032" VRelease="r603262"/>
- <title text="Vendor-packaged SUSE operating system security patches and updates must be installed and up to date."/>
- </overlay>
- <overlay owner="disastig" ruleid="gui_login_dod_acknowledgement" ownerid="SLES-12-010020" disa="50" severity="medium">
- <VMSinfo VKey="217103" SVKey="217103r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface."/>
- </overlay>
- <overlay owner="disastig" ruleid="banner_etc_issue" ownerid="SLES-12-010030" disa="48" severity="medium">
- <VMSinfo VKey="217104" SVKey="217104r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via local console."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_banner_enabled" ownerid="SLES-12-010040" disa="1388" severity="medium">
- <VMSinfo VKey="217105" SVKey="217105r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_login_banner_text" ownerid="SLES-12-010050" disa="1384" severity="medium">
- <VMSinfo VKey="217106" SVKey="217106r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-12-010060" disa="60" severity="medium">
- <VMSinfo VKey="217107" SVKey="217107r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must be able to lock the graphical user interface (GUI)."/>
- </overlay>
- <overlay owner="disastig" ruleid="vlock_installed" ownerid="SLES-12-010070" disa="58" severity="low">
- <VMSinfo VKey="217108" SVKey="217108r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must utilize vlock to allow for session locking."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_tmout" ownerid="SLES-12-010080" disa="57" severity="medium">
- <VMSinfo VKey="217109" SVKey="217109r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_tmout" ownerid="SLES-12-010090" disa="57" severity="medium">
- <VMSinfo VKey="217110" SVKey="217110r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must initiate a session lock after a 15-minute period of inactivity."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-12-010100" disa="60" severity="low">
- <VMSinfo VKey="217111" SVKey="217111r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface."/>
- </overlay>
- <overlay owner="disastig" ruleid="sudo_remove_no_authenticate" ownerid="SLES-12-010110" disa="2038" severity="high">
- <VMSinfo VKey="217112" SVKey="217112r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_max_concurrent_login_sessions" ownerid="SLES-12-010120" disa="54" severity="low">
- <VMSinfo VKey="217113" SVKey="217113r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_tally2" ownerid="SLES-12-010130" disa="44" severity="medium">
- <VMSinfo VKey="217114" SVKey="217114r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must lock an account after three consecutive invalid access attempts."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_logon_fail_delay" ownerid="SLES-12-010140" disa="366" severity="medium">
- <VMSinfo VKey="217116" SVKey="217116r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must enforce a delay of at least four (4) seconds between logon prompts following a failed logon attempt."/>
- </overlay>
- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_ucredit" ownerid="SLES-12-010150" disa="192" severity="medium">
- <VMSinfo VKey="217117" SVKey="217117r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must enforce passwords that contain at least one upper-case character."/>
- </overlay>
- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_lcredit" ownerid="SLES-12-010160" disa="193" severity="medium">
- <VMSinfo VKey="217118" SVKey="217118r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must enforce passwords that contain at least one lower-case character."/>
- </overlay>
- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_dcredit" ownerid="SLES-12-010170" disa="194" severity="medium">
- <VMSinfo VKey="217119" SVKey="217119r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must enforce passwords that contain at least one numeric character."/>
- </overlay>
- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_ocredit" ownerid="SLES-12-010180" disa="1619" severity="medium">
- <VMSinfo VKey="217120" SVKey="217120r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must enforce passwords that contain at least one special character."/>
- </overlay>
- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_difok" ownerid="SLES-12-010190" disa="195" severity="medium">
- <VMSinfo VKey="217121" SVKey="217121r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must require the change of at least eight (8) of the total number of characters when passwords are changed."/>
- </overlay>
- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_logindefs" ownerid="SLES-12-010210" disa="803" severity="medium">
- <VMSinfo VKey="217122" SVKey="217122r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs)."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_all_shadowed_sha512" ownerid="SLES-12-010220" disa="196" severity="medium">
- <VMSinfo VKey="217123" SVKey="217123r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_systemauth" ownerid="SLES-12-010230" disa="803" severity="medium">
- <VMSinfo VKey="217124" SVKey="217124r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_empty_passwords" ownerid="SLES-12-010231" disa="366" severity="medium">
- <VMSinfo VKey="217125" SVKey="217125r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not be configured to allow blank or null passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="set_password_hashing_min_rounds_logindefs" ownerid="SLES-12-010240" disa="803" severity="medium">
- <VMSinfo VKey="217126" SVKey="217126r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_minlen" ownerid="SLES-12-010250" disa="205" severity="medium">
- <VMSinfo VKey="217127" SVKey="217127r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must employ passwords with a minimum of 15 characters."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_set_min_life_existing" ownerid="SLES-12-010260" disa="198" severity="medium">
- <VMSinfo VKey="217128" SVKey="217128r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (1 day)."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_minimum_age_login_defs" ownerid="SLES-12-010270" disa="198" severity="medium">
- <VMSinfo VKey="217129" SVKey="217129r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (1 day)."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_maximum_age_login_defs" ownerid="SLES-12-010280" disa="199" severity="medium">
- <VMSinfo VKey="217130" SVKey="217130r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_set_max_life_existing" ownerid="SLES-12-010290" disa="199" severity="medium">
- <VMSinfo VKey="217131" SVKey="217131r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must employ user passwords with a maximum lifetime of 60 days."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_etc_security_opasswd" ownerid="SLES-12-010300" disa="200" severity="medium">
- <VMSinfo VKey="217132" SVKey="217132r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must employ a password history file."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_pam_pwhistory_remember" ownerid="SLES-12-010310" disa="200" severity="medium">
- <VMSinfo VKey="217133" SVKey="217133r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not allow passwords to be reused for a minimum of five (5) generations."/>
- </overlay>
- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_retry" ownerid="SLES-12-010320" disa="366" severity="medium">
- <VMSinfo VKey="217134" SVKey="217134r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must prevent the use of dictionary words for passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="account_emergency_admin" ownerid="SLES-12-010330" disa="1682" severity="medium">
- <VMSinfo VKey="217135" SVKey="217135r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must never automatically remove or disable emergency administrator accounts."/>
- </overlay>
- <overlay owner="disastig" ruleid="account_disable_post_pw_expiration" ownerid="SLES-12-010340" disa="795" severity="medium">
- <VMSinfo VKey="217136" SVKey="217136r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration."/>
- </overlay>
- <overlay owner="disastig" ruleid="account_temp_expire_date" ownerid="SLES-12-010360" disa="16" severity="medium">
- <VMSinfo VKey="217137" SVKey="217137r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must provision temporary accounts with an expiration date for 72 hours."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faildelay_delay" ownerid="SLES-12-010370" disa="366" severity="medium">
- <VMSinfo VKey="217138" SVKey="217138r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt."/>
- </overlay>
- <overlay owner="disastig" ruleid="gnome_gdm_disable_automatic_login" ownerid="SLES-12-010380" disa="366" severity="high">
- <VMSinfo VKey="217139" SVKey="217139r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not allow unattended or automatic logon via the graphical user interface."/>
- </overlay>
- <overlay owner="disastig" ruleid="display_login_attempts" ownerid="SLES-12-010390" disa="366" severity="low">
- <VMSinfo VKey="217140" SVKey="217140r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must display the date and time of the last successful account logon upon logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_user_host_based_files" ownerid="SLES-12-010400" disa="366" severity="high">
- <VMSinfo VKey="217141" SVKey="217141r6032" VRelease="r603262"/>
- <title text="There must be no .shosts files on the SUSE operating system."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_host_based_files" ownerid="SLES-12-010410" disa="366" severity="high">
- <VMSinfo VKey="217142" SVKey="217142r6032" VRelease="r603262"/>
- <title text="There must be no shosts.equiv files on the SUSE operating system."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-12-010420" disa="2450" severity="medium">
- <VMSinfo VKey="217143" SVKey="217143r6032" VRelease="r603262"/>
- <title text="FIPS 140-2 mode must be enabled on the SUSE operating system."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_password" ownerid="SLES-12-010430" disa="213" severity="medium">
- <VMSinfo VKey="217144" SVKey="217144r6032" VRelease="r603262"/>
- <title text="SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_uefi_password" ownerid="SLES-12-010440" disa="213" severity="medium">
- <VMSinfo VKey="217145" SVKey="217145r6032" VRelease="r603262"/>
- <title text="SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance."/>
- </overlay>
- <overlay owner="disastig" ruleid="encrypt_partitions" ownerid="SLES-12-010450" disa="2475" severity="medium">
- <VMSinfo VKey="217146" SVKey="217146r6032" VRelease="r603262"/>
- <title text="All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection."/>
- </overlay>
- <overlay owner="disastig" ruleid="dir_perms_world_writable_sticky_bits" ownerid="SLES-12-010460" disa="1090" severity="medium">
- <VMSinfo VKey="217147" SVKey="217147r6032" VRelease="r603262"/>
- <title text="The sticky bit must be set on all SUSE operating system world-writable directories."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_aide_installed" ownerid="SLES-12-010500" disa="1744" severity="medium">
- <VMSinfo VKey="217148" SVKey="217148r6032" VRelease="r603262"/>
- <title text="Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_scan_notification" ownerid="SLES-12-010510" disa="2702" severity="medium">
- <VMSinfo VKey="217149" SVKey="217149r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must notify the System Administrator (SA) when AIDE discovers anomalies in the operation of any security functions."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_verify_acls" ownerid="SLES-12-010520" disa="366" severity="low">
- <VMSinfo VKey="217150" SVKey="217150r6032" VRelease="r603262"/>
- <title text="The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs)."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_verify_ext_attributes" ownerid="SLES-12-010530" disa="366" severity="low">
- <VMSinfo VKey="217151" SVKey="217151r6032" VRelease="r603262"/>
- <title text="The SUSE operating system file integrity tool must be configured to verify extended attributes."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_check_audit_tools" ownerid="SLES-12-010540" disa="1496" severity="medium">
- <VMSinfo VKey="217152" SVKey="217152r6032" VRelease="r603262"/>
- <title text="The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools."/>
- </overlay>
- <overlay owner="disastig" ruleid="ensure_gpgcheck_globally_activated" ownerid="SLES-12-010550" disa="1749" severity="medium">
- <VMSinfo VKey="217153" SVKey="217153r6032" VRelease="r603262"/>
- <title text="The SUSE operating system tool zypper must have gpgcheck enabled."/>
- </overlay>
- <overlay owner="disastig" ruleid="clean_components_post_updating" ownerid="SLES-12-010570" disa="2617" severity="medium">
- <VMSinfo VKey="217154" SVKey="217154r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must remove all outdated software components after updated versions have been installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="SLES-12-010580" disa="1958" severity="medium">
- <VMSinfo VKey="217155" SVKey="217155r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must disable the USB mass storage kernel module."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_autofs_disabled" ownerid="SLES-12-010590" disa="1958" severity="medium">
- <VMSinfo VKey="217156" SVKey="217156r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must disable the file system automounter unless required."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_MFEhiplsm_installed" ownerid="SLES-12-010599" disa="1233" severity="medium">
- <VMSinfo VKey="222385" SVKey="222385r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must have a host-based intrusion detection tool installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-12-010600" disa="2235" severity="medium">
- <VMSinfo VKey="217158" SVKey="217158r6032" VRelease="r603262"/>
- <title text="The SUSE operating system Apparmor tool must be configured to control whitelisted applications and user home directory access control."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-12-010610" disa="366" severity="high">
- <VMSinfo VKey="217159" SVKey="217159r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence."/>
- </overlay>
- <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" ownerid="SLES-12-010611" disa="366" severity="high">
- <VMSinfo VKey="217160" SVKey="217160r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_umask_etc_login_defs" ownerid="SLES-12-010620" disa="366" severity="medium">
- <VMSinfo VKey="217161" SVKey="217161r6032" VRelease="r603262"/>
- <title text="The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_authorized_local_users" ownerid="SLES-12-010630" disa="366" severity="medium">
- <VMSinfo VKey="217162" SVKey="217162r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not have unnecessary accounts."/>
- </overlay>
- <overlay owner="disastig" ruleid="account_unique_id" ownerid="SLES-12-010640" disa="764" severity="medium">
- <VMSinfo VKey="217163" SVKey="217163r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_no_uid_except_zero" ownerid="SLES-12-010650" disa="366" severity="high">
- <VMSinfo VKey="217164" SVKey="217164r6032" VRelease="r603262"/>
- <title text="The SUSE operating system root account must be the only account having unrestricted access to the system."/>
- </overlay>
- <overlay owner="disastig" ruleid="sssd_memcache_timeout" ownerid="SLES-12-010670" disa="2007" severity="medium">
- <VMSinfo VKey="217166" SVKey="217166r6032" VRelease="r603262"/>
- <title text="If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the use of cached authentications after one day."/>
- </overlay>
- <overlay owner="disastig" ruleid="sssd_offline_cred_expiration" ownerid="SLES-12-010680" disa="2007" severity="medium">
- <VMSinfo VKey="217167" SVKey="217167r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_files_unowned_by_user" ownerid="SLES-12-010690" disa="2165" severity="medium">
- <VMSinfo VKey="217168" SVKey="217168r6032" VRelease="r603262"/>
- <title text="All SUSE operating system files and directories must have a valid owner."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_ungroupowned" ownerid="SLES-12-010700" disa="2165" severity="medium">
- <VMSinfo VKey="217169" SVKey="217169r6032" VRelease="r603262"/>
- <title text="All SUSE operating system files and directories must have a valid group owner."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_defined" ownerid="SLES-12-010710" disa="366" severity="medium">
- <VMSinfo VKey="217170" SVKey="217170r6038" VRelease="r603883"/>
- <title text="All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_have_homedir_login_defs" ownerid="SLES-12-010720" disa="366" severity="medium">
- <VMSinfo VKey="217171" SVKey="217171r6032" VRelease="r603262"/>
- <title text="All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_exists" ownerid="SLES-12-010730" disa="366" severity="medium">
- <VMSinfo VKey="217172" SVKey="217172r6038" VRelease="r603885"/>
- <title text="All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_home_directories" ownerid="SLES-12-010740" disa="366" severity="medium">
- <VMSinfo VKey="217173" SVKey="217173r6038" VRelease="r603887"/>
- <title text="All SUSE operating system local interactive user home directories must have mode 0750 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_groupownership_home_directories" ownerid="SLES-12-010750" disa="366" severity="medium">
- <VMSinfo VKey="217174" SVKey="217174r6038" VRelease="r603889"/>
- <title text="All SUSE operating system local interactive user home directories must be group-owned by the home directory owners primary group."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permission_user_init_files" ownerid="SLES-12-010760" disa="366" severity="medium">
- <VMSinfo VKey="217175" SVKey="217175r6032" VRelease="r603262"/>
- <title text="All SUSE operating system local initialization files must have mode 0740 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_home_paths_only" ownerid="SLES-12-010770" disa="366" severity="medium">
- <VMSinfo VKey="217176" SVKey="217176r6032" VRelease="r603262"/>
- <title text="All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_dot_no_world_writable_programs" ownerid="SLES-12-010780" disa="366" severity="medium">
- <VMSinfo VKey="217177" SVKey="217177r6032" VRelease="r603262"/>
- <title text="All SUSE operating system local initialization files must not execute world-writable programs."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_home_nosuid" ownerid="SLES-12-010790" disa="366" severity="medium">
- <VMSinfo VKey="217178" SVKey="217178r6038" VRelease="r603891"/>
- <title text="SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_nosuid_removable_partitions" ownerid="SLES-12-010800" disa="366" severity="medium">
- <VMSinfo VKey="217179" SVKey="217179r6032" VRelease="r603262"/>
- <title text="SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_nosuid_remote_filesystems" ownerid="SLES-12-010810" disa="366" severity="medium">
- <VMSinfo VKey="217180" SVKey="217180r6032" VRelease="r603262"/>
- <title text="SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_noexec_remote_filesystems" ownerid="SLES-12-010820" disa="366" severity="medium">
- <VMSinfo VKey="217181" SVKey="217181r6032" VRelease="r603262"/>
- <title text="SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed."/>
- </overlay>
- <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned_group" ownerid="SLES-12-010830" disa="366" severity="medium">
- <VMSinfo VKey="217182" SVKey="217182r6032" VRelease="r603262"/>
- <title text="All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_kdump_disabled" ownerid="SLES-12-010840" disa="366" severity="medium">
- <VMSinfo VKey="217183" SVKey="217183r6032" VRelease="r603262"/>
- <title text="SUSE operating system kernel core dumps must be disabled unless needed."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_home" ownerid="SLES-12-010850" disa="366" severity="low">
- <VMSinfo VKey="217184" SVKey="217184r6038" VRelease="r603893"/>
- <title text="A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent)."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_var" ownerid="SLES-12-010860" disa="366" severity="low">
- <VMSinfo VKey="217185" SVKey="217185r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must use a separate file system for /var."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_var_log_audit" ownerid="SLES-12-010870" disa="366" severity="low">
- <VMSinfo VKey="217186" SVKey="217186r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must use a separate file system for the system audit data path."/>
- </overlay>
- <overlay owner="disastig" ruleid="run_chkstat" ownerid="SLES-12-010880" disa="1499" severity="medium">
- <VMSinfo VKey="217187" SVKey="217187r6032" VRelease="r603262"/>
- <title text="SUSE operating system commands and libraries must have the proper permissions to protect from unauthorized access."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_var_log_messages" ownerid="SLES-12-010890" disa="1314" severity="medium">
- <VMSinfo VKey="217188" SVKey="217188r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must prevent unauthorized users from accessing system error messages."/>
- </overlay>
- <overlay owner="disastig" ruleid="pam_disable_automatic_configuration" ownerid="SLES-12-010910" disa="366" severity="medium">
- <VMSinfo VKey="217189" SVKey="217189r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_audit_installed" ownerid="SLES-12-020000" disa="1914" severity="medium">
- <VMSinfo VKey="217190" SVKey="217190r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must have the auditing package installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="SLES-12-020010" disa="2884" severity="medium">
- <VMSinfo VKey="217191" SVKey="217191r6032" VRelease="r603262"/>
- <title text="SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_audispd_configure_sufficiently_large_partition" ownerid="SLES-12-020020" disa="1849" severity="medium">
- <VMSinfo VKey="217192" SVKey="217192r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_data_retention_space_left" ownerid="SLES-12-020030" disa="1855" severity="medium">
- <VMSinfo VKey="217193" SVKey="217193r6032" VRelease="r603262"/>
- <title text="The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_data_retention_action_mail_acct" ownerid="SLES-12-020040" disa="139" severity="medium">
- <VMSinfo VKey="217194" SVKey="217194r6032" VRelease="r603262"/>
- <title text="The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event."/>
- </overlay>
- <overlay owner="disastig" ruleid="postfix_client_configure_mail_alias" ownerid="SLES-12-020050" disa="139" severity="medium">
- <VMSinfo VKey="217195" SVKey="217195r6032" VRelease="r603262"/>
- <title text="The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_data_disk_full_action" ownerid="SLES-12-020060" disa="140" severity="medium">
- <VMSinfo VKey="217196" SVKey="217196r6032" VRelease="r603262"/>
- <title text="The SUSE operating system audit system must take appropriate action when the audit storage volume is full."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_audit-audispd-plugins_installed" ownerid="SLES-12-020070" disa="1851" severity="medium">
- <VMSinfo VKey="217197" SVKey="217197r6032" VRelease="r603262"/>
- <title text="The audit-audispd-plugins must be installed on the SUSE operating system."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="SLES-12-020080" disa="1851" severity="low">
- <VMSinfo VKey="217198" SVKey="217198r6032" VRelease="r603262"/>
- <title text="The SUSE operating system audit event multiplexor must be configured to use Kerberos."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="SLES-12-020090" disa="1851" severity="low">
- <VMSinfo VKey="217199" SVKey="217199r6032" VRelease="r603262"/>
- <title text="Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_audispd_network_failure_action" ownerid="SLES-12-020100" disa="1851" severity="medium">
- <VMSinfo VKey="217200" SVKey="217200r6032" VRelease="r603262"/>
- <title text="The audit system must take appropriate action when the network cannot be used to off-load audit records."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_audispd_disk_full_action" ownerid="SLES-12-020110" disa="1851" severity="medium">
- <VMSinfo VKey="217201" SVKey="217201r6032" VRelease="r603262"/>
- <title text="Audispd must take appropriate action when the SUSE operating system audit storage is full."/>
- </overlay>
- <overlay owner="disastig" ruleid="permissions_local_var_log_audit" ownerid="SLES-12-020120" disa="164" severity="medium">
- <VMSinfo VKey="217202" SVKey="217202r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must protect audit rules from unauthorized modification."/>
- </overlay>
- <overlay owner="disastig" ruleid="permissions_local_audit_binaries" ownerid="SLES-12-020130" disa="1495" severity="medium">
- <VMSinfo VKey="217203" SVKey="217203r6032" VRelease="r603262"/>
- <title text="The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_enable_syscall_auditing" ownerid="SLES-12-020199" disa="366" severity="medium">
- <VMSinfo VKey="217204" SVKey="217204r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not disable syscall auditing"/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="SLES-12-020200" disa="2132" severity="medium">
- <VMSinfo VKey="217205" SVKey="217205r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_group" ownerid="SLES-12-020210" disa="2130" severity="medium">
- <VMSinfo VKey="217206" SVKey="217206r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_shadow" ownerid="SLES-12-020220" disa="2132" severity="medium">
- <VMSinfo VKey="217207" SVKey="217207r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_opasswd" ownerid="SLES-12-020230" disa="2130" severity="medium">
- <VMSinfo VKey="217208" SVKey="217208r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_suid_privilege_function" ownerid="SLES-12-020240" disa="1882" severity="low">
- <VMSinfo VKey="217209" SVKey="217209r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the privileged functions."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_su" ownerid="SLES-12-020250" disa="2884" severity="medium">
- <VMSinfo VKey="217210" SVKey="217210r6038" VRelease="r603896"/>
- <title text="The SUSE operating system must generate audit records for all uses of the su command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-12-020260" disa="2884" severity="low">
- <VMSinfo VKey="217211" SVKey="217211r6038" VRelease="r603899"/>
- <title text="The SUSE operating system must generate audit records for all uses of the sudo command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chfn" ownerid="SLES-12-020280" disa="2884" severity="low">
- <VMSinfo VKey="217212" SVKey="217212r6039" VRelease="r603902"/>
- <title text="The SUSE operating system must generate audit records for all uses of the chfn command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_mount" ownerid="SLES-12-020290" disa="2884" severity="low">
- <VMSinfo VKey="217213" SVKey="217213r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the mount command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_umount" ownerid="SLES-12-020300" disa="2884" severity="low">
- <VMSinfo VKey="217214" SVKey="217214r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the umount command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_ssh_agent" ownerid="SLES-12-020310" disa="2884" severity="low">
- <VMSinfo VKey="217215" SVKey="217215r6039" VRelease="r603905"/>
- <title text="The SUSE operating system must generate audit records for all uses of the ssh-agent command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_ssh_keysign" ownerid="SLES-12-020320" disa="2884" severity="low">
- <VMSinfo VKey="217216" SVKey="217216r6039" VRelease="r603908"/>
- <title text="The SUSE operating system must generate audit records for all uses of the ssh-keysign command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_kmod" ownerid="SLES-12-020360" disa="2884" severity="medium">
- <VMSinfo VKey="217217" SVKey="217217r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the kmod command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_setxattr" ownerid="SLES-12-020370" disa="2884" severity="medium">
- <VMSinfo VKey="217218" SVKey="217218r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the setxattr command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fsetxattr" ownerid="SLES-12-020380" disa="2884" severity="medium">
- <VMSinfo VKey="217219" SVKey="217219r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the fsetxattr command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_removexattr" ownerid="SLES-12-020390" disa="2884" severity="medium">
- <VMSinfo VKey="217220" SVKey="217220r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the removexattr command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_lremovexattr" ownerid="SLES-12-020400" disa="2884" severity="medium">
- <VMSinfo VKey="217221" SVKey="217221r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the lremovexattr command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fremovexattr" ownerid="SLES-12-020410" disa="2884" severity="medium">
- <VMSinfo VKey="217222" SVKey="217222r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the fremovexattr command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_chown" ownerid="SLES-12-020420" disa="2884" severity="medium">
- <VMSinfo VKey="217223" SVKey="217223r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the chown command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchown" ownerid="SLES-12-020430" disa="2884" severity="medium">
- <VMSinfo VKey="217224" SVKey="217224r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the fchown command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_lchown" ownerid="SLES-12-020440" disa="2884" severity="medium">
- <VMSinfo VKey="217225" SVKey="217225r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the lchown command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchownat" ownerid="SLES-12-020450" disa="2884" severity="medium">
- <VMSinfo VKey="217226" SVKey="217226r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the fchownat command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_chmod" ownerid="SLES-12-020460" disa="2884" severity="medium">
- <VMSinfo VKey="217227" SVKey="217227r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the chmod command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmod" ownerid="SLES-12-020470" disa="2884" severity="medium">
- <VMSinfo VKey="217228" SVKey="217228r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the fchmod command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmodat" ownerid="SLES-12-020480" disa="2884" severity="medium">
- <VMSinfo VKey="217229" SVKey="217229r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the fchmodat command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open" ownerid="SLES-12-020490" disa="2884" severity="medium">
- <VMSinfo VKey="217230" SVKey="217230r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the open command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_truncate" ownerid="SLES-12-020500" disa="172" severity="medium">
- <VMSinfo VKey="217231" SVKey="217231r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the truncate command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_ftruncate" ownerid="SLES-12-020510" disa="2884" severity="medium">
- <VMSinfo VKey="217232" SVKey="217232r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the ftruncate command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_creat" ownerid="SLES-12-020520" disa="2884" severity="medium">
- <VMSinfo VKey="217233" SVKey="217233r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the creat command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_openat" ownerid="SLES-12-020530" disa="2884" severity="medium">
- <VMSinfo VKey="217234" SVKey="217234r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the openat command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open_by_handle_at" ownerid="SLES-12-020540" disa="2884" severity="medium">
- <VMSinfo VKey="217235" SVKey="217235r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the open_by_handle_at command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_passwd" ownerid="SLES-12-020550" disa="2884" severity="low">
- <VMSinfo VKey="217236" SVKey="217236r6039" VRelease="r603911"/>
- <title text="The SUSE operating system must generate audit records for all uses of the passwd command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_gpasswd" ownerid="SLES-12-020560" disa="2884" severity="low">
- <VMSinfo VKey="217237" SVKey="217237r6039" VRelease="r603914"/>
- <title text="The SUSE operating system must generate audit records for all uses of the gpasswd command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_newgrp" ownerid="SLES-12-020570" disa="2884" severity="low">
- <VMSinfo VKey="217238" SVKey="217238r6039" VRelease="r603917"/>
- <title text="The SUSE operating system must generate audit records for all uses of the newgrp command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chsh" ownerid="SLES-12-020580" disa="2884" severity="low">
- <VMSinfo VKey="217239" SVKey="217239r6039" VRelease="r603920"/>
- <title text="The SUSE operating system must generate audit records for a uses of the chsh command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_gshadow" ownerid="SLES-12-020590" disa="2130" severity="medium">
- <VMSinfo VKey="217240" SVKey="217240r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_execution_chmod" ownerid="SLES-12-020600" disa="2884" severity="medium">
- <VMSinfo VKey="217241" SVKey="217241r6039" VRelease="r603923"/>
- <title text="The SUSE operating system must generate audit records for all uses of the chmod command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_execution_setfacl" ownerid="SLES-12-020610" disa="2884" severity="medium">
- <VMSinfo VKey="217242" SVKey="217242r6039" VRelease="r603926"/>
- <title text="The SUSE operating system must generate audit records for all uses of the setfacl command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_execution_chacl" ownerid="SLES-12-020620" disa="2884" severity="medium">
- <VMSinfo VKey="217243" SVKey="217243r6039" VRelease="r603929"/>
- <title text="The SUSE operating system must generate audit records for all uses of the chacl command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_execution_chcon" ownerid="SLES-12-020630" disa="2884" severity="medium">
- <VMSinfo VKey="217244" SVKey="217244r6039" VRelease="r603932"/>
- <title text="Successful/unsuccessful attempts to modify categories of information (e.g., classification levels) must generate audit records."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_execution_rm" ownerid="SLES-12-020640" disa="2884" severity="medium">
- <VMSinfo VKey="217245" SVKey="217245r6039" VRelease="r603935"/>
- <title text="The SUSE operating system must generate audit records for all uses of the rm command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_login_events_tallylog" ownerid="SLES-12-020650" disa="2884" severity="medium">
- <VMSinfo VKey="217246" SVKey="217246r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_login_events_lastlog" ownerid="SLES-12-020660" disa="2884" severity="medium">
- <VMSinfo VKey="217247" SVKey="217247r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all modifications to the lastlog file."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_passmass" ownerid="SLES-12-020670" disa="2884" severity="medium">
- <VMSinfo VKey="217248" SVKey="217248r6039" VRelease="r603938"/>
- <title text="The SUSE operating system must generate audit records for all uses of the passmass command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_unix_chkpwd" ownerid="SLES-12-020680" disa="2884" severity="medium">
- <VMSinfo VKey="217249" SVKey="217249r6039" VRelease="r603941"/>
- <title text="The SUSE operating system must generate audit records for all uses of the unix_chkpwd command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chage" ownerid="SLES-12-020690" disa="2884" severity="medium">
- <VMSinfo VKey="217250" SVKey="217250r6039" VRelease="r603944"/>
- <title text="The SUSE operating system must generate audit records for all uses of the chage command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_usermod" ownerid="SLES-12-020700" disa="2884" severity="medium">
- <VMSinfo VKey="217251" SVKey="217251r6039" VRelease="r603947"/>
- <title text="The SUSE operating system must generate audit records for all uses of the usermod command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_crontab" ownerid="SLES-12-020710" disa="2884" severity="medium">
- <VMSinfo VKey="217252" SVKey="217252r6039" VRelease="r603950"/>
- <title text="The SUSE operating system must generate audit records for all uses of the crontab command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_pam_timestamp_check" ownerid="SLES-12-020720" disa="2884" severity="medium">
- <VMSinfo VKey="217253" SVKey="217253r6039" VRelease="r603953"/>
- <title text="The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="SLES-12-020730" disa="2884" severity="medium">
- <VMSinfo VKey="217254" SVKey="217254r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the delete_module command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_finit" ownerid="SLES-12-020740" disa="2884" severity="medium">
- <VMSinfo VKey="217255" SVKey="217255r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the finit_module command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_init" ownerid="SLES-12-020750" disa="2884" severity="medium">
- <VMSinfo VKey="217256" SVKey="217256r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all uses of the init_module command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_login_events_faillog" ownerid="SLES-12-020760" disa="2884" severity="medium">
- <VMSinfo VKey="217257" SVKey="217257r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must generate audit records for all modifications to the faillog file."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_telnet-server_removed" ownerid="SLES-12-030000" disa="381" severity="medium">
- <VMSinfo VKey="217258" SVKey="217258r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not have the telnet-server package installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="ftp_present_banner" ownerid="SLES-12-030010" disa="48" severity="medium">
- <VMSinfo VKey="217259" SVKey="217259r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SFTP/FTP."/>
- </overlay>
- <overlay owner="disastig" ruleid="banner_etc_gdm_banner" ownerid="SLES-12-030020" disa="50" severity="medium">
- <VMSinfo VKey="217260" SVKey="217260r6032" VRelease="r603262"/>
- <title text="The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text."/>
- </overlay>
- <overlay owner="disastig" ruleid="susefirewall2_only_required_services" ownerid="SLES-12-030030" disa="2080" severity="medium">
- <VMSinfo VKey="217261" SVKey="217261r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."/>
- </overlay>
- <overlay owner="disastig" ruleid="susefirewall2_ddos_protection" ownerid="SLES-12-030040" disa="2385" severity="high">
- <VMSinfo VKey="217262" SVKey="217262r6032" VRelease="r603262"/>
- <title text="SuSEfirewall2 must protect against or limit the effects of Denial-of-Service (DoS) attacks on the SUSE operating system by implementing rate-limiting measures on impacted network interfaces."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="SLES-12-030050" disa="48" severity="medium">
- <VMSinfo VKey="217263" SVKey="217263r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_sshd_enabled" ownerid="SLES-12-030100" disa="2422" severity="high">
- <VMSinfo VKey="217264" SVKey="217264r6032" VRelease="r603262"/>
- <title text="All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_set_loglevel_verbose" ownerid="SLES-12-030110" disa="67" severity="medium">
- <VMSinfo VKey="217265" SVKey="217265r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must log SSH connection attempts and failures to the server."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_print_last_log" ownerid="SLES-12-030130" disa="366" severity="medium">
- <VMSinfo VKey="217266" SVKey="217266r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-12-030140" disa="770" severity="medium">
- <VMSinfo VKey="217267" SVKey="217267r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must deny direct logons to the root account using remote access via SSH."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_empty_passwords" ownerid="SLES-12-030150" disa="366" severity="high">
- <VMSinfo VKey="217268" SVKey="217268r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not allow automatic logon via SSH."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_do_not_permit_user_env" ownerid="SLES-12-030151" disa="366" severity="medium">
- <VMSinfo VKey="217269" SVKey="217269r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not allow unattended logon via SSH."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_use_approved_ciphers" ownerid="SLES-12-030170" disa="2890" severity="medium">
- <VMSinfo VKey="217270" SVKey="217270r6039" VRelease="r603956"/>
- <title text="The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_use_approved_macs" ownerid="SLES-12-030180" disa="3123" severity="medium">
- <VMSinfo VKey="217271" SVKey="217271r6039" VRelease="r603959"/>
- <title text="The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_set_idle_timeout" ownerid="SLES-12-030190" disa="2361" severity="medium">
- <VMSinfo VKey="217272" SVKey="217272r6032" VRelease="r603262"/>
- <title text="The SUSE operating system SSH daemon must be configured with a timeout interval."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_set_keepalive" ownerid="SLES-12-030191" disa="2361" severity="medium">
- <VMSinfo VKey="217273" SVKey="217273r6039" VRelease="r603961"/>
- <title text="The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_user_known_hosts" ownerid="SLES-12-030200" disa="366" severity="medium">
- <VMSinfo VKey="217274" SVKey="217274r6032" VRelease="r603262"/>
- <title text="The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_sshd_pub_key" ownerid="SLES-12-030210" disa="366" severity="medium">
- <VMSinfo VKey="217275" SVKey="217275r6032" VRelease="r603262"/>
- <title text="The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_sshd_private_key" ownerid="SLES-12-030220" disa="366" severity="medium">
- <VMSinfo VKey="217276" SVKey="217276r6032" VRelease="r603262"/>
- <title text="The SUSE operating system SSH daemon private host key files must have mode 0600 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_enable_strictmodes" ownerid="SLES-12-030230" disa="366" severity="medium">
- <VMSinfo VKey="217277" SVKey="217277r6032" VRelease="r603262"/>
- <title text="The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_use_priv_separation" ownerid="SLES-12-030240" disa="366" severity="medium">
- <VMSinfo VKey="217278" SVKey="217278r6032" VRelease="r603262"/>
- <title text="The SUSE operating system SSH daemon must use privilege separation."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_compression" ownerid="SLES-12-030250" disa="366" severity="medium">
- <VMSinfo VKey="217279" SVKey="217279r6032" VRelease="r603262"/>
- <title text="The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_enable_x11_forwarding" ownerid="SLES-12-030260" disa="366" severity="medium">
- <VMSinfo VKey="217280" SVKey="217280r6039" VRelease="r603964"/>
- <title text="The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-12-030261" disa="366" severity="medium">
- <VMSinfo VKey="233308" SVKey="233308r6033" VRelease="r603331"/>
- <title text="The SUSE operating system SSH daemon must prevent remote hosts from connecting to the proxy display."/>
- </overlay>
- <overlay owner="disastig" ruleid="chronyd_or_ntpd_set_maxpoll" ownerid="SLES-12-030300" disa="1891" severity="medium">
- <VMSinfo VKey="217281" SVKey="217281r6032" VRelease="r603262"/>
- <title text="The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DoD time source at least every 24 hours."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_suid_privilege_function" ownerid="SLES-12-030310" disa="1890" severity="low">
- <VMSinfo VKey="217282" SVKey="217282r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT)."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_kernel_kptr_restrict" ownerid="SLES-12-030320" disa="2824" severity="medium">
- <VMSinfo VKey="217283" SVKey="217283r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_kernel_randomize_va_space" ownerid="SLES-12-030330" disa="2824" severity="medium">
- <VMSinfo VKey="217284" SVKey="217284r6032" VRelease="r603262"/>
- <title text="Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="SLES-12-030340" disa="1851" severity="medium">
- <VMSinfo VKey="217285" SVKey="217285r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_tcp_syncookies" ownerid="SLES-12-030350" disa="1095" severity="medium">
- <VMSinfo VKey="217286" SVKey="217286r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must be configured to use TCP syncookies."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_source_route" ownerid="SLES-12-030360" disa="366" severity="medium">
- <VMSinfo VKey="217287" SVKey="217287r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_source_route" ownerid="SLES-12-030361" disa="366" severity="medium">
- <VMSinfo VKey="217288" SVKey="217288r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_source_route" ownerid="SLES-12-030370" disa="366" severity="medium">
- <VMSinfo VKey="217289" SVKey="217289r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" ownerid="SLES-12-030380" disa="366" severity="medium">
- <VMSinfo VKey="217290" SVKey="217290r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_redirects" ownerid="SLES-12-030390" disa="366" severity="medium">
- <VMSinfo VKey="217291" SVKey="217291r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_redirects" ownerid="SLES-12-030400" disa="366" severity="medium">
- <VMSinfo VKey="217292" SVKey="217292r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_default_accept_source_route" ownerid="SLES-12-030401" disa="366" severity="medium">
- <VMSinfo VKey="217293" SVKey="217293r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_send_redirects" ownerid="SLES-12-030410" disa="366" severity="medium">
- <VMSinfo VKey="217294" SVKey="217294r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_send_redirects" ownerid="SLES-12-030420" disa="366" severity="medium">
- <VMSinfo VKey="217295" SVKey="217295r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_ip_forward" ownerid="SLES-12-030430" disa="366" severity="medium">
- <VMSinfo VKey="217296" SVKey="217296r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not be performing packet forwarding unless the system is a router."/>
- </overlay>
- <overlay owner="disastig" ruleid="network_sniffer_disabled" ownerid="SLES-12-030440" disa="366" severity="medium">
- <VMSinfo VKey="217297" SVKey="217297r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented."/>
- </overlay>
- <overlay owner="disastig" ruleid="wireless_disable_interfaces" ownerid="SLES-12-030450" disa="2418" severity="medium">
- <VMSinfo VKey="217298" SVKey="217298r6032" VRelease="r603262"/>
- <title text="The SUSE operating system wireless network adapters must be disabled unless approved and documented."/>
- </overlay>
- <overlay owner="disastig" ruleid="install_smartcard_packages" ownerid="SLES-12-030500" disa="1954" severity="medium">
- <VMSinfo VKey="217299" SVKey="217299r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must have the packages required for multifactor authentication to be installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="smartcard_configure_cert_checking" ownerid="SLES-12-030510" disa="1953" severity="medium">
- <VMSinfo VKey="217300" SVKey="217300r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must implement certificate status checking for multifactor authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="smartcard_pam_enabled" ownerid="SLES-12-030520" disa="1954" severity="medium">
- <VMSinfo VKey="217301" SVKey="217301r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)."/>
- </overlay>
- <overlay owner="disastig" ruleid="smartcard_configure_ca" ownerid="SLES-12-030530" disa="1991" severity="medium">
- <VMSinfo VKey="217302" SVKey="217302r6032" VRelease="r603262"/>
- <title text="The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-12-030611" disa="1668" severity="high">
- <VMSinfo VKey="222386" SVKey="222386r6032" VRelease="r603262"/>
- <title text="The SUSE operating system must use a virus scan program."/>
- </overlay>
-</overlays>
diff --git a/products/sle15/overlays/stig_overlay.xml b/products/sle15/overlays/stig_overlay.xml
deleted file mode 100644
index 2f09bcdeee5..00000000000
--- a/products/sle15/overlays/stig_overlay.xml
+++ /dev/null
@@ -1,935 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<overlays xmlns="http://checklists.nist.gov/xccdf/1.1">
- <overlay owner="disastig" ruleid="installed_OS_is_vendor_supported" ownerid="SLES-15-010000" disa="1230" severity="high">
- <VMSinfo VKey="234800" SVKey="234800r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must be a vendor-supported release."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010001" disa="1233" severity="medium">
- <VMSinfo VKey="234801" SVKey="234801r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must deploy Endpoint Security for Linux Threat Prevention (ENSLTP)."/>
- </overlay>
- <overlay owner="disastig" ruleid="security_patches_up_to_date" ownerid="SLES-15-010010" disa="1227" severity="medium">
- <VMSinfo VKey="234802" SVKey="234802r6221" VRelease="r622137"/>
- <title text="Vendor-packaged SUSE operating system security patches and updates must be installed and up to date."/>
- </overlay>
- <overlay owner="disastig" ruleid="banner_etc_issue" ownerid="SLES-15-010020" disa="48" severity="medium">
- <VMSinfo VKey="234803" SVKey="234803r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via local console."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010030" disa="381" severity="high">
- <VMSinfo VKey="234804" SVKey="234804r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not have the vsftpd package installed if not required for operational support."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="SLES-15-010040" disa="1388" severity="medium">
- <VMSinfo VKey="234805" SVKey="234805r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="SLES-15-010050" disa="50" severity="medium">
- <VMSinfo VKey="234806" SVKey="234806r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI)."/>
- </overlay>
- <overlay owner="disastig" ruleid="banner_etc_gdm_banner" ownerid="SLES-15-010060" disa="50" severity="medium">
- <VMSinfo VKey="234807" SVKey="234807r6221" VRelease="r622137"/>
- <title text="The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_banner_enabled" ownerid="SLES-15-010080" disa="1387" severity="medium">
- <VMSinfo VKey="234808" SVKey="234808r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="dconf_gnome_login_banner_text" ownerid="SLES-15-010090" disa="1388" severity="medium">
- <VMSinfo VKey="234809" SVKey="234809r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010100" disa="56" severity="medium">
- <VMSinfo VKey="234810" SVKey="234810r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must be able to lock the graphical user interface (GUI)."/>
- </overlay>
- <overlay owner="disastig" ruleid="vlock_installed" ownerid="SLES-15-010110" disa="58" severity="low">
- <VMSinfo VKey="234811" SVKey="234811r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must utilize vlock to allow for session locking."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_tmout" ownerid="SLES-15-010120" disa="57" severity="medium">
- <VMSinfo VKey="234812" SVKey="234812r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface (GUI)."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_tmout" ownerid="SLES-15-010130" disa="57" severity="medium">
- <VMSinfo VKey="234813" SVKey="234813r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must initiate a session lock after a 15-minute period of inactivity."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010140" disa="60" severity="low">
- <VMSinfo VKey="234814" SVKey="234814r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface (GUI)."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_set_loglevel_verbose" ownerid="SLES-15-010150" disa="67" severity="medium">
- <VMSinfo VKey="234815" SVKey="234815r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must log SSH connection attempts and failures to the server."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_use_approved_ciphers_ordered_stig" ownerid="SLES-15-010160" disa="68" severity="medium">
- <VMSinfo VKey="234816" SVKey="234816r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections."/>
- </overlay>
- <overlay owner="disastig" ruleid="smartcard_configure_ca" ownerid="SLES-15-010170" disa="1991" severity="medium">
- <VMSinfo VKey="234817" SVKey="234817r6221" VRelease="r622137"/>
- <title text="The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_telnet-server_removed" ownerid="SLES-15-010180" disa="381" severity="high">
- <VMSinfo VKey="234818" SVKey="234818r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not have the telnet-server package installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_password" ownerid="SLES-15-010190" disa="213" severity="high">
- <VMSinfo VKey="234819" SVKey="234819r6221" VRelease="r622137"/>
- <title text="SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes."/>
- </overlay>
- <overlay owner="disastig" ruleid="grub2_uefi_password" ownerid="SLES-15-010200" disa="213" severity="high">
- <VMSinfo VKey="234820" SVKey="234820r6221" VRelease="r622137"/>
- <title text="SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance."/>
- </overlay>
- <overlay owner="disastig" ruleid="kernel_module_dccp_disabled" ownerid="SLES-15-010220" disa="2314" severity="medium">
- <VMSinfo VKey="234821" SVKey="234821r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."/>
- </overlay>
- <overlay owner="disastig" ruleid="account_unique_id" ownerid="SLES-15-010230" disa="804" severity="medium">
- <VMSinfo VKey="234822" SVKey="234822r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_autofs_disabled" ownerid="SLES-15-010240" disa="1958" severity="medium">
- <VMSinfo VKey="234823" SVKey="234823r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must disable the file system automounter unless required."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_use_approved_ciphers_ordered_stig" ownerid="SLES-15-010250" disa="803" severity="medium">
- <VMSinfo VKey="234824" SVKey="234824r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (system-auth)."/>
- </overlay>
- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_logindefs" ownerid="SLES-15-010260" disa="803" severity="medium">
- <VMSinfo VKey="234825" SVKey="234825r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs)."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_use_approved_macs_ordered_stig" ownerid="SLES-15-010270" disa="3123" severity="medium">
- <VMSinfo VKey="234826" SVKey="234826r6221" VRelease="r622137"/>
- <title text="The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_set_idle_timeout" ownerid="SLES-15-010280" disa="2361" severity="medium">
- <VMSinfo VKey="234827" SVKey="234827r6221" VRelease="r622137"/>
- <title text="The SUSE operating system SSH daemon must be configured with a timeout interval."/>
- </overlay>
- <overlay owner="disastig" ruleid="dir_perms_world_writable_sticky_bits" ownerid="SLES-15-010300" disa="1090" severity="medium">
- <VMSinfo VKey="234828" SVKey="234828r6221" VRelease="r622137"/>
- <title text="The sticky bit must be set on all SUSE operating system world-writable directories."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_tcp_syncookies" ownerid="SLES-15-010310" disa="1095" severity="medium">
- <VMSinfo VKey="234829" SVKey="234829r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must be configured to use TCP syncookies."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_set_keepalive_0" ownerid="SLES-15-010320" disa="2361" severity="medium">
- <VMSinfo VKey="234830" SVKey="234830r6221" VRelease="r622137"/>
- <title text="The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010330" disa="2475" severity="medium">
- <VMSinfo VKey="234831" SVKey="234831r6221" VRelease="r622137"/>
- <title text="All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010340" disa="1312" severity="medium">
- <VMSinfo VKey="234832" SVKey="234832r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_var_log_messages" ownerid="SLES-15-010350" disa="1314" severity="medium">
- <VMSinfo VKey="234833" SVKey="234833r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must prevent unauthorized users from accessing system error messages."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010351" disa="1499" severity="medium">
- <VMSinfo VKey="234834" SVKey="234834r6221" VRelease="r622137"/>
- <title text="The SUSE operating system library files must have mode 0755 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010352" disa="1499" severity="medium">
- <VMSinfo VKey="234835" SVKey="234835r6221" VRelease="r622137"/>
- <title text="The SUSE operating system library directories must have mode 0755 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010353" disa="1499" severity="medium">
- <VMSinfo VKey="234836" SVKey="234836r6221" VRelease="r622137"/>
- <title text="The SUSE operating system library files must be owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010354" disa="1499" severity="medium">
- <VMSinfo VKey="234837" SVKey="234837r6221" VRelease="r622137"/>
- <title text="The SUSE operating system library directories must be owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010355" disa="1499" severity="medium">
- <VMSinfo VKey="234838" SVKey="234838r6221" VRelease="r622137"/>
- <title text="The SUSE operating system library files must be group-owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010356" disa="1499" severity="medium">
- <VMSinfo VKey="234839" SVKey="234839r6221" VRelease="r622137"/>
- <title text="The SUSE operating system library directories must be group-owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010357" disa="1499" severity="medium">
- <VMSinfo VKey="234840" SVKey="234840r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must have system commands set to a mode of 0755 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010358" disa="1499" severity="medium">
- <VMSinfo VKey="234841" SVKey="234841r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010359" disa="1499" severity="medium">
- <VMSinfo VKey="234842" SVKey="234842r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must have system commands owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010360" disa="1499" severity="medium">
- <VMSinfo VKey="234843" SVKey="234843r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must have directories that contain system commands owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010361" disa="1499" severity="medium">
- <VMSinfo VKey="234844" SVKey="234844r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must have system commands group-owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010362" disa="1499" severity="medium">
- <VMSinfo VKey="234845" SVKey="234845r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must have directories that contain system commands group-owned by root."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010370" disa="2322" severity="medium">
- <VMSinfo VKey="234846" SVKey="234846r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must have a firewall system installed to immediately disconnect or disable remote access to the whole operating system."/>
- </overlay>
- <overlay owner="disastig" ruleid="wireless_disable_interfaces" ownerid="SLES-15-010380" disa="2418" severity="medium">
- <VMSinfo VKey="234847" SVKey="234847r6221" VRelease="r622137"/>
- <title text="The SUSE operating system wireless network adapters must be disabled unless approved and documented."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010390" disa="1774" severity="medium">
- <VMSinfo VKey="234848" SVKey="234848r6221" VRelease="r622137"/>
- <title text="SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control."/>
- </overlay>
- <overlay owner="disastig" ruleid="chronyd_or_ntpd_set_maxpoll" ownerid="SLES-15-010400" disa="1891" severity="medium">
- <VMSinfo VKey="234849" SVKey="234849r6221" VRelease="r622137"/>
- <title text="The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DoD time source at least every 24 hours."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010410" disa="1890" severity="low">
- <VMSinfo VKey="234850" SVKey="234850r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT)."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_aide_installed" ownerid="SLES-15-010420" disa="2699" severity="medium">
- <VMSinfo VKey="234851" SVKey="234851r6221" VRelease="r622137"/>
- <title text="Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly."/>
- </overlay>
- <overlay owner="disastig" ruleid="ensure_gpgcheck_globally_activated" ownerid="SLES-15-010430" disa="1749" severity="high">
- <VMSinfo VKey="234852" SVKey="234852r6221" VRelease="r622137"/>
- <title text="The SUSE operating system tool zypper must have gpgcheck enabled."/>
- </overlay>
- <overlay owner="disastig" ruleid="sudo_remove_no_authenticate" ownerid="SLES-15-010450" disa="2038" severity="high">
- <VMSinfo VKey="234853" SVKey="234853r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges."/>
- </overlay>
- <overlay owner="disastig" ruleid="install_smartcard_packages" ownerid="SLES-15-010460" disa="1954" severity="medium">
- <VMSinfo VKey="234854" SVKey="234854r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must have the packages required for multifactor authentication to be installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="smartcard_configure_cert_checking" ownerid="SLES-15-010470" disa="1948" severity="medium">
- <VMSinfo VKey="234855" SVKey="234855r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must implement certificate status checking for multifactor authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="SLES-15-010480" disa="1958" severity="medium">
- <VMSinfo VKey="234856" SVKey="234856r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must disable the USB mass storage kernel module."/>
- </overlay>
- <overlay owner="disastig" ruleid="sssd_memcache_timeout" ownerid="SLES-15-010490" disa="2007" severity="medium">
- <VMSinfo VKey="234857" SVKey="234857r6221" VRelease="r622137"/>
- <title text="If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the use of cached authentications after one day."/>
- </overlay>
- <overlay owner="disastig" ruleid="sssd_offline_cred_expiration" ownerid="SLES-15-010500" disa="2007" severity="medium">
- <VMSinfo VKey="234858" SVKey="234858r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010510" disa="2450" severity="high">
- <VMSinfo VKey="234859" SVKey="234859r6221" VRelease="r622137"/>
- <title text="FIPS 140-2 mode must be enabled on the SUSE operating system."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_sshd_enabled" ownerid="SLES-15-010530" disa="2422" severity="high">
- <VMSinfo VKey="234860" SVKey="234860r6221" VRelease="r622137"/>
- <title text="All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_kernel_kptr_restrict" ownerid="SLES-15-010540" disa="2824" severity="medium">
- <VMSinfo VKey="234861" SVKey="234861r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_kernel_randomize_va_space" ownerid="SLES-15-010550" disa="2824" severity="medium">
- <VMSinfo VKey="234862" SVKey="234862r6221" VRelease="r622137"/>
- <title text="Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution."/>
- </overlay>
- <overlay owner="disastig" ruleid="clean_components_post_updating" ownerid="SLES-15-010560" disa="2617" severity="medium">
- <VMSinfo VKey="234863" SVKey="234863r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must remove all outdated software components after updated versions have been installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-010570" disa="2702" severity="medium">
- <VMSinfo VKey="234864" SVKey="234864r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must notify the System Administrator (SA) when Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation of any security functions."/>
- </overlay>
- <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="SLES-15-010580" disa="1851" severity="medium">
- <VMSinfo VKey="234865" SVKey="234865r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly."/>
- </overlay>
- <overlay owner="disastig" ruleid="account_temp_expire_date" ownerid="SLES-15-020000" disa="16" severity="medium">
- <VMSinfo VKey="234866" SVKey="234866r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must provision temporary accounts with an expiration date for 72 hours."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_tally2" ownerid="SLES-15-020010" disa="2238" severity="medium">
- <VMSinfo VKey="234867" SVKey="234867r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must lock an account after three consecutive invalid access attempts."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_max_concurrent_login_sessions" ownerid="SLES-15-020020" disa="54" severity="low">
- <VMSinfo VKey="234868" SVKey="234868r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types."/>
- </overlay>
- <overlay owner="disastig" ruleid="smartcard_pam_enabled" ownerid="SLES-15-020030" disa="768" severity="medium">
- <VMSinfo VKey="234869" SVKey="234869r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-020040" disa="770" severity="medium">
- <VMSinfo VKey="234870" SVKey="234870r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must deny direct logons to the root account using remote access via SSH."/>
- </overlay>
- <overlay owner="disastig" ruleid="account_disable_post_pw_expiration" ownerid="SLES-15-020050" disa="795" severity="medium">
- <VMSinfo VKey="234871" SVKey="234871r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration."/>
- </overlay>
- <overlay owner="disastig" ruleid="account_emergency_admin" ownerid="SLES-15-020060" disa="1682" severity="medium">
- <VMSinfo VKey="234872" SVKey="234872r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must never automatically remove or disable emergency administrator accounts."/>
- </overlay>
- <overlay owner="disastig" ruleid="display_login_attempts" ownerid="SLES-15-020080" disa="366" severity="low">
- <VMSinfo VKey="234873" SVKey="234873r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must display the date and time of the last successful account logon upon logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_authorized_local_users" ownerid="SLES-15-020090" disa="366" severity="medium">
- <VMSinfo VKey="234874" SVKey="234874r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not have unnecessary accounts."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-020091" disa="366" severity="medium">
- <VMSinfo VKey="234875" SVKey="234875r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not have unnecessary account capabilities."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-020100" disa="366" severity="high">
- <VMSinfo VKey="234876" SVKey="234876r6221" VRelease="r622137"/>
- <title text="The SUSE operating system root account must be the only account with unrestricted access to the system."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-020101" disa="366" severity="medium">
- <VMSinfo VKey="234877" SVKey="234877r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must restrict privilege elevation to authorized personnel."/>
- </overlay>
- <overlay owner="disastig" ruleid="sudo_remove_no_authenticate" ownerid="SLES-15-020102" disa="2038" severity="medium">
- <VMSinfo VKey="234878" SVKey="234878r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must require re-authentication when using the &quot;sudo&quot; command."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-020103" disa="366" severity="medium">
- <VMSinfo VKey="234879" SVKey="234879r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must use the invoking user's password for privilege escalation when using &quot;sudo&quot;."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_have_homedir_login_defs" ownerid="SLES-15-020110" disa="366" severity="medium">
- <VMSinfo VKey="234880" SVKey="234880r6221" VRelease="r622137"/>
- <title text="All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_print_last_log" ownerid="SLES-15-020120" disa="366" severity="medium">
- <VMSinfo VKey="234881" SVKey="234881r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-020130" disa="192" severity="medium">
- <VMSinfo VKey="234882" SVKey="234882r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must enforce passwords that contain at least one uppercase character."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-020140" disa="193" severity="medium">
- <VMSinfo VKey="234883" SVKey="234883r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must enforce passwords that contain at least one lowercase character."/>
- </overlay>
- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_dcredit" ownerid="SLES-15-020150" disa="194" severity="medium">
- <VMSinfo VKey="234884" SVKey="234884r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must enforce passwords that contain at least one numeric character."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-020160" disa="195" severity="medium">
- <VMSinfo VKey="234885" SVKey="234885r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must require the change of at least eight of the total number of characters when passwords are changed."/>
- </overlay>
- <overlay owner="disastig" ruleid="set_password_hashing_algorithm_systemauth" ownerid="SLES-15-020170" disa="196" severity="medium">
- <VMSinfo VKey="234886" SVKey="234886r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_all_shadowed_sha512" ownerid="SLES-15-020180" disa="803" severity="medium">
- <VMSinfo VKey="234887" SVKey="234887r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-020190" disa="803" severity="medium">
- <VMSinfo VKey="234888" SVKey="234888r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-020200" disa="198" severity="medium">
- <VMSinfo VKey="234889" SVKey="234889r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day)."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-020210" disa="198" severity="medium">
- <VMSinfo VKey="234890" SVKey="234890r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day)."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_maximum_age_login_defs" ownerid="SLES-15-020220" disa="199" severity="medium">
- <VMSinfo VKey="234891" SVKey="234891r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_password_set_max_life_existing" ownerid="SLES-15-020230" disa="199" severity="medium">
- <VMSinfo VKey="234892" SVKey="234892r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must employ user passwords with a maximum lifetime of 60 days."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_etc_security_opasswd" ownerid="SLES-15-020240" disa="200" severity="medium">
- <VMSinfo VKey="234893" SVKey="234893r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must employ a password history file."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-020250" disa="200" severity="medium">
- <VMSinfo VKey="234894" SVKey="234894r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not allow passwords to be reused for a minimum of five generations."/>
- </overlay>
- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_minlen" ownerid="SLES-15-020260" disa="205" severity="medium">
- <VMSinfo VKey="234895" SVKey="234895r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must employ passwords with a minimum of 15 characters."/>
- </overlay>
- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_ocredit" ownerid="SLES-15-020270" disa="1619" severity="medium">
- <VMSinfo VKey="234896" SVKey="234896r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must enforce passwords that contain at least one special character."/>
- </overlay>
- <overlay owner="disastig" ruleid="cracklib_accounts_password_pam_retry" ownerid="SLES-15-020290" disa="366" severity="medium">
- <VMSinfo VKey="234897" SVKey="234897r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must prevent the use of dictionary words for passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_empty_passwords" ownerid="SLES-15-020300" disa="366" severity="high">
- <VMSinfo VKey="234898" SVKey="234898r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not be configured to allow blank or null passwords."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="SLES-15-030000" disa="1686" severity="medium">
- <VMSinfo VKey="234899" SVKey="234899r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_group" ownerid="SLES-15-030010" disa="172" severity="medium">
- <VMSinfo VKey="234900" SVKey="234900r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_shadow" ownerid="SLES-15-030020" disa="2132" severity="medium">
- <VMSinfo VKey="234901" SVKey="234901r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="SLES-15-030030" disa="1403" severity="medium">
- <VMSinfo VKey="234902" SVKey="234902r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_gshadow" ownerid="SLES-15-030040" disa="2130" severity="medium">
- <VMSinfo VKey="234903" SVKey="234903r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="SLES-15-030050" disa="2884" severity="medium">
- <VMSinfo VKey="234904" SVKey="234904r6221" VRelease="r622137"/>
- <title text="SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_ssh_keysign" ownerid="SLES-15-030060" disa="2884" severity="low">
- <VMSinfo VKey="234905" SVKey="234905r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the ssh-keysign command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_passwd" ownerid="SLES-15-030070" disa="2884" severity="medium">
- <VMSinfo VKey="234906" SVKey="234906r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the passwd command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_gpasswd" ownerid="SLES-15-030080" disa="2884" severity="low">
- <VMSinfo VKey="234907" SVKey="234907r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the gpasswd command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_newgrp" ownerid="SLES-15-030090" disa="2884" severity="low">
- <VMSinfo VKey="234908" SVKey="234908r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the newgrp command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chsh" ownerid="SLES-15-030100" disa="2884" severity="low">
- <VMSinfo VKey="234909" SVKey="234909r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for a uses of the chsh command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030110" disa="2884" severity="medium">
- <VMSinfo VKey="234910" SVKey="234910r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the unix_chkpwd or unix2_chkpwd commands."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chage" ownerid="SLES-15-030120" disa="2884" severity="medium">
- <VMSinfo VKey="234911" SVKey="234911r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the chage command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_crontab" ownerid="SLES-15-030130" disa="2884" severity="medium">
- <VMSinfo VKey="234912" SVKey="234912r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the crontab command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030140" disa="2884" severity="medium">
- <VMSinfo VKey="234913" SVKey="234913r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030150" disa="2884" severity="medium">
- <VMSinfo VKey="234914" SVKey="234914r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the open system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030160" disa="2884" severity="medium">
- <VMSinfo VKey="234915" SVKey="234915r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the creat system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030170" disa="2884" severity="medium">
- <VMSinfo VKey="234916" SVKey="234916r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the openat system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030180" disa="2884" severity="medium">
- <VMSinfo VKey="234917" SVKey="234917r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the open_by_handle_at system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030190" disa="2884" severity="medium">
- <VMSinfo VKey="234918" SVKey="234918r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the removexattr system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030200" disa="2884" severity="medium">
- <VMSinfo VKey="234919" SVKey="234919r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the lremovexattr system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030210" disa="2884" severity="medium">
- <VMSinfo VKey="234920" SVKey="234920r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the fremovexattr system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030220" disa="2884" severity="medium">
- <VMSinfo VKey="234921" SVKey="234921r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the setxattr system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030230" disa="2884" severity="medium">
- <VMSinfo VKey="234922" SVKey="234922r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the fsetxattr system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030240" disa="2884" severity="medium">
- <VMSinfo VKey="234923" SVKey="234923r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the lsetxattr system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030250" disa="2884" severity="medium">
- <VMSinfo VKey="234924" SVKey="234924r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the chown system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030260" disa="2884" severity="medium">
- <VMSinfo VKey="234925" SVKey="234925r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the fchown system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030270" disa="2884" severity="medium">
- <VMSinfo VKey="234926" SVKey="234926r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the lchown system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030280" disa="2884" severity="medium">
- <VMSinfo VKey="234927" SVKey="234927r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the fchownat system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030290" disa="2884" severity="medium">
- <VMSinfo VKey="234928" SVKey="234928r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the chmod system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030300" disa="2884" severity="medium">
- <VMSinfo VKey="234929" SVKey="234929r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the fchmod system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030310" disa="2884" severity="medium">
- <VMSinfo VKey="234930" SVKey="234930r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the fchmodat system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030320" disa="2884" severity="medium">
- <VMSinfo VKey="234931" SVKey="234931r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the ftruncate system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030330" disa="2884" severity="medium">
- <VMSinfo VKey="234932" SVKey="234932r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the sudoedit command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chfn" ownerid="SLES-15-030340" disa="2884" severity="low">
- <VMSinfo VKey="234933" SVKey="234933r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the chfn command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030350" disa="2884" severity="low">
- <VMSinfo VKey="234934" SVKey="234934r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the mount system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030360" disa="2884" severity="low">
- <VMSinfo VKey="234935" SVKey="234935r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the umount system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_ssh_agent" ownerid="SLES-15-030370" disa="2884" severity="low">
- <VMSinfo VKey="234936" SVKey="234936r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the ssh-agent command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030380" disa="2884" severity="medium">
- <VMSinfo VKey="234937" SVKey="234937r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the insmod command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030390" disa="2884" severity="medium">
- <VMSinfo VKey="234938" SVKey="234938r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the rmmod command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030400" disa="2884" severity="medium">
- <VMSinfo VKey="234939" SVKey="234939r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the modprobe command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_kmod" ownerid="SLES-15-030410" disa="2884" severity="medium">
- <VMSinfo VKey="234940" SVKey="234940r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the kmod command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_dac_modification_chmod" ownerid="SLES-15-030420" disa="2884" severity="medium">
- <VMSinfo VKey="234941" SVKey="234941r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the chmod command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_execution_setfacl" ownerid="SLES-15-030430" disa="2884" severity="medium">
- <VMSinfo VKey="234942" SVKey="234942r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the setfacl command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_execution_chacl" ownerid="SLES-15-030440" disa="2884" severity="medium">
- <VMSinfo VKey="234943" SVKey="234943r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the chacl command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030450" disa="2884" severity="medium">
- <VMSinfo VKey="234944" SVKey="234944r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the chcon command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_execution_rm" ownerid="SLES-15-030460" disa="2884" severity="medium">
- <VMSinfo VKey="234945" SVKey="234945r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the rm command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_login_events_tallylog" ownerid="SLES-15-030470" disa="2884" severity="medium">
- <VMSinfo VKey="234946" SVKey="234946r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_login_events_lastlog" ownerid="SLES-15-030480" disa="2884" severity="medium">
- <VMSinfo VKey="234947" SVKey="234947r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all modifications to the lastlog file."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_passmass" ownerid="SLES-15-030490" disa="2884" severity="medium">
- <VMSinfo VKey="234948" SVKey="234948r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the passmass command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_usermod" ownerid="SLES-15-030500" disa="2884" severity="medium">
- <VMSinfo VKey="234949" SVKey="234949r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the usermod command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_pam_timestamp_check" ownerid="SLES-15-030510" disa="2884" severity="medium">
- <VMSinfo VKey="234950" SVKey="234950r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030520" disa="2884" severity="medium">
- <VMSinfo VKey="234951" SVKey="234951r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the delete_module system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030530" disa="2884" severity="medium">
- <VMSinfo VKey="234952" SVKey="234952r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the finit_module system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030540" disa="2884" severity="medium">
- <VMSinfo VKey="234953" SVKey="234953r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the init_module system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_su" ownerid="SLES-15-030550" disa="2884" severity="medium">
- <VMSinfo VKey="234954" SVKey="234954r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the su command."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="SLES-15-030560" disa="2884" severity="low">
- <VMSinfo VKey="234955" SVKey="234955r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the sudo command."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_data_retention_action_mail_acct" ownerid="SLES-15-030570" disa="139" severity="medium">
- <VMSinfo VKey="234956" SVKey="234956r6221" VRelease="r622137"/>
- <title text="The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event."/>
- </overlay>
- <overlay owner="disastig" ruleid="postfix_client_configure_mail_alias" ownerid="SLES-15-030580" disa="139" severity="medium">
- <VMSinfo VKey="234957" SVKey="234957r6221" VRelease="r622137"/>
- <title text="The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_data_disk_full_action" ownerid="SLES-15-030590" disa="140" severity="medium">
- <VMSinfo VKey="234958" SVKey="234958r6221" VRelease="r622137"/>
- <title text="The SUSE operating system audit system must take appropriate action when the audit storage volume is full."/>
- </overlay>
- <overlay owner="disastig" ruleid="permissions_local_var_log_audit" ownerid="SLES-15-030600" disa="164" severity="medium">
- <VMSinfo VKey="234959" SVKey="234959r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must protect audit rules from unauthorized modification."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_truncate" ownerid="SLES-15-030610" disa="172" severity="medium">
- <VMSinfo VKey="234960" SVKey="234960r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the truncate command."/>
- </overlay>
- <overlay owner="disastig" ruleid="permissions_local_audit_binaries" ownerid="SLES-15-030620" disa="1495" severity="medium">
- <VMSinfo VKey="234961" SVKey="234961r6221" VRelease="r622137"/>
- <title text="The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_check_audit_tools" ownerid="SLES-15-030630" disa="1496" severity="medium">
- <VMSinfo VKey="234962" SVKey="234962r6221" VRelease="r622137"/>
- <title text="The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools."/>
- </overlay>
- <overlay owner="disastig" ruleid="audit_rules_suid_privilege_function" ownerid="SLES-15-030640" disa="1875" severity="low">
- <VMSinfo VKey="234963" SVKey="234963r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the privileged functions."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_audit_installed" ownerid="SLES-15-030650" disa="1878" severity="medium">
- <VMSinfo VKey="234964" SVKey="234964r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must have the auditing package installed."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_var_log_audit" ownerid="SLES-15-030660" disa="1849" severity="medium">
- <VMSinfo VKey="234965" SVKey="234965r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility."/>
- </overlay>
- <overlay owner="disastig" ruleid="package_audit-audispd-plugins_installed" ownerid="SLES-15-030670" disa="1851" severity="medium">
- <VMSinfo VKey="234966" SVKey="234966r6221" VRelease="r622137"/>
- <title text="The audit-audispd-plugins must be installed on the SUSE operating system."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="SLES-15-030680" disa="1851" severity="low">
- <VMSinfo VKey="234967" SVKey="234967r6221" VRelease="r622137"/>
- <title text="The SUSE operating system audit event multiplexor must be configured to use Kerberos."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="SLES-15-030690" disa="1851" severity="low">
- <VMSinfo VKey="234968" SVKey="234968r6221" VRelease="r622137"/>
- <title text="Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_data_retention_space_left" ownerid="SLES-15-030700" disa="1855" severity="medium">
- <VMSinfo VKey="234969" SVKey="234969r6221" VRelease="r622137"/>
- <title text="The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-030710" disa="172" severity="medium">
- <VMSinfo VKey="234970" SVKey="234970r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the rename system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-030720" disa="172" severity="medium">
- <VMSinfo VKey="234971" SVKey="234971r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the renameat system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-030730" disa="172" severity="medium">
- <VMSinfo VKey="234972" SVKey="234972r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the renameat2 system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-030740" disa="172" severity="medium">
- <VMSinfo VKey="234973" SVKey="234973r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the unlink system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-030750" disa="172" severity="medium">
- <VMSinfo VKey="234974" SVKey="234974r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for all uses of the unlinkat system call."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-030760" disa="172" severity="medium">
- <VMSinfo VKey="234975" SVKey="234975r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for the /run/utmp file."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-030770" disa="172" severity="medium">
- <VMSinfo VKey="234976" SVKey="234976r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for the /var/log/wtmp file."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-030780" disa="172" severity="medium">
- <VMSinfo VKey="234977" SVKey="234977r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must generate audit records for the /var/log/btmp file."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="SLES-15-030790" disa="1851" severity="medium">
- <VMSinfo VKey="234978" SVKey="234978r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must off-load audit records onto a different system or media from the system being audited."/>
- </overlay>
- <overlay owner="disastig" ruleid="auditd_audispd_disk_full_action" ownerid="SLES-15-030800" disa="1851" severity="medium">
- <VMSinfo VKey="234979" SVKey="234979r6221" VRelease="r622137"/>
- <title text="Audispd must take appropriate action when the SUSE operating system audit storage is full."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_var_log_audit" ownerid="SLES-15-030810" disa="366" severity="low">
- <VMSinfo VKey="234980" SVKey="234980r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must use a separate file system for the system audit data path."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-030820" disa="366" severity="medium">
- <VMSinfo VKey="234981" SVKey="234981r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not disable syscall auditing."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_passwords_pam_faildelay_delay" ownerid="SLES-15-040000" disa="366" severity="medium">
- <VMSinfo VKey="234982" SVKey="234982r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-040010" disa="366" severity="medium">
- <VMSinfo VKey="234983" SVKey="234983r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_user_host_based_files" ownerid="SLES-15-040020" disa="366" severity="high">
- <VMSinfo VKey="234984" SVKey="234984r6221" VRelease="r622137"/>
- <title text="There must be no .shosts files on the SUSE operating system."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_host_based_files" ownerid="SLES-15-040030" disa="366" severity="high">
- <VMSinfo VKey="234985" SVKey="234985r6221" VRelease="r622137"/>
- <title text="There must be no shosts.equiv files on the SUSE operating system."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_verify_acls" ownerid="SLES-15-040040" disa="366" severity="low">
- <VMSinfo VKey="234986" SVKey="234986r6221" VRelease="r622137"/>
- <title text="The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs)."/>
- </overlay>
- <overlay owner="disastig" ruleid="aide_verify_ext_attributes" ownerid="SLES-15-040050" disa="366" severity="low">
- <VMSinfo VKey="234987" SVKey="234987r6221" VRelease="r622137"/>
- <title text="The SUSE operating system file integrity tool must be configured to verify extended attributes."/>
- </overlay>
- <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" ownerid="SLES-15-040060" disa="366" severity="high">
- <VMSinfo VKey="234988" SVKey="234988r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040061" disa="366" severity="high">
- <VMSinfo VKey="234989" SVKey="234989r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040062" disa="366" severity="high">
- <VMSinfo VKey="234990" SVKey="234990r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_defined" ownerid="SLES-15-040070" disa="366" severity="medium">
- <VMSinfo VKey="234991" SVKey="234991r6221" VRelease="r622137"/>
- <title text="All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_exists" ownerid="SLES-15-040080" disa="366" severity="medium">
- <VMSinfo VKey="234992" SVKey="234992r6221" VRelease="r622137"/>
- <title text="All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_home_directories" ownerid="SLES-15-040090" disa="366" severity="medium">
- <VMSinfo VKey="234993" SVKey="234993r6221" VRelease="r622137"/>
- <title text="All SUSE operating system local interactive user home directories must have mode 0750 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040100" disa="366" severity="medium">
- <VMSinfo VKey="234994" SVKey="234994r6221" VRelease="r622137"/>
- <title text="All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permission_user_init_files" ownerid="SLES-15-040110" disa="366" severity="medium">
- <VMSinfo VKey="234995" SVKey="234995r6221" VRelease="r622137"/>
- <title text="All SUSE operating system local initialization files must have mode 0740 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_home_paths_only" ownerid="SLES-15-040120" disa="366" severity="medium">
- <VMSinfo VKey="234996" SVKey="234996r6221" VRelease="r622137"/>
- <title text="All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_user_dot_no_world_writable_programs" ownerid="SLES-15-040130" disa="366" severity="medium">
- <VMSinfo VKey="234997" SVKey="234997r6221" VRelease="r622137"/>
- <title text="All SUSE operating system local initialization files must not execute world-writable programs."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_home_nosuid" ownerid="SLES-15-040140" disa="366" severity="medium">
- <VMSinfo VKey="234998" SVKey="234998r6221" VRelease="r622137"/>
- <title text="SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_nosuid_removable_partitions" ownerid="SLES-15-040150" disa="366" severity="medium">
- <VMSinfo VKey="234999" SVKey="234999r6221" VRelease="r622137"/>
- <title text="SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_nosuid_remote_filesystems" ownerid="SLES-15-040160" disa="366" severity="medium">
- <VMSinfo VKey="235000" SVKey="235000r6221" VRelease="r622137"/>
- <title text="SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed."/>
- </overlay>
- <overlay owner="disastig" ruleid="mount_option_noexec_remote_filesystems" ownerid="SLES-15-040170" disa="366" severity="medium">
- <VMSinfo VKey="235001" SVKey="235001r6221" VRelease="r622137"/>
- <title text="SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed."/>
- </overlay>
- <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned_group" ownerid="SLES-15-040180" disa="366" severity="medium">
- <VMSinfo VKey="235002" SVKey="235002r6221" VRelease="r622137"/>
- <title text="All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group."/>
- </overlay>
- <overlay owner="disastig" ruleid="service_kdump_disabled" ownerid="SLES-15-040190" disa="366" severity="medium">
- <VMSinfo VKey="235003" SVKey="235003r6221" VRelease="r622137"/>
- <title text="SUSE operating system kernel core dumps must be disabled unless needed."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_home" ownerid="SLES-15-040200" disa="366" severity="low">
- <VMSinfo VKey="235004" SVKey="235004r6221" VRelease="r622137"/>
- <title text="A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent)."/>
- </overlay>
- <overlay owner="disastig" ruleid="partition_for_var" ownerid="SLES-15-040210" disa="366" severity="low">
- <VMSinfo VKey="235005" SVKey="235005r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must use a separate file system for /var."/>
- </overlay>
- <overlay owner="disastig" ruleid="pam_disable_automatic_configuration" ownerid="SLES-15-040220" disa="366" severity="medium">
- <VMSinfo VKey="235006" SVKey="235006r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_user_known_hosts" ownerid="SLES-15-040230" disa="366" severity="medium">
- <VMSinfo VKey="235007" SVKey="235007r6221" VRelease="r622137"/>
- <title text="The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_sshd_pub_key" ownerid="SLES-15-040240" disa="366" severity="medium">
- <VMSinfo VKey="235008" SVKey="235008r6221" VRelease="r622137"/>
- <title text="The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_sshd_private_key" ownerid="SLES-15-040250" disa="366" severity="medium">
- <VMSinfo VKey="235009" SVKey="235009r6221" VRelease="r622137"/>
- <title text="The SUSE operating system SSH daemon private host key files must have mode 0600 or less permissive."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_enable_strictmodes" ownerid="SLES-15-040260" disa="366" severity="medium">
- <VMSinfo VKey="235010" SVKey="235010r6221" VRelease="r622137"/>
- <title text="The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_use_priv_separation" ownerid="SLES-15-040270" disa="366" severity="medium">
- <VMSinfo VKey="235011" SVKey="235011r6221" VRelease="r622137"/>
- <title text="The SUSE operating system SSH daemon must use privilege separation."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_compression" ownerid="SLES-15-040280" disa="366" severity="medium">
- <VMSinfo VKey="235012" SVKey="235012r6221" VRelease="r622137"/>
- <title text="The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040290" disa="366" severity="medium">
- <VMSinfo VKey="235013" SVKey="235013r6221" VRelease="r622137"/>
- <title text="The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_source_route" ownerid="SLES-15-040300" disa="366" severity="medium">
- <VMSinfo VKey="235014" SVKey="235014r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_source_route" ownerid="SLES-15-040310" disa="366" severity="medium">
- <VMSinfo VKey="235015" SVKey="235015r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_source_route" ownerid="SLES-15-040320" disa="366" severity="medium">
- <VMSinfo VKey="235016" SVKey="235016r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040321" disa="366" severity="medium">
- <VMSinfo VKey="235017" SVKey="235017r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_redirects" ownerid="SLES-15-040330" disa="366" severity="medium">
- <VMSinfo VKey="235018" SVKey="235018r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_redirects" ownerid="SLES-15-040340" disa="366" severity="medium">
- <VMSinfo VKey="235019" SVKey="235019r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040341" disa="366" severity="medium">
- <VMSinfo VKey="235020" SVKey="235020r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_default_accept_source_route" ownerid="SLES-15-040350" disa="366" severity="medium">
- <VMSinfo VKey="235021" SVKey="235021r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_send_redirects" ownerid="SLES-15-040360" disa="366" severity="medium">
- <VMSinfo VKey="235022" SVKey="235022r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default."/>
- </overlay>
- <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_send_redirects" ownerid="SLES-15-040370" disa="366" severity="medium">
- <VMSinfo VKey="235023" SVKey="235023r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040380" disa="366" severity="medium">
- <VMSinfo VKey="235024" SVKey="235024r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040381" disa="366" severity="medium">
- <VMSinfo VKey="235025" SVKey="235025r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router."/>
- </overlay>
- <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="SLES-15-040382" disa="366" severity="medium">
- <VMSinfo VKey="235026" SVKey="235026r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router."/>
- </overlay>
- <overlay owner="disastig" ruleid="network_sniffer_disabled" ownerid="SLES-15-040390" disa="366" severity="medium">
- <VMSinfo VKey="235027" SVKey="235027r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented."/>
- </overlay>
- <overlay owner="disastig" ruleid="no_files_unowned_by_user" ownerid="SLES-15-040400" disa="1230" severity="medium">
- <VMSinfo VKey="235028" SVKey="235028r6221" VRelease="r622137"/>
- <title text="All SUSE operating system files and directories must have a valid owner."/>
- </overlay>
- <overlay owner="disastig" ruleid="file_permissions_ungroupowned" ownerid="SLES-15-040410" disa="1230" severity="medium">
- <VMSinfo VKey="235029" SVKey="235029r6221" VRelease="r622137"/>
- <title text="All SUSE operating system files and directories must have a valid group owner."/>
- </overlay>
- <overlay owner="disastig" ruleid="accounts_umask_etc_login_defs" ownerid="SLES-15-040420" disa="366" severity="medium">
- <VMSinfo VKey="235030" SVKey="235030r6221" VRelease="r622137"/>
- <title text="The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-040430" disa="366" severity="high">
- <VMSinfo VKey="235031" SVKey="235031r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not allow unattended or automatic logon via the graphical user interface (GUI)."/>
- </overlay>
- <overlay owner="disastig" ruleid="XXXX" ownerid="SLES-15-040440" disa="366" severity="high">
- <VMSinfo VKey="235032" SVKey="235032r6221" VRelease="r622137"/>
- <title text="The SUSE operating system must not allow unattended or automatic logon via SSH."/>
- </overlay>
-</overlays>
diff --git a/products/vsel/overlays/stig_overlay.xml b/products/vsel/overlays/stig_overlay.xml
deleted file mode 100644
index 0f94e305d86..00000000000
--- a/products/vsel/overlays/stig_overlay.xml
+++ /dev/null
@@ -1,159 +0,0 @@
-<?xml version="1.0"?>
-<overlays xmlns="http://checklists.nist.gov/xccdf/1.1">
- <overlay owner="disastig" ruleid="web_client_disabled" ownerid="DTAVSEL-000" disa="1813" severity="medium">
- <VMSinfo VKey="62791" SVKey="77281" VRelease="1" />
- <title>The McAfee VirusScan Enterprise for Linux Web interface must be disabled unless the system is on a segregated network.</title>
- </overlay>
- <overlay owner="disastig" ruleid="dats_updated" ownerid="DTAVSEL-001" disa="1240" severity="high">
- <VMSinfo VKey="63071" SVKey="77561" VRelease="1" />
- <title>The anti-virus signature file age must not exceed 7 days.</title>
- </overlay>
- <overlay owner="disastig" ruleid="dats_auto_update" ownerid="DTAVSEL-002" disa="1240" severity="medium">
- <VMSinfo VKey="63073" SVKey="77563" VRelease="1" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to receive automatic updates.</title>
- </overlay>
- <overlay owner="disastig" ruleid="oas_enabled" ownerid="DTAVSEL-003" disa="1243" severity="high">
- <VMSinfo VKey="63075" SVKey="77565" VRelease="1" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to enable On-Access scanning.</title>
- </overlay>
- <overlay owner="disastig" ruleid="oas_decompArchive" ownerid="DTAVSEL-004" disa="1243" severity="medium">
- <VMSinfo VKey="63077" SVKey="77567" VRelease="1" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to decompress archives when scanning.</title>
- </overlay>
- <overlay owner="disastig" ruleid="oas_heuristicAnalysis" ownerid="DTAVSEL-005" disa="1243" severity="medium">
- <VMSinfo VKey="63079" SVKey="77569" VRelease="1" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown program viruses.</title>
- </overlay>
- <overlay owner="disastig" ruleid="oas_macroAnalysis" ownerid="DTAVSEL-006" disa="1243" severity="medium">
- <VMSinfo VKey="63081" SVKey="77571" VRelease="1" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown macro viruses.</title>
- </overlay>
- <overlay owner="disastig" ruleid="oas_program" ownerid="DTAVSEL-007" disa="1243" severity="medium">
- <VMSinfo VKey="63083" SVKey="77573" VRelease="1" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find potentially unwanted programs.</title>
- </overlay>
- <overlay owner="disastig" ruleid="oas_scanOnWrite" ownerid="DTAVSEL-008" disa="1243" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being written to disk.</title>
- </overlay>
- <overlay owner="disastig" ruleid="oas_scanOnRead" ownerid="DTAVSEL-009" disa="1243" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being read from disk.</title>
- </overlay>
- <overlay owner="disastig" ruleid="oas_allFiles" ownerid="DTAVSEL-010" disa="1243" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan all file types.</title>
- </overlay>
- <overlay owner="disastig" ruleid="oas_scanMaxTmo" ownerid="DTAVSEL-011" disa="1243" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner maximum scan time must not be less than 45 seconds.</title>
- </overlay>
- <overlay owner="disastig" ruleid="oas_exclusions" ownerid="DTAVSEL-012" disa="1243" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must only be configured with exclusions that are documented and approved by the ISSO/ISSM/AO.</title>
- </overlay>
- <overlay owner="disastig" ruleid="oas_action_app_primary" ownerid="DTAVSEL-013" disa="1243" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean as first action when a virus or Trojan is detected.</title>
- </overlay>
- <overlay owner="disastig" ruleid="oas_action_app_secondary" ownerid="DTAVSEL-014" disa="1243" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Quarantine if first action fails when a virus or Trojan is detected.</title>
- </overlay>
- <overlay owner="disastig" ruleid="oas_action_default_primary" ownerid="DTAVSEL-015" disa="1243" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean as first action when programs and jokes are found.</title>
- </overlay>
- <overlay owner="disastig" ruleid="oas_action_default_secondary" ownerid="DTAVSEL-016" disa="1243" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Quarantine if first action fails when programs and jokes are found.</title>
- </overlay>
- <overlay owner="disastig" ruleid="oas_action_error" ownerid="DTAVSEL-017" disa="1243" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to deny access to the file if an error occurs during scanning.</title>
- </overlay>
- <overlay owner="disastig" ruleid="oas_action_timeout" ownerid="DTAVSEL-018" disa="1243" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to allow access to files if scanning times out.</title>
- </overlay>
- <overlay owner="disastig" ruleid="oas_scanNWFiles" ownerid="DTAVSEL-019" disa="1242" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be enabled to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed.</title>
- </overlay>
- <overlay owner="disastig" ruleid="ods_enabled" ownerid="DTAVSEL-100" disa="1241" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to run a scheduled On-Demand scan at least once a week.</title>
- </overlay>
- <overlay owner="disastig" ruleid="ods_decompArchive" ownerid="DTAVSEL-101" disa="1241" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decompress archives when scanning.</title>
- </overlay>
- <overlay owner="disastig" ruleid="ods_heuristicAnalysis" ownerid="DTAVSEL-102" disa="1241" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown program viruses.</title>
- </overlay>
- <overlay owner="disastig" ruleid="ods_macroAnalysis" ownerid="DTAVSEL-103" disa="1241" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown macro viruses.</title>
- </overlay>
- <overlay owner="disastig" ruleid="ods_program" ownerid="DTAVSEL-104" disa="1241" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find potentially unwanted programs.</title>
- </overlay>
- <overlay owner="disastig" ruleid="ods_allFiles" ownerid="DTAVSEL-105" disa="1241" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to scan all file types.</title>
- </overlay>
- <overlay owner="disastig" ruleid="ods_action_app_primary" ownerid="DTAVSEL-106" disa="1241" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean infected files automatically as first action when a virus or Trojan is detected.</title>
- </overlay>
- <overlay owner="disastig" ruleid="ods_action_app_secondary" ownerid="DTAVSEL-107" disa="1241" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when a virus or Trojan is detected.</title>
- </overlay>
- <overlay owner="disastig" ruleid="ods_exclusions" ownerid="DTAVSEL-108" disa="1241" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must only be configured with exclusions that are documented and approved by the ISSO/ISSM/AO.</title>
- </overlay>
- <overlay owner="disastig" ruleid="ods_action_default_primary" ownerid="DTAVSEL-110" disa="1241" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean infected files automatically as first action when programs and jokes are found.</title>
- </overlay>
- <overlay owner="disastig" ruleid="ods_action_default_secondary" ownerid="DTAVSEL-111" disa="1241" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found.</title>
- </overlay>
- <overlay owner="disastig" ruleid="ods_mime" ownerid="DTAVSEL-112" disa="1241" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decode MIME encoded files.</title>
- </overlay>
- <overlay owner="disastig" ruleid="ods_scanNWFiles_local" ownerid="DTAVSEL-113" disa="1241" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to include all local drives and their sub-directories.</title>
- </overlay>
- <overlay owner="disastig" ruleid="ods_scanNWFiles" ownerid="DTAVSEL-114" disa="1242" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be enabled to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed.</title>
- </overlay>
- <overlay owner="disastig" ruleid="scanned_media" ownerid="DTAVSEL-200" disa="870" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must scan all media used for system maintenance prior to use.</title>
- </overlay>
- <overlay owner="disastig" ruleid="updates_source" ownerid="DTAVSEL-201" disa="1749" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The McAfee VirusScan Enterprise must be configured to receive all patches, service packs and updates from a DoD-managed source.</title>
- </overlay>
- <overlay owner="disastig" ruleid="restricted_user" ownerid="DTAVSEL-202" disa="2235" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>The nails user and nailsgroup group must be restricted to the least privilege access required for the intended role.</title>
- </overlay>
- <overlay owner="disastig" ruleid="virus_notification" ownerid="DTAVSEL-205" disa="1240" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>SMTP email notification must be enabled to ensure administrators are notified of out of date DAT, detected malware and error codes.</title>
- </overlay>
- <overlay owner="disastig" ruleid="web_client_firewalled" ownerid="DTAVSEL-301" disa="1813" severity="medium">
- <VMSinfo VKey="" SVKey="" VRelease="" />
- <title>Access to the McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x Web UI must be enforced by firewall rules.</title>
- </overlay>
-</overlays>
\ No newline at end of file
From c0f58c6c4be7e62795e5b6ef39d6ecf0e92abf9e Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 26 Jul 2021 18:07:38 +0200
Subject: [PATCH 06/10] Update DISA STIG Firefox manual benchmark file.
---
.../disa-stig-firefox-v4r11-xccdf-manual.xml | 159 ------------------
.../disa-stig-firefox-v5r1-xccdf-manual.xml | 120 +++++++++++++
2 files changed, 120 insertions(+), 159 deletions(-)
delete mode 100644 shared/references/disa-stig-firefox-v4r11-xccdf-manual.xml
create mode 100644 shared/references/disa-stig-firefox-v5r1-xccdf-manual.xml
diff --git a/shared/references/disa-stig-firefox-v4r11-xccdf-manual.xml b/shared/references/disa-stig-firefox-v4r11-xccdf-manual.xml
deleted file mode 100644
index ed93f12474b..00000000000
--- a/shared/references/disa-stig-firefox-v4r11-xccdf-manual.xml
+++ /dev/null
@@ -1,159 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" id="Firefox" xml:lang="en" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2015-03-26">accepted</status><title>Mozilla Firefox</title><notice id="terms-of-use" xml:lang="en"></notice><reference href="http://iase.disa.mil"><dc:publisher>DISA, Field Security Operations</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 11 Benchmark Date: 24 Apr 2015</plain-text><version>4</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6318" selected="true" /><select idref="V-15767" selected="true" /><select idref="V-15768" selected="true" /><select idref="V-15770" selected="true" /><select idref="V-15771" selected="true" /><select idref="V-15772" selected="true" /><select idref="V-15773" selected="true" /><select idref="V-15774" selected="true" /><select idref="V-15775" selected="true" /><select idref="V-15776" selected="true" /><select idref="V-15777" selected="true" /><select idref="V-15778" selected="true" /><select idref="V-15779" selected="true" /><select idref="V-15982" selected="true" /><select idref="V-15983" selected="true" /><select idref="V-15985" selected="true" /><select idref="V-15986" selected="true" /><select idref="V-15987" selected="true" /><select idref="V-15988" selected="true" /><select idref="V-15989" selected="true" /><select idref="V-15990" 
selected="true" /><select idref="V-17988" selected="true" /><select idref="V-19741" selected="true" /><select idref="V-19742" selected="true" /><select idref="V-19743" selected="true" /><select idref="V-19744" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6318" selected="true" /><select idref="V-15767" selected="true" /><select idref="V-15768" selected="true" /><select idref="V-15770" selected="true" /><select idref="V-15771" selected="true" /><select idref="V-15772" selected="true" /><select idref="V-15773" selected="true" /><select idref="V-15774" selected="true" /><select idref="V-15775" selected="true" /><select idref="V-15776" selected="true" /><select idref="V-15777" selected="true" /><select idref="V-15778" selected="true" /><select idref="V-15779" selected="true" /><select idref="V-15982" selected="true" /><select idref="V-15983" selected="true" /><select idref="V-15985" selected="true" /><select idref="V-15986" selected="true" /><select idref="V-15987" selected="true" /><select idref="V-15988" selected="true" /><select idref="V-15989" selected="true" /><select idref="V-15990" selected="true" /><select idref="V-17988" selected="true" /><select idref="V-19741" selected="true" /><select idref="V-19742" selected="true" /><select idref="V-19743" selected="true" /><select idref="V-19744" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6318" selected="true" /><select idref="V-15767" selected="true" /><select idref="V-15768" selected="true" /><select idref="V-15770" selected="true" /><select idref="V-15771" selected="true" /><select idref="V-15772" selected="true" /><select idref="V-15773" selected="true" /><select idref="V-15774" selected="true" /><select 
idref="V-15775" selected="true" /><select idref="V-15776" selected="true" /><select idref="V-15777" selected="true" /><select idref="V-15778" selected="true" /><select idref="V-15779" selected="true" /><select idref="V-15982" selected="true" /><select idref="V-15983" selected="true" /><select idref="V-15985" selected="true" /><select idref="V-15986" selected="true" /><select idref="V-15987" selected="true" /><select idref="V-15988" selected="true" /><select idref="V-15989" selected="true" /><select idref="V-15990" selected="true" /><select idref="V-17988" selected="true" /><select idref="V-19741" selected="true" /><select idref="V-19742" selected="true" /><select idref="V-19743" selected="true" /><select idref="V-19744" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6318" selected="true" /><select idref="V-15767" selected="true" /><select idref="V-15768" selected="true" /><select idref="V-15770" selected="true" /><select idref="V-15771" selected="true" /><select idref="V-15772" selected="true" /><select idref="V-15773" selected="true" /><select idref="V-15774" selected="true" /><select idref="V-15775" selected="true" /><select idref="V-15776" selected="true" /><select idref="V-15777" selected="true" /><select idref="V-15778" selected="true" /><select idref="V-15779" selected="true" /><select idref="V-15982" selected="true" /><select idref="V-15983" selected="true" /><select idref="V-15985" selected="true" /><select idref="V-15986" selected="true" /><select idref="V-15987" selected="true" /><select idref="V-15988" selected="true" /><select idref="V-15989" selected="true" /><select idref="V-15990" selected="true" /><select idref="V-17988" selected="true" /><select idref="V-19741" selected="true" /><select idref="V-19742" selected="true" /><select idref="V-19743" selected="true" /><select idref="V-19744" 
selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6318" selected="true" /><select idref="V-15767" selected="true" /><select idref="V-15768" selected="true" /><select idref="V-15770" selected="true" /><select idref="V-15771" selected="true" /><select idref="V-15772" selected="true" /><select idref="V-15773" selected="true" /><select idref="V-15774" selected="true" /><select idref="V-15775" selected="true" /><select idref="V-15776" selected="true" /><select idref="V-15777" selected="true" /><select idref="V-15778" selected="true" /><select idref="V-15779" selected="true" /><select idref="V-15982" selected="true" /><select idref="V-15983" selected="true" /><select idref="V-15985" selected="true" /><select idref="V-15986" selected="true" /><select idref="V-15987" selected="true" /><select idref="V-15988" selected="true" /><select idref="V-15989" selected="true" /><select idref="V-15990" selected="true" /><select idref="V-17988" selected="true" /><select idref="V-19741" selected="true" /><select idref="V-19742" selected="true" /><select idref="V-19743" selected="true" /><select idref="V-19744" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6318" selected="true" /><select idref="V-15767" selected="true" /><select idref="V-15768" selected="true" /><select idref="V-15770" selected="true" /><select idref="V-15771" selected="true" /><select idref="V-15772" selected="true" /><select idref="V-15773" selected="true" /><select idref="V-15774" selected="true" /><select idref="V-15775" selected="true" /><select idref="V-15776" selected="true" /><select idref="V-15777" selected="true" /><select idref="V-15778" selected="true" /><select idref="V-15779" selected="true" /><select 
idref="V-15982" selected="true" /><select idref="V-15983" selected="true" /><select idref="V-15985" selected="true" /><select idref="V-15986" selected="true" /><select idref="V-15987" selected="true" /><select idref="V-15988" selected="true" /><select idref="V-15989" selected="true" /><select idref="V-15990" selected="true" /><select idref="V-17988" selected="true" /><select idref="V-19741" selected="true" /><select idref="V-19742" selected="true" /><select idref="V-19743" selected="true" /><select idref="V-19744" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6318" selected="true" /><select idref="V-15767" selected="true" /><select idref="V-15768" selected="true" /><select idref="V-15770" selected="true" /><select idref="V-15771" selected="true" /><select idref="V-15772" selected="true" /><select idref="V-15773" selected="true" /><select idref="V-15774" selected="true" /><select idref="V-15775" selected="true" /><select idref="V-15776" selected="true" /><select idref="V-15777" selected="true" /><select idref="V-15778" selected="true" /><select idref="V-15779" selected="true" /><select idref="V-15982" selected="true" /><select idref="V-15983" selected="true" /><select idref="V-15985" selected="true" /><select idref="V-15986" selected="true" /><select idref="V-15987" selected="true" /><select idref="V-15988" selected="true" /><select idref="V-15989" selected="true" /><select idref="V-15990" selected="true" /><select idref="V-17988" selected="true" /><select idref="V-19741" selected="true" /><select idref="V-19742" selected="true" /><select idref="V-19743" selected="true" /><select idref="V-19744" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6318" selected="true" 
/><select idref="V-15767" selected="true" /><select idref="V-15768" selected="true" /><select idref="V-15770" selected="true" /><select idref="V-15771" selected="true" /><select idref="V-15772" selected="true" /><select idref="V-15773" selected="true" /><select idref="V-15774" selected="true" /><select idref="V-15775" selected="true" /><select idref="V-15776" selected="true" /><select idref="V-15777" selected="true" /><select idref="V-15778" selected="true" /><select idref="V-15779" selected="true" /><select idref="V-15982" selected="true" /><select idref="V-15983" selected="true" /><select idref="V-15985" selected="true" /><select idref="V-15986" selected="true" /><select idref="V-15987" selected="true" /><select idref="V-15988" selected="true" /><select idref="V-15989" selected="true" /><select idref="V-15990" selected="true" /><select idref="V-17988" selected="true" /><select idref="V-19741" selected="true" /><select idref="V-19742" selected="true" /><select idref="V-19743" selected="true" /><select idref="V-19744" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6318" selected="true" /><select idref="V-15767" selected="true" /><select idref="V-15768" selected="true" /><select idref="V-15770" selected="true" /><select idref="V-15771" selected="true" /><select idref="V-15772" selected="true" /><select idref="V-15773" selected="true" /><select idref="V-15774" selected="true" /><select idref="V-15775" selected="true" /><select idref="V-15776" selected="true" /><select idref="V-15777" selected="true" /><select idref="V-15778" selected="true" /><select idref="V-15779" selected="true" /><select idref="V-15982" selected="true" /><select idref="V-15983" selected="true" /><select idref="V-15985" selected="true" /><select idref="V-15986" selected="true" /><select idref="V-15987" selected="true" /><select idref="V-15988" 
selected="true" /><select idref="V-15989" selected="true" /><select idref="V-15990" selected="true" /><select idref="V-17988" selected="true" /><select idref="V-19741" selected="true" /><select idref="V-19742" selected="true" /><select idref="V-19743" selected="true" /><select idref="V-19744" selected="true" /></Profile><Group id="V-6318"><title>DTBG010-DoD Root Certificate is not installed</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-33373r1_rule" severity="medium" weight="10.0"><version>DTBG010 - FireFox</version><title>The DOD Root Certificate is not installed.</title><description>&lt;VulnDiscussion&gt;The DOD root certificate will ensure that the trust chain is established for server certificate issued from the DOD CA.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-5841r1_fix">Install the DOD root certificate.</fixtext><fix id="F-5841r1_fix" /><check system="C-16602r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Procedure: Use the Tools/Options/Advanced/Encryption dialog. On the Select the View Certificates button. On the Certificate Manager window, select the Authorities tab. 
Scroll through the Certificate Name list to the U.S. Government heading. Look for the entry for the DoD Root CA 2.
-If there is an entry for the DoD Root CA 2, select the entry and then the View button. On the Certificate Viewer window, determine the value of the MD5 Fingerprint field.
-
-Criteria:
-If there is no entry for the DoD Root CA 2, then this is a Finding.
-
-If the value of the MD5 Fingerprint field of the DoD Root CA 2 certificate is not:
-47:78:92:DB:8A:EC:1B:53:68:F0:1D:00:9C:34:77:5E,
-then this is a Finding.
-
-If the value of the SHA1 Fingerprint field of the DoD Root CA 2 certificate is not:
-8C:94:1B:34:EA:1E:A6:ED:9A:E2:BC:54:CF:68:72:52:B4:C9:B5:61, then this is a Finding.</check-content></check></Rule></Group><Group id="V-15767"><title>DTBF020 - FireFox PreferencesUse of SSL Version 3</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16706r3_rule" severity="medium" weight="10.0"><version>DTBF020</version><title>Firefox is configured to allow use of SSL 3.0.</title><description>&lt;VulnDiscussion&gt;DoD implementations of SSL must use TLS 1.0 in accordance with the Network Infrastructure STIG. Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD. Firefox has this set to on by default but this is not apparent in the GUI options screen.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15956r3_fix">Set the preference "security.enable_ssl3" to "true" or “false” and lock using the Mozilla.cfg file.</fixtext><fix id="F-15956r3_fix" /><check system="C-16453r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Open a browser window, type "about:config" in the address bar, then navigate to the setting for Preference Name "security.enable_ssl3" and set the value to "true" or “false” and locked.
-
-Criteria: If the value of "security.enable_ssl3" is "true" or “false”, this is not a finding. If the value is locked, this is not a finding.</check-content></check></Rule></Group><Group id="V-15768"><title>DTBF050 - FireFox Preferences Verification</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16707r1_rule" severity="medium" weight="10.0"><version>DTBF050</version><title>FireFox is configured to ask which certificate to present to a web site when a certificate is required.</title><description>&lt;VulnDiscussion&gt;When a web site asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DOD require user authentication for access which increases security for DoD information. Access will be denied to the user if certificate management is not configured.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15985r1_fix">Set the value of "security.default_personal_cert" to "Ask Every Time". Use the Mozilla.cfg file to lock the preference so users cannot change it.
-
-</fixtext><fix id="F-15985r1_fix" /><check system="C-16611r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Type "about:config" in the browser address bar. Verify Preference Name "security.default_personal_cert" is set to "Ask Every Time" and is locked to prevent the user from altering.
-
-Criteria: If the value of "security.default_personal_cert" is set incorrectly or is not locked, then this is a finding.
-</check-content></check></Rule></Group><Group id="V-15770"><title>DTBF100 -FireFox Preferencesauto-download actions</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16709r1_rule" severity="medium" weight="10.0"><version>DTBF100</version><title>Firefox automatically executes or downloads MIME types which are not authorized for auto-download.</title><description>&lt;VulnDiscussion&gt;The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows you to change the specified download action so that the file is opened with a selected external application or saved to disk instead. View the list of installed browser plugins and related MIME types by entering about:plugins in the address bar.
-
-When you click a link to download a file, the MIME type determines what action Firefox will take. You may already have a plugin installed that will automatically handle the download, such as Windows Media Player or QuickTime. Other times, you may see a dialog asking whether you want to save the file or open it with a specific application. When you tell Firefox to open or save the file and also check the option to "Do this automatically for files like this from now on", an entry appears for that type of file in the Firefox Applications panel, shown below.
-&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;DCMC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15987r1_fix">Remove any unauthorized extensions from the autodownload list. </fixtext><fix id="F-15987r1_fix" /><check system="C-16614r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Use Method 1 or 2 to check if the following extensions are listed in the browser configuration: HTA, JSE, JS, MOCHA, SHS, VBE, VBS, SCT, WSC. By default, most of these extensions will not show up on the Firefox listing.
-
-Criteria:
-
-Method 1: In about:plugins, Installed plug-in, inspect the entries in the Suffixes column.
-
-If any of the prohibited extensions are found, then for each of them, verify that it is not associated with an application that executes code. However, applications such as Notepad.exe that do not execute code may be associated with the extension. If the extension is associated with an unauthorized application, then this is a finding.
-
-If the extension exists but is not associated with an application, then this is a finding.
-
-Method 2:
-Use the Options User Interface Applications menu to search for the prohibited extensions in the Content column of the table.
-
-If an extension that is not approved for automatic execution exists and the entry in the Action column is associated with an application that does not execute the code (e.g., Notepad), then do not mark this as a finding.
-
-If the entry exists and the "Action" is 'Save File' or 'Always Ask', then this is not a finding.
-
-If an extension exists and the entry in the Action column is associated with an application that does/can execute the code, then this is a finding.
-</check-content></check></Rule></Group><Group id="V-15771"><title>DTBF105 - FireFox Preferences Shell Protocol</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16710r3_rule" severity="medium" weight="10.0"><version>DTBF105</version><title>Network shell protocol is enabled in FireFox.</title><description>&lt;VulnDiscussion&gt;Although current versions of Firefox have this set to disabled by default, use of this option can be harmful. This would allow the browser to access the Windows shell. This could allow access to the
-underlying system. This check verifies that the default setting has not been changed.
-&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15988r3_fix">Procedure: Set the value of "network.protocol-handler.external.shell" to "false" and lock using the Mozilla.cfg file.</fixtext><fix id="F-15988r3_fix" /><check system="C-16615r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Procedure: Open a browser window, type "about:config" in the address bar.
-
-Criteria: If the value of "network.protocol-handler.external.shell" is not "false" or is not locked, then this is a finding. </check-content></check></Rule></Group><Group id="V-15772"><title>DTBF110 - FireFox Preferences Open Confirmation</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16711r2_rule" severity="medium" weight="10.0"><version>DTBF110</version><title>Firefox not configured to prompt user before download and opening for required file types.</title><description>&lt;VulnDiscussion&gt;New file types cannot be added directly to the helper applications or plugins listing. Files with these extensions will not be allowed to use Firefox publicly available plugins and extensions to open. The application will be configured to open these files using external applications only. After a helper application or save to disk download action has been set, that action will be taken automatically for those types of files. When the user receives a dialog box asking if you want to save the file or open it with a specified application, this indicates that a plugin does not exist. The user has not previously selected a download action or helper application to automatically use for that type of file. When prompted, if the user checks the option to Do this automatically for files like this from now on, then an entry will appear for that type of file in the plugins listing and this file type is automatically opened in the future. This can be a security issue. New file types cannot be added directly to the Application plugin listing. 
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15989r2_fix">Ensure the following extensions are not automatically opened by Firefox without user confirmation. Do not use plugins and add-ons to open these files. Use the "plugin.disable_full_page_plugin_for_types" preference to set and lock the following extensions so that an external application rather than an add-on or plugin will not be used. (PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP)</fixtext><fix id="F-15989r2_fix" /><check system="C-16616r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Open a browser window, type "about:config" in the address bar.
-
-Criteria: If the “plugin.disable_full_page_plugin_for_types” value is not set to include the following external extensions and not locked, then this is a finding:
-
-PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP.</check-content></check></Rule></Group><Group id="V-15773"><title>DTBF120 - FireFox Preferences ActiveX controls</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16712r1_rule" severity="medium" weight="10.0"><version>DTBF120</version><title>FireFox plug-in for ActiveX controls is installed.</title><description>&lt;VulnDiscussion&gt;When an ActiveX control is referenced in an HTML document, MS Windows checks to see if
-the control already resides on the client machine. If not, the control can be downloaded from a
-remote web site. This provides an automated delivery method for mobile code.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15990r1_fix">Remove/uninstall the Mozilla ActiveX plugin </fixtext><fix id="F-15990r1_fix" /><check system="C-16617r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Open a browser window, type "about:plugins" in the address bar.
-
-Criteria: If the Mozilla ActiveX control and plugin support is present and enabled, then this is a finding.
-</check-content></check></Rule></Group><Group id="V-15774"><title>DTBF140 - FireFox Preferences Autofill forms</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16713r1_rule" severity="medium" weight="10.0"><version>DTBF140</version><title>Firefox formfill assistance option is disabled.</title><description>&lt;VulnDiscussion&gt;In order to protect privacy and sensitive data, Firefox provides the ability to configure Firefox such that data entered into forms is not saved. This mitigates the risk of a website gleaning private information from prefilled information.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15991r1_fix">Ensure the preference “browser.formfill.enable" is set and locked to the value of “False”.</fixtext><fix id="F-15991r1_fix" /><check system="C-16619r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Type "about:config" in the address bar, verify that the preference name “browser.formfill.enable" is set to “false” and locked.
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
-</check-content></check></Rule></Group><Group id="V-15775"><title>DTBF150 - FireFox Preferences Autofill passwords</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16714r1_rule" severity="medium" weight="10.0"><version>DTBF150</version><title>Firefox is configured to autofill passwords.</title><description>&lt;VulnDiscussion&gt;While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts. &lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15992r1_fix">Ensure the preference " signon.prefillForms " is set and locked to the value of “False”.</fixtext><fix id="F-15992r1_fix" /><check system="C-16620r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>In About:Config, verify that the preference name “signon.prefillForms“ is set to “false” and locked.
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
-</check-content></check></Rule></Group><Group id="V-15776"><title>DTBF160 - FireFox Preferences Password store</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16715r1_rule" severity="medium" weight="10.0"><version>DTBF160</version><title>FireFox is configured to use a password store with or without a master password.</title><description>&lt;VulnDiscussion&gt;Firefox can be set to store passwords for sites visited by the user. These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then be enabled when the site is visited. This feature could also be used to autofill the certificate pin which could lead to compromise of DoD information.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15993r1_fix"> Ensure the preference "“signon.rememberSignons“ is set and locked to the value of “false”.</fixtext><fix id="F-15993r1_fix" /><check system="C-16621r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Type "About:Config" in the browser window. Verify that the preference name “signon.rememberSignons" is set and locked to “false”.
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
-</check-content></check></Rule></Group><Group id="V-15777"><title>DTBF170 - FireFox Preferences Cookies</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16716r1_rule" severity="medium" weight="10.0"><version>DTBF170</version><title>Firefox does not clear cookies upon closing.</title><description>&lt;VulnDiscussion&gt;Cookies can help websites perform better but can also be part of spyware. To mitigate this risk, set browser preferences to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15994r1_fix">Ensure the preference "privacy.sanitize.sanitizeOnShutdown" is set and locked to the value of “true”. Also ensure the preference “privacy.sanitize.promptOnSanitize” is set and locked to “false” </fixtext><fix id="F-15994r1_fix" /><check system="C-16622r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Type "about:config" in the address bar of the browser. Verify that the preference “privacy.sanitize.sanitizeOnShutdown" is set to “true”. 
Also “privacy.sanitize.promptOnSanitize” must be set to “false” to prevent users from circumventing the deleting of cookies. Both settings must also be locked to prevent user changes.
-
-Criteria: If the parameter for either of the two sanitize preferences is set incorrectly, then this is a finding. If the settings are not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-15778"><title>DTBF180 - Pop-up windows</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16717r1_rule" severity="medium" weight="10.0"><version>DTBF180</version><title>FireFox is not configured to block pop-up windows.</title><description>&lt;VulnDiscussion&gt;Popup windows may be used to launch an attack within a new browser window with altered settings. This setting blocks popup windows created while the page is loading.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15995r1_fix">Ensure the preference "dom.disable_window_open_feature.status " is set and locked to the value of “true”.</fixtext><fix id="F-15995r1_fix" /><check system="C-16623r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>In About:Config, verify that the preference name “dom.disable_window_open_feature.status " is set to “true” and locked.
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
-</check-content></check></Rule></Group><Group id="V-15779"><title>DTBF181 - JavaScript move or resize windows</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16718r1_rule" severity="medium" weight="10.0"><version>DTBF181</version><title>FireFox is configured to allow JavaScript to move or resize windows.
-</title><description>&lt;VulnDiscussion&gt;JavaScript can make changes to the browsers appearance. This activity can help disguise an attack taking place in a minimized background window. Set browser setting to prevent scripts on visited websites from moving and resizing browser windows. &lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15996r1_fix">Ensure the preference "dom.disable_window_move_resize" is set and locked to the value of “true”.</fixtext><fix id="F-15996r1_fix" /><check system="C-16624r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>In About:Config, verify that the preference name “dom.disable_window_move_resize" is set and locked to “true”.
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
-</check-content></check></Rule></Group><Group id="V-15982"><title>DTBF010 - Firefox Preferences - SSL 2.0 Protocol</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16924r2_rule" severity="medium" weight="10.0"><version>DTBF010</version><title>The Firefox SSLV2 parameter is configured to allow use of SSL 2.0.</title><description>&lt;VulnDiscussion&gt;Use of versions prior to TLS 1.0 are not permitted because these versions are non-standard. SSL 2.0 and SSL 3.0 contain a number of security flaws. These versions must be disabled in compliance with the Network Infrastructure and Secure Remote Computing STIGs. SSL 2.0 setting does not appear in the Options dialog and must be disabled using About:Config.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15983r2_fix">Set the preference "security.enable_ssl2" is set to "false" and lock using the Mozilla.cfg file.
-
-</fixtext><fix id="F-15983r2_fix" /><check system="C-16609r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Open a browser window, type "about:config" in the address bar, then navigate to the setting for Preference Name "security.enable_ssl2" and verify the value is set to "false".
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If the value is not locked this is a finding.
-</check-content></check></Rule></Group><Group id="V-15983"><title>DTBF030 - Firefox Preferences SSL Protocols TLS</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16925r1_rule" severity="medium" weight="10.0"><version>DTBF030</version><title>Firefox is not configured to allow use of TLS 1.0.</title><description>&lt;VulnDiscussion&gt;DoD implementations of SSL must use TLS 1.0 in accordance with the Network Infrastructure STIG. Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15984r1_fix">Ensure the preference value of "security.enable_tls" is set to "true" and locked.
-</fixtext><fix id="F-15984r1_fix" /><check system="C-16610r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Open a browser window, type "about:config" in the address bar. Verify Preference Name "security.enable_tls" is set to the value "true" and locked.
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
-</check-content></check></Rule></Group><Group id="V-15985"><title>DTBF182 - JavaScript raise or lower windows</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16927r1_rule" severity="medium" weight="10.0"><version>DTBF182</version><title>Firefox is configured to allow JavaScript to raise or lower windows.</title><description>&lt;VulnDiscussion&gt;JavaScript can make changes to the browsers appearance. Allowing a website to use JavaScript to raise and lower browser windows may disguise an attack. Browser windows may not be set as active via JavaScript.
-&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15997r1_fix">Ensure the preference "dom.disable_window_flip" is set and locked to the value of “true”.</fixtext><fix id="F-15997r1_fix" /><check system="C-16625r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>In About:Config, verify that the preference name “dom.disable_window_flip" is set and locked to “true”.
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-15986"><title>DTBF183 - JavaScript Context Menus</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16928r1_rule" severity="medium" weight="10.0"><version>DTBF183</version><title>Firefox is configured to allow JavaScript to disable or replace context menus.</title><description>&lt;VulnDiscussion&gt;A context menu (also known as a pop-up menu) is often used in a graphical user interface (GUI) and appears upon user interaction (e.g., a right mouse click). A context menu offers a limited set of choices that are available in the current state, or context, of the operating system or application. A website may execute JavaScript that can make changes to these context menus. This can help disguise an attack. Set this preference to "false" so that webpages will not be able to affect the context menu event.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15998r3_fix">Ensure the preferences “dom.event.contextmenu.enabled" is set and locked to “false”, "dom.disable_window_move_resize" is set and locked to "true", and "dom.disable_window_flip" is set and locked to 
"true".</fixtext><fix id="F-15998r3_fix" /><check system="C-16626r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Type "about:config" in the address bar of the browser. Verify that the preferences “dom.event.contextmenu.enabled" is set and locked to “false”, "dom.disable_window_move_resize" is set and locked to "true", and "dom.disable_window_flip" is set and locked to "true".
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule><Rule id="SV-66005r1_rule" severity="medium" weight="10.0"><version>DTBF183</version><title>Firefox is must be configured to prevent JavaScript from disable or replace context menus.</title><description>&lt;VulnDiscussion&gt;A context menu (also known as a pop-up menu) is often used in a graphical user interface (GUI) and appears upon user interaction (e.g., a right mouse click). A context menu offers a limited set of choices that are available in the current state, or context, of the operating system or application. A website may execute JavaScript that can make changes to these context menus. This can help disguise an attack. Set this preference to "false" so that webpages will not be able to affect the context menu event.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15998r3_fix">Ensure the preferences “dom.event.contextmenu.enabled" is set and locked to “false”, "dom.disable_window_move_resize" is set and locked to "true", and "dom.disable_window_flip" is set and locked to "true".</fixtext><fix id="F-15998r3_fix" /><check system="C-16626r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" 
/><check-content>Type "about:config" in the address bar of the browser. Verify that the preferences “dom.event.contextmenu.enabled" is set and locked to “false”, "dom.disable_window_move_resize" is set and locked to "true", and "dom.disable_window_flip" is set and locked to "true".
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-15987"><title>DTBF184 - JavaScript hiding or changing status bar</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16929r1_rule" severity="medium" weight="10.0"><version>DTBF184</version><title>Firefox is configured to allow JavaScript to hide or change the status bar.</title><description>&lt;VulnDiscussion&gt;When a user visits some webpages, JavaScript can hide or make changes to the browsers appearance to hide unauthorized activity. This activity can help disguise an attack taking place in a minimized background window. Determines whether the text in the browser status bar may be set by JavaScript. Set and lock to True (default in Firefox) so that JavaScript access to preference settings for is disabled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-15999r1_fix">Ensure the preference "dom.disable_window_status_change" is set and locked to the value of “true”.</fixtext><fix id="F-15999r1_fix" /><check system="C-16627r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Type "about:config" in the address bar of the 
browser. Verify that the preference “dom.disable_window_status_change" is set and locked to “true”.
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-15988"><title>DTBF185 -JavaScript can change the status bar text</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16930r1_rule" severity="medium" weight="10.0"><version>DTBF185</version><title>Firefox is configured to allow JavaScript to change the status bar text.</title><description>&lt;VulnDiscussion&gt;JavaScript can make changes to the browsers appearance. This activity can help disguise an attack taking place in a minimized background window. Webpage authors can disable many features of a popup window that they open. Setting these preferences to true will override the author's settings and ensure that the feature is enabled and present in any popup window. This setting prevents the status bar from being hidden.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-16000r1_fix">Ensure the preference "dom.disable_window_open_feature.status" is set and locked to the value of “true”.</fixtext><fix id="F-16000r1_fix" /><check system="C-16628r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>In About:Config, verify that the 
preference “dom.disable_window_open_feature.status" is set and locked to “true”.
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
-</check-content></check></Rule></Group><Group id="V-15989"><title>DTBF130 - Non-secure Page Warning</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16931r1_rule" severity="medium" weight="10.0"><version>DTBF130</version><title>Firefox is not configured to provide warnings when a user switches from a secure (SSL-enabled) to a non-secure page.</title><description>&lt;VulnDiscussion&gt;Users may not be aware that the information being viewed under secure conditions in a previous page are not currently being viewed under the same security settings. &lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-16003r1_fix">Ensure the preference “security.warn_leaving_secure" is set to “true” and locked on this setting.</fixtext><fix id="F-16003r1_fix" /><check system="C-16629r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Type "about:config" in the browser window. Verify that the preference name “security.warn_leaving_secure" is set to “true” and locked.
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
-</check-content></check></Rule></Group><Group id="V-15990"><title>DTBF017 - Home Page</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-16932r1_rule" severity="medium" weight="10.0"><version>DTBF017</version><title>The Firefox browser home page is not set to blank or a trusted site.</title><description>&lt;VulnDiscussion&gt;The browser home page parameter specifies the web page that is to be displayed when the browser is started explicitly and when product-specific buttons or key sequences for the home page are accessed. This helps to mitigate the possibility of automatic inadvertent execution of script added to a previously safe site.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-20405r1_fix">Ensure the preference "browser.startup.homepage" is set and locked to blank or the URL for a .mil or other trusted website.</fixtext><fix id="F-20405r1_fix" /><check system="C-24153r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Type "about:config" in the address bar of the browser. Verify that the preference "browser.startup.homepage" is set and locked to blank or an authorized and trusted website such as "https://www.us.army.mil/suite/page/429668"
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
-</check-content></check></Rule></Group><Group id="V-17988"><title>DTBF003 - Installed version of FireFox not supported</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-19509r1_rule" severity="high" weight="10.0"><version>DTBF003</version><title>Installed version of Firefox unsupported.</title><description>&lt;VulnDiscussion&gt;Use of versions of an application which are not supported by the vendor are not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for unsupported version which can leave the application vulnerable to attack. &lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;DCMC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-18550r1_fix">Upgrade the version of the browser to an approved version by obtaining software from the vendor or other trusted source. </fixtext><fix id="F-18550r1_fix" /><check system="C-20617r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Method 1: View the following registry key:
-HKLM\Software\Mozilla\Mozilla Firefox\CurrentVersion
-
-Method 2: Search for the firefox.exe file using the search feature of the operating system. Examine the files properties for the product version (not the file version. For Windows OS, determine the version of the file by examining navigating to Properties/Version/Product Version. Examine for all instances of firefox.exe that are present on the endpoint.
-
-Criteria: If the version number of the firefox.exe file is less than 3.x.x, then this is a Finding.
-
-</check-content></check></Rule></Group><Group id="V-19741"><title>DTBF080-Firefox PreferencesAuto-update of Firefox</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-21887r1_rule" severity="medium" weight="10.0"><version>DTBF080</version><title>Firefox application is set to auto-update.</title><description>&lt;VulnDiscussion&gt;Allowing software updates from non-trusted sites can introduce settings that will override a secured installation of the application. This can place DoD information at risk. If this setting is enabled, then there are many other default settings which point to untrusted sites which must be changed to point to an authorized update site that is not publicly accessible. &lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-20414r3_fix">Ensure the preference "app.update.enable" is set and locked to the value of “False” or that a trusted server is used. </fixtext><fix id="F-20414r3_fix" /><check system="C-24187r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Type "about:config" in the browser window. Verify that
-
-1. The preference name "app.update.enabled" is set to 'false' and locked or
-
-2. If set to "true" then verify that "app.update.url", "app.update.url.details" and "app.update.url.manual" contain url information that point to a trusted server and is not the default setting. (Default would contain mozilla.com or Mozilla.org).
-
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If this setting is not locked, then this is a finding.
-</check-content></check></Rule></Group><Group id="V-19742"><title>DTBF090-Firefox Preferences-Addons\ plugin updates</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-21888r3_rule" severity="medium" weight="10.0"><version>DTBF090</version><title>Firefox automatically updates installed add-ons and plugins.</title><description>&lt;VulnDiscussion&gt;Set this to false to disable checking for updated versions of the Extensions/Themes. Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-20415r2_fix">Set the preference “extensions.update.enabled” value to "false" and lock using the Mozilla.cfg file.
-</fixtext><fix id="F-20415r2_fix" /><check system="C-24188r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Type "about:config" in the browser window. Verify the preference “extensions.update.enabled” is set to "false" and locked.
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If this setting is not locked, then this is a finding.
-</check-content></check></Rule><Rule id="SV-59603r1_rule" severity="medium" weight="10.0"><version>DTBF090</version><title>Firefox automatically updates installed add-ons and plugins.</title><description>&lt;VulnDiscussion&gt;Set this to false to disable checking for updated versions of the Extensions/Themes. Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-20415r2_fix">Set the preference “extensions.update.enabled” value to "false" and lock using the Mozilla.cfg file.
-</fixtext><fix id="F-20415r2_fix" /><check system="C-24188r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Type "about:config" in the browser window. Verify the preference “extensions.update.enabled” is set to "false" and locked.
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If this setting is not locked, then this is a finding.
-</check-content></check></Rule></Group><Group id="V-19743"><title>DTBF070 - Firefox Preferences - Lock settings</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-21889r3_rule" severity="medium" weight="10.0"><version>DTBF070</version><title>Firefox required security preferences cannot be changed by user.</title><description>&lt;VulnDiscussion&gt;Locked settings prevent users from accessing about:config and changing the security settings set by the system administrator. Locked settings should be placed in the mozilla.cfg file. The mozilla.cfg file is an encoded file of JavaScript commands. The encoding is a simple "byte-shifting" with an offset of 13 (Netscape 4 used a similar encoding, but with a 7 instead). This file also needs to be "called" from the configuration file local-settings.js&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-22495r4_fix">Ensure the required settings In "About:config" are locked using the Mozilla.cfg file. </fixtext><fix id="F-22495r4_fix" /><check system="C-24189r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Verify that required settings are marked as locked in about:config. Verify that mozilla.cfg file is used to lock required security settings.
-
-For instructions and a tool for reading the bitshifted file go to http://www.alain.knaff.lu/howto/MozillaCustomization/cgi/byteshf.cgi
-
-Sample file:
-//
-lockPref("browser.startup.homepage", "https://www.us.army.mil/suite/page/429668");
-lockPref("browser.download.dir", "N:");
-lockPref("browser.download.downloadDir", "N:");
-lockPref("app.update.enabled", false);
-lockPref("extensions.update.enabled", false);
-lockPref("browser.shell.checkDefaultBrowser", false);
-lockPref("browser.search.update", false);
-lockPref("browser.formfill.enable", false);
-lockPref("signon.prefillForms", false);
-lockPref("dom.disable_open_during_load", true);
-lockPref("dom.disable_window_move_resize", true);
-lockPref("dom.event.contextmenu.enabled", false);
-lockPref("dom.disable_window_status_change", true);
-lockPref("dom.disable_window_flip", true);
-lockPref("dom.disable_window_open_feature.status", true);
-lockPref("security.warn_leaving_secure", true);
-lockPref("privacy.sanitize.promptOnSanitize", false);
-lockPref("privacy.sanitize.sanitizeOnShutdown", true);
-lockPref("security.default_personal_cert", "Ask Every Time");
-lockPref("signon.rememberSignons", false);
-lockPref("xpinstall.whitelist.required", true);
-lockPref(“network.protocol-handler.external.shell”,false);
-lockPref(“security.enable_ssl3”,true);
-lockPref(“security.enable_ssl2”,false);
-lockPref(“security.enable_tls”,true);
-lockPref("plugin.disable_full_page_plugin_for_types", "application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,appliation/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt, application/dos, application/wks");
-lockPref("privacy.item.history", false)
-
-Note: Append line into local-settings.js file to include in the Mozilla config file
-</check-content></check></Rule></Group><Group id="V-19744"><title>DTBF085 - Firefox Preferences Search update </title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-21890r1_rule" severity="medium" weight="10.0"><version>DTBF085</version><title>Firefox automatically checks for updated version of installed Search plugins.</title><description>&lt;VulnDiscussion&gt;Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Firefox</dc:title><dc:publisher>DISA FSO</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Firefox</dc:subject><dc:identifier>205</dc:identifier></reference><fixtext fixref="F-20416r2_fix">Ensure the preference "browser.search.update" is set and locked to the value of “False”.</fixtext><fix id="F-20416r2_fix" /><check system="C-24190r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Firefox.xml" /><check-content>Type "about:config" in the browser window. Verify the preference "browser.search.update” is set to "false" and locked.
-
-Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
-</check-content></check></Rule></Group></Benchmark>
\ No newline at end of file
diff --git a/shared/references/disa-stig-firefox-v5r1-xccdf-manual.xml b/shared/references/disa-stig-firefox-v5r1-xccdf-manual.xml
new file mode 100644
index 00000000000..f0a8e661782
--- /dev/null
+++ b/shared/references/disa-stig-firefox-v5r1-xccdf-manual.xml
@@ -0,0 +1,120 @@
+<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="Mozilla_Firefox_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2020-12-10">accepted</status><title>Mozilla Firefox Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 1 Benchmark Date: 22 Jan 2021</plain-text><plain-text id="generator">3.2.1.41666</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>5</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical 
Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select 
idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support 
Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select 
idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative 
Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select 
idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Group id="V-223151"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223151r612236_rule" weight="10.0" severity="high"><version>DTBF003</version><title>Installed version of Firefox unsupported.</title><description>&lt;VulnDiscussion&gt;Use of versions of an application which are not supported by the vendor are not permitted. Vendors respond to security flaws with updates and patches. 
These updates are not available for unsupported version which can leave the application vulnerable to attack.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-19509</ident><ident system="http://cyber.mil/legacy">V-17988</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-24812r531271_fix">Upgrade the version of the browser to an approved version by obtaining software from the vendor or other trusted source.</fixtext><fix id="F-24812r531271_fix" /><check system="C-24824r531270_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Method 1: View the following registry key:
+HKLM\Software\Mozilla\Mozilla Firefox\CurrentVersion
+
+Method 2: Run Firefox. Click the ellipsis button &gt;&gt; Help &gt;&gt; About Firefox, and view the version number.
+
+Criteria: If the Firefox version is not a supported version, this is a finding.</check-content></check></Rule></Group><Group id="V-223152"><title>SRG-APP-000560</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223152r612236_rule" weight="10.0" severity="medium"><version>DTBF030</version><title>Firefox must be configured to allow only TLS.</title><description>&lt;VulnDiscussion&gt;Use of versions prior to TLS 1.1 are not permitted. SSL 2.0 and SSL 3.0 contain a number of security flaws. These versions must be disabled in compliance with the Network Infrastructure and Secure Remote Computing STIGs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16925</ident><ident system="http://cyber.mil/legacy">V-15983</ident><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-24813r531274_fix">Configure the following parameters using the Mozilla.cfg file:
+
+LockPref "security.tls.version.min" is set to "2".
+LockPref "security.tls.version.max" is set to "4".</fixtext><fix id="F-24813r531274_fix" /><check system="C-24825r531273_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Open a browser window, type "about:config" in the address bar.
+
+Verify Preference Name "security.tls.version.min" is set to the value "2" and locked.
+Verify Preference Name "security.tls.version.max" is set to the value "4" and locked.
+
+Criteria: If the parameters are set incorrectly, this is a finding.
+
+If the settings are not locked, this is a finding.</check-content></check></Rule></Group><Group id="V-223153"><title>SRG-APP-000177</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223153r612236_rule" weight="10.0" severity="medium"><version>DTBF050</version><title>FireFox is configured to ask which certificate to present to a web site when a certificate is required.</title><description>&lt;VulnDiscussion&gt;When a web site asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DOD require user authentication for access which increases security for DoD information. Access will be denied to the user if certificate management is not configured.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16707</ident><ident system="http://cyber.mil/legacy">V-15768</ident><ident system="http://cyber.mil/cci">CCI-000187</ident><fixtext fixref="F-24814r531277_fix">Set the value of "security.default_personal_cert" to "Ask Every Time". Use the Mozilla.cfg file to lock the preference so users cannot change it.
+
+</fixtext><fix id="F-24814r531277_fix" /><check system="C-24826r531276_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the browser address bar. Verify Preference Name "security.default_personal_cert" is set to "Ask Every Time" and is locked to prevent the user from altering.
+
+Criteria: If the value of "security.default_personal_cert" is set incorrectly or is not locked, then this is a finding.
+</check-content></check></Rule></Group><Group id="V-223154"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223154r612236_rule" weight="10.0" severity="medium"><version>DTBF085</version><title>Firefox automatically checks for updated version of installed Search plugins.</title><description>&lt;VulnDiscussion&gt;Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-21890</ident><ident system="http://cyber.mil/legacy">V-19744</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24815r531280_fix">Ensure the preference "browser.search.update" is set and locked to the value of “False”.</fixtext><fix id="F-24815r531280_fix" /><check system="C-24827r531279_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the browser window. Verify the preference "browser.search.update” is set to "false" and locked.
+
+Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
+</check-content></check></Rule></Group><Group id="V-223155"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223155r612236_rule" weight="10.0" severity="medium"><version>DTBF090</version><title>Firefox automatically updates installed add-ons and plugins.</title><description>&lt;VulnDiscussion&gt;Set this to false to disable checking for updated versions of the Extensions/Themes. Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-59603</ident><ident system="http://cyber.mil/legacy">V-19742</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24816r531283_fix">Set the preference “extensions.update.enabled” value to "false" and lock using the Mozilla.cfg file.
+</fixtext><fix id="F-24816r531283_fix" /><check system="C-24828r531282_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the browser window. Verify the preference “extensions.update.enabled” is set to "false" and locked.
+
+Criteria: If the parameter is set incorrectly, then this is a finding. If this setting is not locked, then this is a finding.
+</check-content></check></Rule></Group><Group id="V-223156"><title>SRG-APP-000278</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223156r612236_rule" weight="10.0" severity="medium"><version>DTBF100</version><title>Firefox automatically executes or downloads MIME types which are not authorized for auto-download.</title><description>&lt;VulnDiscussion&gt;The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows you to change the specified download action so that the file is opened with a selected external application or saved to disk instead. View the list of installed browser plugins and related MIME types by entering about:plugins in the address bar.
+
+When you click a link to download a file, the MIME type determines what action Firefox will take. You may already have a plugin installed that will automatically handle the download, such as Windows Media Player or QuickTime. Other times, you may see a dialog asking whether you want to save the file or open it with a specific application. When you tell Firefox to open or save the file and also check the option to "Do this automatically for files like this from now on", an entry appears for that type of file in the Firefox Applications panel, shown below.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16709</ident><ident system="http://cyber.mil/legacy">V-15770</ident><ident system="http://cyber.mil/cci">CCI-001242</ident><fixtext fixref="F-24817r531286_fix">Remove any unauthorized extensions from the autodownload list. </fixtext><fix id="F-24817r531286_fix" /><check system="C-24829r531285_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Use Method 1 or 2 to check if the following extensions are listed in the browser configuration: HTA, JSE, JS, MOCHA, SHS, VBE, VBS, SCT, WSC. By default, most of these extensions will not show up on the Firefox listing.
+
+Criteria:
+
+Method 1: In about:plugins, Installed plug-in, inspect the entries in the Suffixes column.
+
+If any of the prohibited extensions are found, then for each of them, verify that it is not associated with an application that executes code. However, applications such as Notepad.exe that do not execute code may be associated with the extension. If the extension is associated with an unauthorized application, then this is a finding.
+
+If the extension exists but is not associated with an application, then this is a finding.
+
+Method 2:
+Use the Options User Interface Applications menu to search for the prohibited extensions in the Content column of the table.
+
+If an extension that is not approved for automatic execution exists and the entry in the Action column is associated with an application that does not execute the code (e.g., Notepad), then do not mark this as a finding.
+
+If the entry exists and the "Action" is 'Save File' or 'Always Ask', then this is not a finding.
+
+If an extension exists and the entry in the Action column is associated with an application that does/can execute the code, then this is a finding.
+</check-content></check></Rule></Group><Group id="V-223157"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223157r612236_rule" weight="10.0" severity="medium"><version>DTBF105</version><title>Network shell protocol is enabled in FireFox.</title><description>&lt;VulnDiscussion&gt;Although current versions of Firefox have this set to disabled by default, use of this option can be harmful. This would allow the browser to access the Windows shell. This could allow access to the
+underlying system. This check verifies that the default setting has not been changed.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16710</ident><ident system="http://cyber.mil/legacy">V-15771</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24818r531289_fix">Procedure: Set the value of "network.protocol-handler.external.shell" to "false" and lock using the Mozilla.cfg file.</fixtext><fix id="F-24818r531289_fix" /><check system="C-24830r531288_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Procedure: Open a browser window, type "about:config" in the address bar.
+
+Criteria: If the value of "network.protocol-handler.external.shell" is not "false" or is not locked, then this is a finding. </check-content></check></Rule></Group><Group id="V-223158"><title>SRG-APP-000279</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223158r612236_rule" weight="10.0" severity="medium"><version>DTBF110</version><title>Firefox is not configured to prompt a user before downloading and opening required file types.</title><description>&lt;VulnDiscussion&gt;New file types cannot be added directly to the helper applications or plugins listing. Files with these extensions will not be allowed to use Firefox publicly available plugins and extensions to open. The application will be configured to open these files using external applications only. After a helper application or save to disk download action has been set, that action will be taken automatically for those types of files. When the user receives a dialog box asking if you want to save the file or open it with a specified application, this indicates that a plugin does not exist. The user has not previously selected a download action or helper application to automatically use for that type of file. When prompted, if the user checks the option to Do this automatically for files like this from now on, then an entry will appear for that type of file in the plugins listing and this file type is automatically opened in the future. This can be a security issue. New file types cannot be added directly to the Application plugin listing. 
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16711</ident><ident system="http://cyber.mil/legacy">V-15772</ident><ident system="http://cyber.mil/cci">CCI-001243</ident><fixtext fixref="F-24819r531292_fix">Ensure the following extensions are not automatically opened by Firefox without user confirmation. Do not use plugins and add-ons to open these files.
+Use the "plugin.disable_full_page_plugin_for_types" preference to set and lock the following extensions so that an external application, rather than an add-on or plugin, will not be used:
+PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP.</fixtext><fix id="F-24819r531292_fix" /><check system="C-24831r531291_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Open a browser window, type "about:config" in the address bar.
+Criteria: If the “plugin.disable_full_page_plugin_for_types” value is not set to include the following external extensions and not locked, this is a finding:
+PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP.</check-content></check></Rule></Group><Group id="V-223159"><title>SRG-APP-000210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223159r612236_rule" weight="10.0" severity="medium"><version>DTBF120</version><title>FireFox plug-in for ActiveX controls is installed.</title><description>&lt;VulnDiscussion&gt;When an ActiveX control is referenced in an HTML document, MS Windows checks to see if
+the control already resides on the client machine. If not, the control can be downloaded from a
+remote web site. This provides an automated delivery method for mobile code.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16712</ident><ident system="http://cyber.mil/legacy">V-15773</ident><ident system="http://cyber.mil/cci">CCI-001170</ident><fixtext fixref="F-24820r531295_fix">Remove/uninstall the Mozilla ActiveX plugin </fixtext><fix id="F-24820r531295_fix" /><check system="C-24832r531294_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Open a browser window, type "about:plugins" in the address bar.
+
+Criteria: If the Mozilla ActiveX control and plugin support is present and enabled, then this is a finding.
+</check-content></check></Rule></Group><Group id="V-223160"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223160r612236_rule" weight="10.0" severity="medium"><version>DTBF140</version><title>Firefox formfill assistance option is disabled.</title><description>&lt;VulnDiscussion&gt;In order to protect privacy and sensitive data, Firefox provides the ability to configure Firefox such that data entered into forms is not saved. This mitigates the risk of a website gleaning private information from prefilled information.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16713</ident><ident system="http://cyber.mil/legacy">V-15774</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24821r531298_fix">Ensure the preference “browser.formfill.enable" is set and locked to the value of “false”.</fixtext><fix id="F-24821r531298_fix" /><check system="C-24833r531297_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar, verify that the preference name “browser.formfill.enable" is set to “false” and locked.
+
+Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
+</check-content></check></Rule></Group><Group id="V-223161"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223161r612236_rule" weight="10.0" severity="medium"><version>DTBF150</version><title>Firefox is configured to autofill passwords.</title><description>&lt;VulnDiscussion&gt;While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts. &lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16714</ident><ident system="http://cyber.mil/legacy">V-15775</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24822r531301_fix">Ensure the preference "signon.autofillForms" is set and locked to the value of “false”.</fixtext><fix id="F-24822r531301_fix" /><check system="C-24834r531300_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>In About:Config, verify that the preference name “signon.autofillForms“ is set to “false” and locked.
+Criteria: If the parameter is set incorrectly, this is a finding.
+If the setting is not locked, this is a finding.</check-content></check></Rule></Group><Group id="V-223162"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223162r612236_rule" weight="10.0" severity="medium"><version>DTBF160</version><title>FireFox is configured to use a password store with or without a master password.</title><description>&lt;VulnDiscussion&gt;Firefox can be set to store passwords for sites visited by the user. These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then be enabled when the site is visited. This feature could also be used to autofill the certificate pin which could lead to compromise of DoD information.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16715</ident><ident system="http://cyber.mil/legacy">V-15776</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24823r531304_fix">Ensure the preference “signon.rememberSignons“ is set and locked to the value of “false”.</fixtext><fix id="F-24823r531304_fix" /><check system="C-24835r531303_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the browser window. 
Verify that the preference name “signon.rememberSignons" is set and locked to “false”.
+
+Criteria: If the parameter is set incorrectly, then this is a finding.
+
+If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223163"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223163r612236_rule" weight="10.0" severity="medium"><version>DTBF180</version><title>FireFox is not configured to block pop-up windows.</title><description>&lt;VulnDiscussion&gt;Popup windows may be used to launch an attack within a new browser window with altered settings. This setting blocks popup windows created while the page is loading.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16717</ident><ident system="http://cyber.mil/legacy">V-15778</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24824r531307_fix">Ensure the preference "dom.disable_window_open_feature.status " is set and locked to the value of “true”.</fixtext><fix id="F-24824r531307_fix" /><check system="C-24836r531306_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>In About:Config, verify that the preference name “dom.disable_window_open_feature.status " is set to “true” and locked.
+
+Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
+</check-content></check></Rule></Group><Group id="V-223164"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223164r612236_rule" weight="10.0" severity="medium"><version>DTBF181</version><title>FireFox is configured to allow JavaScript to move or resize windows.
+</title><description>&lt;VulnDiscussion&gt;JavaScript can make changes to the browsers appearance. This activity can help disguise an attack taking place in a minimized background window. Set browser setting to prevent scripts on visited websites from moving and resizing browser windows. &lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16718</ident><ident system="http://cyber.mil/legacy">V-15779</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24825r531310_fix">Ensure the preference "dom.disable_window_move_resize" is set and locked to the value of “true”.</fixtext><fix id="F-24825r531310_fix" /><check system="C-24837r531309_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>In About:Config, verify that the preference name “dom.disable_window_move_resize" is set and locked to “true”.
+
+Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
+</check-content></check></Rule></Group><Group id="V-223165"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223165r612236_rule" weight="10.0" severity="medium"><version>DTBF182</version><title>Firefox is configured to allow JavaScript to raise or lower windows.</title><description>&lt;VulnDiscussion&gt;JavaScript can make changes to the browsers appearance. Allowing a website to use JavaScript to raise and lower browser windows may disguise an attack. Browser windows may not be set as active via JavaScript.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16927</ident><ident system="http://cyber.mil/legacy">V-15985</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24826r531313_fix">Ensure the preference "dom.disable_window_flip" is set and locked to the value of “true”.</fixtext><fix id="F-24826r531313_fix" /><check system="C-24838r531312_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>In About:Config, verify that the preference name “dom.disable_window_flip" is set and locked to “true”.
+
+Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223166"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223166r612236_rule" weight="10.0" severity="medium"><version>DTBF183</version><title>Firefox is configured to allow JavaScript to disable or replace context menus.</title><description>&lt;VulnDiscussion&gt;A context menu (also known as a pop-up menu) is often used in a graphical user interface (GUI) and appears upon user interaction (e.g., a right mouse click). A context menu offers a limited set of choices that are available in the current state, or context, of the operating system or application. A website may execute JavaScript that can make changes to these context menus. This can help disguise an attack. Set this preference to "false" so that webpages will not be able to affect the context menu event.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16928</ident><ident system="http://cyber.mil/legacy">V-15986</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24827r531316_fix">Ensure the preferences "dom.event.contextmenu.enabled" is set 
and locked to "false".</fixtext><fix id="F-24827r531316_fix" /><check system="C-24839r531315_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar of the browser.
+
+Verify that the preferences "dom.event.contextmenu.enabled" is set and locked to "false".
+
+Criteria: If the parameter is set incorrectly, then this is a finding.
+
+If the setting is not locked, this is a finding.</check-content></check></Rule></Group><Group id="V-223167"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223167r612236_rule" weight="10.0" severity="medium"><version>DTBF186</version><title>Extensions install must be disabled.</title><description>&lt;VulnDiscussion&gt;A browser extension is a program that has been installed into the browser which adds functionality to it. Where a plug-in interacts only with a web page and usually a third party external application (Flash, Adobe Reader) an extension interacts with the browser program itself. Extensions are not embedded in web pages and must be downloaded and installed in order to work. Extensions allow browsers to avoid restrictions which apply to web pages. For example, an extension can be written to combine data from multiple domains and present it when a certain page is accessed which can be considered Cross Site Scripting. 
If a browser is configured to allow unrestricted use of extension then plug-ins can be loaded and installed from malicious sources and used on the browser.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-79381</ident><ident system="http://cyber.mil/legacy">V-64891</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24828r531319_fix">Set the preference “xpinstall.enabled” to “false” and lock using the “mozilla.cfg” file. The “mozilla.cfg” file may need to be created if it does not already exist.</fixtext><fix id="F-24828r531319_fix" /><check system="C-24840r531318_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Open a browser window, type "about:config" in the address bar, then navigate to the setting for Preference Name "xpinstall.enabled" and set the value to “false” and locked.
+
+Criteria: If the value of “xpinstall.enabled” is “false”, this is not a finding.
+
+If the value is locked, this is not a finding.
+</check-content></check></Rule></Group><Group id="V-223168"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223168r612236_rule" weight="10.0" severity="medium"><version>DTBF190</version><title>Background submission of information to Mozilla must be disabled.</title><description>&lt;VulnDiscussion&gt;There should be no background submission of technical and other information from DoD computers to Mozilla with portions posted publically.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-93759</ident><ident system="http://cyber.mil/legacy">V-79053</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24829r531322_fix">Ensure the preferences "datareporting.policy.dataSubmissionEnabled" is set and locked to "false".</fixtext><fix id="F-24829r531322_fix" /><check system="C-24841r531321_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar of the browser.
+Verify that the preference "datareporting.policy.dataSubmissionEnabled" is set and locked to "false". Otherwise, this is a finding.</check-content></check></Rule></Group><Group id="V-223169"><title>SRG-APP-000266</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223169r612236_rule" weight="10.0" severity="low"><version>DTBF195</version><title>Firefox Development Tools Must Be Disabled.</title><description>&lt;VulnDiscussion&gt;While the risk associated with browser development tools is more related to the proper design of a web application, a risk vector remains within the browser. The developer tools allow end users and application developers to view and edit all types of web application related data via the browser. Page elements, source code, javascript, API calls, application data, etc. may all be viewed and potentially manipulated. Manipulation could be useful for troubleshooting legitimate issues, and this may be performed in a development environment. 
Manipulation could also be malicious and must be addressed.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106633</ident><ident system="http://cyber.mil/legacy">V-97529</ident><ident system="http://cyber.mil/cci">CCI-001312</ident><fixtext fixref="F-24830r531325_fix">Set the value of "devtools.policy.disabled" to "true" using the Mozilla.cfg file, or the registry value of HKLM\Software\Policies\Mozilla\Firefox\DisableDeveloperTools to “1”</fixtext><fix id="F-24830r531325_fix" /><check system="C-24842r531324_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Procedure: Open a browser window, type "about:config" in the address bar.
+
+Criteria: If the value of "devtools.policy.disabled" is not "true", then this is a finding.</check-content></check></Rule></Group><Group id="V-223170"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223170r612236_rule" weight="10.0" severity="medium"><version>DTBF200</version><title>Telemetry must be disabled.</title><description>&lt;VulnDiscussion&gt;The Telemetry feature provides this capability by sending performance and usage info to Mozilla. As you use Firefox, Telemetry measures and collects non-personal information, such as performance, hardware, usage and customizations. It then sends this information to Mozilla on a daily basis and we use it to improve Firefox.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111837</ident><ident system="http://cyber.mil/legacy">V-102875</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24831r531328_fix">Ensure the preference “toolkit.telemetry.enabled" is set and locked to the value of “false”.</fixtext><fix id="F-24831r531328_fix" /><check system="C-24843r531327_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar, verify that the preference name 
“toolkit.telemetry.enabled" is set to “false” and locked.
+
+Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223171"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223171r612236_rule" weight="10.0" severity="medium"><version>DTBF205</version><title>Telemetry archive must be disabled.</title><description>&lt;VulnDiscussion&gt;The Telemetry feature provides this capability by sending performance and usage info to Mozilla. As you use Firefox, Telemetry measures and collects non-personal information, such as performance, hardware, usage and customizations. It then sends this information to Mozilla on a daily basis and we use it to improve Firefox.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111839</ident><ident system="http://cyber.mil/legacy">V-102877</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24832r531331_fix">Ensure the preference “toolkit.telemetry.archive.enabled" is set and locked to the value of “false”.</fixtext><fix id="F-24832r531331_fix" /><check system="C-24844r531330_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address 
bar, verify that the preference name “toolkit.telemetry.archive.enabled" is set to “false” and locked.
+
+Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223172"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223172r612236_rule" weight="10.0" severity="medium"><version>DTBF210</version><title>Fingerprinting protection must be enabled.</title><description>&lt;VulnDiscussion&gt;The Content Blocking/Tracking Protection feature stops Firefox from loading content from malicious sites. The content might be a script or an image, for example. If a site is on one of the tracker lists you set Firefox to use, then the fingerprinting script (or other tracking script/image) will not be loaded from that site.
+
+Fingerprinting scripts collect information about your browser and device configuration, such as your operating system, screen resolution, and other settings. By compiling these pieces of data, fingerprinters create a unique profile of you that can be used to track you around the Web.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111841</ident><ident system="http://cyber.mil/legacy">V-102879</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24833r531334_fix">Ensure the preference “privacy.trackingprotection.fingerprinting.enabled" is set and locked to the value of “true”.</fixtext><fix id="F-24833r531334_fix" /><check system="C-24845r531333_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar, verify that the preference name “privacy.trackingprotection.fingerprinting.enabled" is set to “true” and locked.
+
+Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223173"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223173r612236_rule" weight="10.0" severity="medium"><version>DTBF215</version><title>Cryptomining protection must be enabled.</title><description>&lt;VulnDiscussion&gt;The Content Blocking/Tracking Protection feature stops Firefox from loading content from malicious sites. The content might be a script or an image, for example. If a site is on one of the tracker lists you set Firefox to use, then the fingerprinting script (or other tracking script/image) will not be loaded from that site.
+
+Cryptomining scripts use your computers central processing unit (CPU) to invisibly mine cryptocurrency.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111843</ident><ident system="http://cyber.mil/legacy">V-102881</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24834r531337_fix">Ensure the preference “privacy.trackingprotection.cryptomining.enabled" is set and locked to the value of “true”.</fixtext><fix id="F-24834r531337_fix" /><check system="C-24846r531336_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar, verify that the preference name “privacy.trackingprotection.cryptomining.enabled" is set to “true” and locked.
+
+Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223174"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223174r612236_rule" weight="10.0" severity="medium"><version>DTBF220</version><title>Enhanced Tracking Protection must be enabled.</title><description>&lt;VulnDiscussion&gt;Tracking generally refers to content, cookies, or scripts that can collect your browsing data across multiple sites.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111845</ident><ident system="http://cyber.mil/legacy">V-102883</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24835r531340_fix">Ensure the preference “browser.contentblocking.category" is set and locked to the value of “strict”.</fixtext><fix id="F-24835r531340_fix" /><check system="C-24847r531339_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar, verify that the preference name “browser.contentblocking.category" is set to “strict” and locked.
+
+Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223175"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223175r612236_rule" weight="10.0" severity="medium"><version>DTBF225</version><title>Extension recommendations must be disabled.</title><description>&lt;VulnDiscussion&gt;The Recommended Extensions program will make it easier for users to discover extensions that have been reviewed for security, functionality, and user experience.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111847</ident><ident system="http://cyber.mil/legacy">V-102885</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24836r531343_fix">Ensure the preference “extensions.htmlaboutaddons.recommendations.enabled" is set and locked to the value of “false”.</fixtext><fix id="F-24836r531343_fix" /><check system="C-24848r531342_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar, verify that the preference name “extensions.htmlaboutaddons.recommendations.enabled" is set to “false” and locked.
+
+Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223177"><title>SRG-APP-000560</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223177r612236_rule" weight="10.0" severity="medium"><version>DTBF235</version><title>Deprecated ciphers must be disabled.</title><description>&lt;VulnDiscussion&gt;A weak cipher is defined as an encryption/decryption algorithm that uses a key of insufficient length. Using an insufficient length for a key in an encryption/decryption algorithm opens up the possibility (or probability) that the encryption scheme could be broken.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111851</ident><ident system="http://cyber.mil/legacy">V-102889</ident><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-24838r531349_fix">Ensure the preference “security.ssl3.rsa_des_ede3_sha" is set and locked to the value of “false”.</fixtext><fix id="F-24838r531349_fix" /><check system="C-24850r531348_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar, verify that the preference name 
“security.ssl3.rsa_des_ede3_sha" is set to “false” and locked.
+
+Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223179"><title>SRG-APP-000175</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223179r612236_rule" weight="10.0" severity="medium"><version>DTBG010</version><title>The DOD Root Certificate is not installed.</title><description>&lt;VulnDiscussion&gt;The DOD root certificate will ensure that the trust chain is established for server certificate issued from the DOD CA.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-6318</ident><ident system="http://cyber.mil/legacy">SV-33373</ident><ident system="http://cyber.mil/cci">CCI-000185</ident><fixtext fixref="F-24840r531354_fix">Install the DOD root certificates.</fixtext><fix id="F-24840r531354_fix" /><check system="C-24852r531353_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Navigate to Tools &gt;&gt; Options &gt;&gt; Advanced &gt;&gt; Certificates tab &gt;&gt; View Certificates button. On the Certificate Manager window, select the "Authorities" tab. Scroll through the Certificate Name list to the U.S. Government heading. 
Look for the entries for DoD Root CA 2, DoD Root CA 3, and DoD Root CA 4.
+
+If there are entries for DoD Root CA 2, DoD Root CA 3, and DoD Root CA 4, select them individually.
+
+Click the "View" button.
+
+Verify the publishing organization is "US Government."
+
+If there are no entries for the DoD Root CA 2, DoD Root CA 3, and DoD Root CA 4, this is a finding.
+
+Note: In a Windows environment, use of policy setting "security.enterprise_roots.enabled=true" will point Firefox to the Windows Trusted Root Certification Authority Store, this is not a finding.</check-content></check></Rule></Group></Benchmark>
\ No newline at end of file
From 7288ed4aa434af8214a6fef5e6f7f17487773ccc Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 26 Jul 2021 18:09:20 +0200
Subject: [PATCH 07/10] Update DISA STIG JRE manual benchmark file.
---
.../disa-stig-jre8-unix-v1r3-xccdf-manual.xml | 270 -----------------
.../disa-stig-jre8-unix-v2r1-xccdf-manual.xml | 272 ++++++++++++++++++
2 files changed, 272 insertions(+), 270 deletions(-)
delete mode 100644 shared/references/disa-stig-jre8-unix-v1r3-xccdf-manual.xml
create mode 100644 shared/references/disa-stig-jre8-unix-v2r1-xccdf-manual.xml
diff --git a/shared/references/disa-stig-jre8-unix-v1r3-xccdf-manual.xml b/shared/references/disa-stig-jre8-unix-v1r3-xccdf-manual.xml
deleted file mode 100644
index 0e2deaaa779..00000000000
--- a/shared/references/disa-stig-jre8-unix-v1r3-xccdf-manual.xml
+++ /dev/null
@@ -1,270 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" id="JRE_8_and_UNIX_STIG" xml:lang="en" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2017-09-27">accepted</status><title>Java Runtime Environment (JRE) version 8 STIG for Unix</title><description>The Java Runtime Environment (JRE) is a bundle developed and offered by Oracle Corporation which includes the Java Virtual Machine (JVM), class libraries, and other components necessary to run Java applications and applets. Certain default settings within the JRE pose a security risk so it is necessary to deploy system wide properties to ensure a higher degree of security when utilizing the JRE.</description><notice id="terms-of-use" xml:lang="en"></notice><reference href="http://iase.disa.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 3 Benchmark Date: 27 Oct 2017</plain-text><version>1</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-66721" selected="true" /><select idref="V-66909" selected="true" /><select idref="V-66911" selected="true" /><select idref="V-66913" selected="true" /><select idref="V-66915" selected="true" /><select idref="V-66917" selected="true" /><select idref="V-66919" selected="true" /><select idref="V-66921" selected="true" /><select idref="V-66923" selected="true" /><select idref="V-66925" selected="true" 
/><select idref="V-66927" selected="true" /><select idref="V-66929" selected="true" /><select idref="V-66931" selected="true" /><select idref="V-66933" selected="true" /><select idref="V-66935" selected="true" /><select idref="V-66937" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-66721" selected="true" /><select idref="V-66909" selected="true" /><select idref="V-66911" selected="true" /><select idref="V-66913" selected="true" /><select idref="V-66915" selected="true" /><select idref="V-66917" selected="true" /><select idref="V-66919" selected="true" /><select idref="V-66921" selected="true" /><select idref="V-66923" selected="true" /><select idref="V-66925" selected="true" /><select idref="V-66927" selected="true" /><select idref="V-66929" selected="true" /><select idref="V-66931" selected="true" /><select idref="V-66933" selected="true" /><select idref="V-66935" selected="true" /><select idref="V-66937" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-66721" selected="true" /><select idref="V-66909" selected="true" /><select idref="V-66911" selected="true" /><select idref="V-66913" selected="true" /><select idref="V-66915" selected="true" /><select idref="V-66917" selected="true" /><select idref="V-66919" selected="true" /><select idref="V-66921" selected="true" /><select idref="V-66923" selected="true" /><select idref="V-66925" selected="true" /><select idref="V-66927" selected="true" /><select idref="V-66929" selected="true" /><select idref="V-66931" selected="true" /><select idref="V-66933" selected="true" /><select idref="V-66935" selected="true" /><select idref="V-66937" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support 
Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-66721" selected="true" /><select idref="V-66909" selected="true" /><select idref="V-66911" selected="true" /><select idref="V-66913" selected="true" /><select idref="V-66915" selected="true" /><select idref="V-66917" selected="true" /><select idref="V-66919" selected="true" /><select idref="V-66921" selected="true" /><select idref="V-66923" selected="true" /><select idref="V-66925" selected="true" /><select idref="V-66927" selected="true" /><select idref="V-66929" selected="true" /><select idref="V-66931" selected="true" /><select idref="V-66933" selected="true" /><select idref="V-66935" selected="true" /><select idref="V-66937" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-66721" selected="true" /><select idref="V-66909" selected="true" /><select idref="V-66911" selected="true" /><select idref="V-66913" selected="true" /><select idref="V-66915" selected="true" /><select idref="V-66917" selected="true" /><select idref="V-66919" selected="true" /><select idref="V-66921" selected="true" /><select idref="V-66923" selected="true" /><select idref="V-66925" selected="true" /><select idref="V-66927" selected="true" /><select idref="V-66929" selected="true" /><select idref="V-66931" selected="true" /><select idref="V-66933" selected="true" /><select idref="V-66935" selected="true" /><select idref="V-66937" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-66721" selected="true" /><select idref="V-66909" selected="true" /><select idref="V-66911" selected="true" /><select idref="V-66913" selected="true" /><select idref="V-66915" selected="true" /><select idref="V-66917" 
selected="true" /><select idref="V-66919" selected="true" /><select idref="V-66921" selected="true" /><select idref="V-66923" selected="true" /><select idref="V-66925" selected="true" /><select idref="V-66927" selected="true" /><select idref="V-66929" selected="true" /><select idref="V-66931" selected="true" /><select idref="V-66933" selected="true" /><select idref="V-66935" selected="true" /><select idref="V-66937" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-66721" selected="true" /><select idref="V-66909" selected="true" /><select idref="V-66911" selected="true" /><select idref="V-66913" selected="true" /><select idref="V-66915" selected="true" /><select idref="V-66917" selected="true" /><select idref="V-66919" selected="true" /><select idref="V-66921" selected="true" /><select idref="V-66923" selected="true" /><select idref="V-66925" selected="true" /><select idref="V-66927" selected="true" /><select idref="V-66929" selected="true" /><select idref="V-66931" selected="true" /><select idref="V-66933" selected="true" /><select idref="V-66935" selected="true" /><select idref="V-66937" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-66721" selected="true" /><select idref="V-66909" selected="true" /><select idref="V-66911" selected="true" /><select idref="V-66913" selected="true" /><select idref="V-66915" selected="true" /><select idref="V-66917" selected="true" /><select idref="V-66919" selected="true" /><select idref="V-66921" selected="true" /><select idref="V-66923" selected="true" /><select idref="V-66925" selected="true" /><select idref="V-66927" selected="true" /><select idref="V-66929" selected="true" /><select idref="V-66931" selected="true" /><select 
idref="V-66933" selected="true" /><select idref="V-66935" selected="true" /><select idref="V-66937" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-66721" selected="true" /><select idref="V-66909" selected="true" /><select idref="V-66911" selected="true" /><select idref="V-66913" selected="true" /><select idref="V-66915" selected="true" /><select idref="V-66917" selected="true" /><select idref="V-66919" selected="true" /><select idref="V-66921" selected="true" /><select idref="V-66923" selected="true" /><select idref="V-66925" selected="true" /><select idref="V-66927" selected="true" /><select idref="V-66929" selected="true" /><select idref="V-66931" selected="true" /><select idref="V-66933" selected="true" /><select idref="V-66935" selected="true" /><select idref="V-66937" selected="true" /></Profile><Group id="V-66721"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-81211r1_rule" severity="medium" weight="10.0"><version>JRE8-UX-000010</version><title>Oracle JRE 8 must have a deployment.config file present.</title><description>&lt;VulnDiscussion&gt;By default no deployment.config file exists; thus, no system-wide deployment.properties file exists. The file must be created. The deployment.config file is used for specifying the location and execution of system-level properties for the Java Runtime Environment. 
Without the deployment.config file, setting particular options for the Java control panel is impossible.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JRE 8 (1.8)</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JRE 8 (1.8)</dc:subject><dc:identifier>3045</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-72821r1_fix">Create a JRE deployment configuration file as indicated:
-
-/etc/.java/deployment/deployment.config</fixtext><fix id="F-72821r1_fix" /><check system="C-67371r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JRE 8 and UNIX STIG.xml" /><check-content>Verify a JRE deployment configuration file exists as indicated:
-
-/etc/.java/deployment/deployment.config
-
-If the configuration file does not exist as indicated, this is a finding.</check-content></check></Rule></Group><Group id="V-66909"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-81399r2_rule" severity="medium" weight="10.0"><version>JRE8-UX-000020</version><title>Oracle JRE 8 deployment.config file must contain proper keys and values.</title><description>&lt;VulnDiscussion&gt;The deployment.config configuration file contains two keys.
-
-The "deployment.properties" key includes the path of the "deployment.properties" file and the "deployment.properties.mandatory" key contains either a TRUE or FALSE value.
-
-If the path specified to "deployment.properties" does not lead to a "deployment.properties" file, the value of the “deployment.system.config.mandatory” key determines how JRE will handle the situation.
-
-If the value of the "deployment.system.config.mandatory" key is TRUE and if the path to the "deployment.properties" file is invalid, the JRE will not allow Java applications to run. This is the desired behavior.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JRE 8 (1.8)</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JRE 8 (1.8)</dc:subject><dc:identifier>3045</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-73009r2_fix">Navigate to the “deployment.config” file for JRE:
-
-/etc/.java/deployment/deployment.config
-
-Add the key “deployment.system.config=&lt;Path to deployment.properties&gt;” to the deployment.config file. The following is an example:
-“deployment.system.config=/etc/.java/deployment/deployment.properties". Note the use of forward slashes.
-
-Add the key “deployment.system.config.mandatory=true” to the deployment.config file.</fixtext><fix id="F-73009r2_fix" /><check system="C-67545r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JRE 8 and UNIX STIG.xml" /><check-content>Navigate to the “deployment.config” file for JRE:
-
-/etc/.java/deployment/deployment.config
-
-The deployment.config file contains two properties: deployment.system.config and deployment.system.config.mandatory.
-
-The "deployment.system.config" key points to the location of the deployment.properties file. The location is variable. It can point to a file on the local disk, or a UNC path. The following is an example:
-“deployment.system.config=/etc/.java/deployment/deployment.properties"
-
-If the “deployment.system.config” key does not exist or does not point to the location of the deployment.properties file, this is a finding.
-
-If the “deployment.system.config.mandatory” key does not exist or is set to false, this is a finding.</check-content></check></Rule></Group><Group id="V-66911"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-81401r1_rule" severity="medium" weight="10.0"><version>JRE8-UX-000030</version><title>Oracle JRE 8 must have a deployment.properties file present.</title><description>&lt;VulnDiscussion&gt;By default no deployment.properties file exists; thus, no system-wide deployment exists. The file must be created. The deployment.properties file is used for specifying keys for the Java Runtime Environment. Each option in the Java control panel is represented by property keys. These keys adjust the options in the Java control panel based on the value assigned to that key. Without the deployment.properties file, setting particular options for the Java control panel is impossible.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JRE 8 (1.8)</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JRE 8 (1.8)</dc:subject><dc:identifier>3045</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-73011r1_fix">Create the Java deployment properties file “/etc/.java/deployment/deployment.properties”</fixtext><fix id="F-73011r1_fix" /><check system="C-67547r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JRE 8 and UNIX STIG.xml" 
/><check-content>Navigate to the system-level “deployment.properties” file for JRE.
-
- /etc/.java/deployment/deployment.properties
-
-If there is no file entitled “deployment.properties”, this is a finding.</check-content></check></Rule></Group><Group id="V-66913"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-81403r1_rule" severity="low" weight="10.0"><version>JRE8-UX-000060</version><title>Oracle JRE 8 must default to the most secure built-in setting.</title><description>&lt;VulnDiscussion&gt;Applications that are signed with a valid certificate and include the permissions attribute in the manifest for the main JAR file are allowed to run with security prompts. All other applications are blocked. Unsigned applications could perform numerous types of attacks on a system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JRE 8 (1.8)</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JRE 8 (1.8)</dc:subject><dc:identifier>3045</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-73013r1_fix">Navigate to the system-level “deployment.properties” file for JRE.
-
- /etc/.java/deployment/deployment.properties
-
-Add the key “deployment.security.level=VERY_HIGH” to the deployment.properties file.
-Add the key “deployment.security.level.locked” to the deployment.properties file.</fixtext><fix id="F-73013r1_fix" /><check system="C-67549r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JRE 8 and UNIX STIG.xml" /><check-content>Navigate to the system-level “deployment.properties” file for JRE.
-
- /etc/.java/deployment/deployment.properties
-
-If the key “deployment.security.level=VERY_HIGH” is not present in the deployment.properties file, or is set to “HIGH”, this is a finding.
-
-If the key “deployment.security.level.locked” is not present in the deployment.properties file, this is a finding.</check-content></check></Rule></Group><Group id="V-66915"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-81405r1_rule" severity="medium" weight="10.0"><version>JRE8-UX-000070</version><title>Oracle JRE 8 must be set to allow Java Web Start (JWS) applications.</title><description>&lt;VulnDiscussion&gt;Java Web Start (JWS) applications are the most commonly used. Denying these applications could be detrimental to the user experience. Whitelisting, blacklisting, and signing of applications help mitigate the risk of running JWS applications.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JRE 8 (1.8)</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JRE 8 (1.8)</dc:subject><dc:identifier>3045</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-73015r1_fix">Navigate to the system-level “deployment.properties” file for JRE.
-
- /etc/.java/deployment/deployment.properties
-
-Add the key “deployment.webjava.enabled=true” to the deployment.properties file.
-
-Add the key “deployment.webjava.enabled.locked” to the deployment.properties file.</fixtext><fix id="F-73015r1_fix" /><check system="C-67551r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JRE 8 and UNIX STIG.xml" /><check-content>Navigate to the system-level “deployment.properties” file for JRE.
-
- /etc/.java/deployment/deployment.properties
-
-If the key “deployment.webjava.enabled=true” is not present in the deployment.properties file, or is set to “false”, this is a finding.
-
-If the key “deployment.webjava.enabled.locked” is not present in the deployment.properties file, this is a finding.</check-content></check></Rule></Group><Group id="V-66917"><title>SRG-APP-000112</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-81407r1_rule" severity="medium" weight="10.0"><version>JRE8-UX-000080</version><title>Oracle JRE 8 must disable the dialog enabling users to grant permissions to execute signed content from an untrusted authority.</title><description>&lt;VulnDiscussion&gt;Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from untrusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JRE 8 (1.8)</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JRE 8 (1.8)</dc:subject><dc:identifier>3045</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001695</ident><fixtext fixref="F-73017r1_fix">If the system is on the SIPRNet, this requirement is NA.
-
-Disable the “Allow user to grant permissions to content from an untrusted authority” feature.
-
-Navigate to the system-level “deployment.properties” file for JRE.
-
- /etc/.java/deployment/deployment.properties
-
-Add the key “deployment.security.askgrantdialog.notinca=false” to the deployment.properties file.
-Add the key “deployment.security.askgrantdialog.notinca.locked” to the deployment.properties file.</fixtext><fix id="F-73017r1_fix" /><check system="C-67553r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JRE 8 and UNIX STIG.xml" /><check-content>If the system is on the SIPRNet, this requirement is NA.
-
-Navigate to the system-level “deployment.properties” file for Java.
-
- /etc/.java/deployment/deployment.properties
-
-If the key, “deployment.security.askgrantdialog.notinca=false” is not present, this is a finding.
-
-If the key, “deployment.security.askgrantdialog.notinca.locked” is not present, this is a finding.
-
-If the key “deployment.security.askgrantdialog.notinca” exists and is set to true, this is a finding.</check-content></check></Rule></Group><Group id="V-66919"><title>SRG-APP-000112</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-81409r1_rule" severity="medium" weight="10.0"><version>JRE8-UX-000090</version><title>Oracle JRE 8 must lock the dialog enabling users to grant permissions to execute signed content from an untrusted authority.</title><description>&lt;VulnDiscussion&gt;Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from untrusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service.
-
-Ensuring users cannot change settings contributes to a more consistent security profile.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JRE 8 (1.8)</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JRE 8 (1.8)</dc:subject><dc:identifier>3045</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001695</ident><fixtext fixref="F-73019r1_fix">If the system is on the SIPRNet, this requirement is NA.
-
-Lock the “Allow user to grant permissions to content from an untrusted authority” feature.
-
-Navigate to the system-level “deployment.properties” file for JRE.
-
- /etc/.java/deployment/deployment.properties
-
-Add the key “deployment.security.askgrantdialog.show=false” to the deployment.properties file.
-Add the key “deployment.security.askgrantdialog.show.locked” to the deployment.properties file.</fixtext><fix id="F-73019r1_fix" /><check system="C-67555r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JRE 8 and UNIX STIG.xml" /><check-content>If the system is on the SIPRNet, this requirement is NA.
-
-Navigate to the system-level “deployment.properties” file for JRE.
-
- /etc/.java/deployment/deployment.properties
-
-If the key, “deployment.security.askgrantdialog.show=false” is not present, this is a finding.
-
-If the key, “deployment.security.askgrantdialog.show.locked” is not present, this is a finding.
-
-If the key “deployment.security.askgrantdialog.show” exists and is set to true, this is a finding.</check-content></check></Rule></Group><Group id="V-66921"><title>SRG-APP-000175</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-81411r1_rule" severity="medium" weight="10.0"><version>JRE8-UX-000100</version><title>Oracle JRE 8 must set the option to enable online certificate validation.</title><description>&lt;VulnDiscussion&gt;Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as “current”, “expired”, or “unknown”. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware, system modification, invasion of privacy, and denial of service.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JRE 8 (1.8)</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JRE 8 (1.8)</dc:subject><dc:identifier>3045</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000185</ident><fixtext fixref="F-73021r2_fix">If the system is on the SIPRNet, this requirement is NA.
-
-Navigate to the system-level “deployment.properties” file for JRE.
-
-/etc/.java/deployment/deployment.properties
-
-Add the key “deployment.security.validation.ocsp=true” to the deployment.properties file.
-
-Add the key “deployment.security.validation.ocsp.locked” to the deployment.properties file.</fixtext><fix id="F-73021r2_fix" /><check system="C-67557r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JRE 8 and UNIX STIG.xml" /><check-content>If the system is on the SIPRNet, this requirement is NA.
-
-Navigate to the system-level “deployment.properties” file for JRE.
-
- /etc/.java/deployment/deployment.properties
-
-If the key “deployment.security.validation.ocsp=true” is not present in the deployment.properties file, this is a finding.
-
-If the key “deployment.security.validation.ocsp.locked” is not present in the deployment.properties file, this is a finding.
-
-If the key “deployment.security.validation.ocsp” is set to “false”, this is a finding.</check-content></check></Rule></Group><Group id="V-66923"><title>SRG-APP-000209</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-81413r1_rule" severity="medium" weight="10.0"><version>JRE8-UX-000110</version><title>Oracle JRE 8 must prevent the download of prohibited mobile code.</title><description>&lt;VulnDiscussion&gt;Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously.
-
-Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient.
-
-Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed, downloaded, or executed on all endpoints (e.g., servers, workstations, and smart phones). This requirement applies to applications that execute, evaluate, or otherwise process mobile code (e.g., web applications, browsers, and anti-virus applications).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JRE 8 (1.8)</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JRE 8 (1.8)</dc:subject><dc:identifier>3045</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001169</ident><fixtext fixref="F-73023r2_fix">Navigate to the system-level “deployment.properties” file for JRE.
-
-/etc/.java/deployment/deployment.properties
-
-Add the key “deployment.security.blacklist.check=true” to the deployment.properties file.
-
-Add the key “deployment.security.blacklist.check.locked” to the deployment.properties file.</fixtext><fix id="F-73023r2_fix" /><check system="C-67559r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JRE 8 and UNIX STIG.xml" /><check-content>Navigate to the system-level “deployment.properties” file for JRE.
-
- /etc/.java/deployment/deployment.properties
-
-If the key “deployment.security.blacklist.check=true” is not present in the deployment.properties file, or is set to “false”, this is a finding.
-
-If the key “deployment.security.blacklist.check.locked” is not present in the deployment.properties file, this is a finding.</check-content></check></Rule></Group><Group id="V-66925"><title>SRG-APP-000386</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-81415r2_rule" severity="medium" weight="10.0"><version>JRE8-UX-000120</version><title>Oracle JRE 8 must enable the option to use an accepted sites list.</title><description>&lt;VulnDiscussion&gt;Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.
-
-The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
-
-Verification of whitelisted software can occur either prior to execution or at system startup.
-
-This requirement applies to configuration management applications or similar types of applications designed to manage system processes and configurations (e.g., HBSS and software wrappers).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JRE 8 (1.8)</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JRE 8 (1.8)</dc:subject><dc:identifier>3045</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001774</ident><fixtext fixref="F-73025r2_fix">Navigate to the system-level “deployment.properties” file for JRE.
-
- /etc/.java/deployment/deployment.properties
-
-Add the key “deployment.user.security.exception.sites=/etc/.java/deployment/exception.sites” to the deployment.properties file.</fixtext><fix id="F-73025r2_fix" /><check system="C-67561r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JRE 8 and UNIX STIG.xml" /><check-content>Navigate to the system-level “deployment.properties” file for JRE.
-
- /etc/.java/deployment/deployment.properties
-
-If the key “deployment.user.security.exception.sites” is not present in the deployment.properties file, this is a finding.
-
-If the key “deployment.user.security.exception.sites” is not set to the location of the exception.sites file, this is a finding.
-
-An example of a correct setting is:
-deployment.user.security.exception.sites=/etc/.java/deployment/exception.sites</check-content></check></Rule></Group><Group id="V-66927"><title>SRG-APP-000386</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-81417r1_rule" severity="medium" weight="10.0"><version>JRE8-UX-000130</version><title>Oracle JRE 8 must have an exception.sites file present.</title><description>&lt;VulnDiscussion&gt;Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.
-
-The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
-
-Verification of whitelisted software can occur either prior to execution or at system startup.
-
-This requirement applies to configuration management applications or similar types of applications designed to manage system processes and configurations (e.g., HBSS and software wrappers).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JRE 8 (1.8)</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JRE 8 (1.8)</dc:subject><dc:identifier>3045</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001774</ident><fixtext fixref="F-73027r2_fix">If the system is on the SIPRNet, this requirement is NA.
-
-Create the JRE exception.sites file:
-
-No default file exists. A text file named exception.sites, and the directory structure in which it is located must be manually created. The location must be aligned as defined in the deployment.properties file.
-
-/etc/.java/deployment/deployment.properties is an example.</fixtext><fix id="F-73027r2_fix" /><check system="C-67563r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JRE 8 and UNIX STIG.xml" /><check-content>If the system is on the SIPRNet, this requirement is NA.
-
-Navigate to the “exception.sites” file for Java:
-
- /etc/.java/deployment/exception.sites
-
-If the exception.sites file does not exist, it must be created. The exception.sites file is a text file containing single-line URLs for accepted risk sites. If there are no AO approved sites to be added to the configuration, it is acceptable for this file to be blank.
-
-If the “exception.sites” file does not exist, this is a finding.
-
-If the “exception.sites” file contains URLs that are not AO approved, this is a finding.</check-content></check></Rule></Group><Group id="V-66929"><title>SRG-APP-000401</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-81419r1_rule" severity="medium" weight="10.0"><version>JRE8-UX-000150</version><title>Oracle JRE 8 must enable the dialog to enable users to check publisher certificates for revocation.</title><description>&lt;VulnDiscussion&gt;A certificate revocation list is a directory which contains a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found on a CRL should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JRE 8 (1.8)</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JRE 8 (1.8)</dc:subject><dc:identifier>3045</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001991</ident><fixtext fixref="F-73029r2_fix">If the system is on the SIPRNet, this requirement is NA.
-
-Enable the “Check certificates for revocation using Certificate Revocation Lists (CRL)” option.
-
-Navigate to the system-level “deployment.properties” file for JRE.
-
-/etc/.java/deployment/deployment.properties
-
-Add the key “deployment.security.validation.crl=true” to the deployment.properties file.
-
-Add the key “deployment.security.validation.crl.locked” to the deployment.properties file.</fixtext><fix id="F-73029r2_fix" /><check system="C-67565r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JRE 8 and UNIX STIG.xml" /><check-content>If the system is on the SIPRNet, this requirement is NA.
-
-Navigate to the system-level “deployment.properties” file for JRE.
-
- /etc/.java/deployment/deployment.properties
-
-If the key “deployment.security.validation.crl=true” is not present in the deployment.properties file, or is set to “false”, this is a finding.
-
-If the key “deployment.security.validation.crl.locked” is not present in the deployment.properties file, this is a finding.</check-content></check></Rule></Group><Group id="V-66931"><title>SRG-APP-000401</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-81421r1_rule" severity="medium" weight="10.0"><version>JRE8-UX-000160</version><title>Oracle JRE 8 must lock the option to enable users to check publisher certificates for revocation.</title><description>&lt;VulnDiscussion&gt;Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found revoked on a CRL or via Online Certificate Status Protocol (OCSP) should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service.
-
-Ensuring users cannot change these settings assures a more consistent security profile.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JRE 8 (1.8)</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JRE 8 (1.8)</dc:subject><dc:identifier>3045</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001991</ident><fixtext fixref="F-73031r2_fix">If the system is on the SIPRNet, this requirement is NA.
-
-Navigate to the system-level “deployment.properties” file for JRE.
-
-/etc/.java/deployment/deployment.properties
-
-Add the key “deployment.security.revocation.check=ALL_CERTIFICATES” to the deployment.properties file.
-
-Add the key “deployment.security.revocation.check.locked” to the deployment.properties file.</fixtext><fix id="F-73031r2_fix" /><check system="C-67567r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JRE 8 and UNIX STIG.xml" /><check-content>If the system is on the SIPRNet, this requirement is NA.
-
-Navigate to the system-level “deployment.properties” file for JRE.
-
- /etc/.java/deployment/deployment.properties
-
-If the key “deployment.security.revocation.check=ALL_CERTIFICATES” is not present, or is set to “PUBLISHER_ONLY”, or “NO_CHECK”, this is a finding.
-
-If the key “deployment.security.revocation.check.locked” is not present, this is a finding.</check-content></check></Rule></Group><Group id="V-66933"><title>SRG-APP-000488</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-81423r1_rule" severity="medium" weight="10.0"><version>JRE8-UX-000170</version><title>Oracle JRE 8 must prompt the user for action prior to executing mobile code.</title><description>&lt;VulnDiscussion&gt;Mobile code can cause damage to the system. It can execute without explicit action from, or notification to, a user.
-
-Actions enforced before executing mobile code include, for example, prompting users prior to opening email attachments and disabling automatic execution.
-
-This requirement applies to mobile code-enabled software, which is capable of executing one or more types of mobile code.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JRE 8 (1.8)</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JRE 8 (1.8)</dc:subject><dc:identifier>3045</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002460</ident><fixtext fixref="F-73033r2_fix">Navigate to the system-level “deployment.properties” file for JRE.
-
-/etc/.java/deployment/deployment.properties
-
-Add the key “deployment.insecure.jres=PROMPT” to the deployment.properties file.
-
-Add the key “deployment.insecure.jres.locked” to the deployment.properties file.</fixtext><fix id="F-73033r2_fix" /><check system="C-67569r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JRE 8 and UNIX STIG.xml" /><check-content>Navigate to the system-level “deployment.properties” file for JRE.
-
- /etc/.java/deployment/deployment.properties
-
-If the key “deployment.insecure.jres=PROMPT” is not present in the deployment.properties file, this is a finding.
-
-If the key “deployment.insecure.jres.locked” is not present in the deployment.properties file, this is a finding.
-
-If the key “deployment.insecure.jres” is set to “NEVER”, this is a finding.</check-content></check></Rule></Group><Group id="V-66935"><title>SRG-APP-000454</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-81425r1_rule" severity="medium" weight="10.0"><version>JRE8-UX-000190</version><title>Oracle JRE 8 must remove previous versions when the latest version is installed.</title><description>&lt;VulnDiscussion&gt;Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JRE 8 (1.8)</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JRE 8 (1.8)</dc:subject><dc:identifier>3045</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002617</ident><fixtext fixref="F-73035r1_fix">Remove previous versions of JRE.
-
-RPM uninstall:
-# rpm -e jre-&lt;version&gt;-fcs
-
-Self-extracting file uninstall:
-# rm -r jre&lt;version&gt;
-
-Perform for all out of date instances of JRE.</fixtext><fix id="F-73035r1_fix" /><check system="C-67571r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JRE 8 and UNIX STIG.xml" /><check-content>Review the system configuration to ensure old versions of JRE have been removed.
-
-There are two ways to uninstall Java. Use the method that you used when you installed Java. For example, if you used RPM to install Java, then use the RPM uninstall method.
-
-If RPM is installed, first query to ascertain that JRE was installed using RPM.
-
-Search for the JRE package by typing:
-# rpm -qa | grep -i jre
-
-If RPM reports a package similar to jre-&lt;version&gt;-fcs, then JRE is installed with RPM. If JRE is not installed using RPM, skip to "Self-extracting file uninstall".
-
-To uninstall Java via RPM, type:
-# rpm -e jre-&lt;version&gt;-fcs
-
-Self-extracting file uninstall:
-1. Browse folders to ascertain where JRE is installed. Common locations are /usr/java/jre_&lt;version&gt; or opt/jre_nb/jre_&lt;version&gt;/bin/java/
-2. When you have located the directory, you may delete the directory by using the following command:
-Note: Ensure JRE is not already installed using RPM before removing the directory.
-# rm -r /&lt;path to jre&gt;/jre&lt;version&gt;
-
-Ensure only one instance of JRE is installed on the system.
-
-# ps -ef | grep -I jre
-
-If more than one instance of JRE is running, this is a finding.</check-content></check></Rule></Group><Group id="V-66937"><title>SRG-APP-000456</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-81427r1_rule" severity="high" weight="10.0"><version>JRE8-UX-000180</version><title>The version of Oracle JRE 8 running on the system must be the most current available.</title><description>&lt;VulnDiscussion&gt;Oracle JRE 8 is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the JRE can introduce security vulnerabilities to the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JRE 8 (1.8)</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JRE 8 (1.8)</dc:subject><dc:identifier>3045</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002605</ident><fixtext fixref="F-73037r1_fix">Test applications to ensure operational compatibility with new version of Java.
-
-Install latest version of Oracle JRE 8.</fixtext><fix id="F-73037r1_fix" /><check system="C-67573r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JRE 8 and UNIX STIG.xml" /><check-content>Open a terminal window and type the command:
-"java -version" sans quotes.
-
-The return value should contain Java build information:
-
-"Java (TM) SE Runtime Environment (build x.x.x.x)"
-
-Cross reference the build information on the system with the Oracle Java site to identify the most recent build available.
-
-If the version of Oracle JRE 8 running on the system is out of date, this is a finding.</check-content></check></Rule></Group></Benchmark>
\ No newline at end of file
diff --git a/shared/references/disa-stig-jre8-unix-v2r1-xccdf-manual.xml b/shared/references/disa-stig-jre8-unix-v2r1-xccdf-manual.xml
new file mode 100644
index 00000000000..00186f35657
--- /dev/null
+++ b/shared/references/disa-stig-jre8-unix-v2r1-xccdf-manual.xml
@@ -0,0 +1,272 @@
+<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="JRE_8_and_Windows_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2020-12-16">accepted</status><title>Oracle Java Runtime Environment (JRE) Version 8 for Windows Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 1 Benchmark Date: 22 Jan 2021</plain-text><plain-text id="generator">3.2.1.41666</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>2</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234683" selected="true" /><select idref="V-234684" selected="true" /><select idref="V-234685" selected="true" /><select idref="V-234686" selected="true" /><select idref="V-234687" selected="true" /><select idref="V-234688" selected="true" /><select idref="V-234689" selected="true" /><select idref="V-234690" selected="true" /><select idref="V-234691" selected="true" /><select idref="V-234692" selected="true" /><select idref="V-234693" selected="true" /><select idref="V-234694" selected="true" /><select idref="V-234695" selected="true" /><select idref="V-234696" selected="true" /><select idref="V-234697" selected="true" /><select idref="V-234698" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234683" selected="true" /><select idref="V-234684" selected="true" /><select idref="V-234685" selected="true" /><select idref="V-234686" selected="true" /><select idref="V-234687" selected="true" /><select idref="V-234688" selected="true" /><select idref="V-234689" selected="true" /><select idref="V-234690" selected="true" /><select idref="V-234691" selected="true" /><select 
idref="V-234692" selected="true" /><select idref="V-234693" selected="true" /><select idref="V-234694" selected="true" /><select idref="V-234695" selected="true" /><select idref="V-234696" selected="true" /><select idref="V-234697" selected="true" /><select idref="V-234698" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234683" selected="true" /><select idref="V-234684" selected="true" /><select idref="V-234685" selected="true" /><select idref="V-234686" selected="true" /><select idref="V-234687" selected="true" /><select idref="V-234688" selected="true" /><select idref="V-234689" selected="true" /><select idref="V-234690" selected="true" /><select idref="V-234691" selected="true" /><select idref="V-234692" selected="true" /><select idref="V-234693" selected="true" /><select idref="V-234694" selected="true" /><select idref="V-234695" selected="true" /><select idref="V-234696" selected="true" /><select idref="V-234697" selected="true" /><select idref="V-234698" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234683" selected="true" /><select idref="V-234684" selected="true" /><select idref="V-234685" selected="true" /><select idref="V-234686" selected="true" /><select idref="V-234687" selected="true" /><select idref="V-234688" selected="true" /><select idref="V-234689" selected="true" /><select idref="V-234690" selected="true" /><select idref="V-234691" selected="true" /><select idref="V-234692" selected="true" /><select idref="V-234693" selected="true" /><select idref="V-234694" selected="true" /><select idref="V-234695" selected="true" /><select idref="V-234696" selected="true" /><select idref="V-234697" selected="true" /><select idref="V-234698" selected="true" 
/></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234683" selected="true" /><select idref="V-234684" selected="true" /><select idref="V-234685" selected="true" /><select idref="V-234686" selected="true" /><select idref="V-234687" selected="true" /><select idref="V-234688" selected="true" /><select idref="V-234689" selected="true" /><select idref="V-234690" selected="true" /><select idref="V-234691" selected="true" /><select idref="V-234692" selected="true" /><select idref="V-234693" selected="true" /><select idref="V-234694" selected="true" /><select idref="V-234695" selected="true" /><select idref="V-234696" selected="true" /><select idref="V-234697" selected="true" /><select idref="V-234698" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234683" selected="true" /><select idref="V-234684" selected="true" /><select idref="V-234685" selected="true" /><select idref="V-234686" selected="true" /><select idref="V-234687" selected="true" /><select idref="V-234688" selected="true" /><select idref="V-234689" selected="true" /><select idref="V-234690" selected="true" /><select idref="V-234691" selected="true" /><select idref="V-234692" selected="true" /><select idref="V-234693" selected="true" /><select idref="V-234694" selected="true" /><select idref="V-234695" selected="true" /><select idref="V-234696" selected="true" /><select idref="V-234697" selected="true" /><select idref="V-234698" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234683" selected="true" /><select idref="V-234684" selected="true" /><select idref="V-234685" selected="true" 
/><select idref="V-234686" selected="true" /><select idref="V-234687" selected="true" /><select idref="V-234688" selected="true" /><select idref="V-234689" selected="true" /><select idref="V-234690" selected="true" /><select idref="V-234691" selected="true" /><select idref="V-234692" selected="true" /><select idref="V-234693" selected="true" /><select idref="V-234694" selected="true" /><select idref="V-234695" selected="true" /><select idref="V-234696" selected="true" /><select idref="V-234697" selected="true" /><select idref="V-234698" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234683" selected="true" /><select idref="V-234684" selected="true" /><select idref="V-234685" selected="true" /><select idref="V-234686" selected="true" /><select idref="V-234687" selected="true" /><select idref="V-234688" selected="true" /><select idref="V-234689" selected="true" /><select idref="V-234690" selected="true" /><select idref="V-234691" selected="true" /><select idref="V-234692" selected="true" /><select idref="V-234693" selected="true" /><select idref="V-234694" selected="true" /><select idref="V-234695" selected="true" /><select idref="V-234696" selected="true" /><select idref="V-234697" selected="true" /><select idref="V-234698" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234683" selected="true" /><select idref="V-234684" selected="true" /><select idref="V-234685" selected="true" /><select idref="V-234686" selected="true" /><select idref="V-234687" selected="true" /><select idref="V-234688" selected="true" /><select idref="V-234689" selected="true" /><select idref="V-234690" selected="true" /><select idref="V-234691" selected="true" /><select idref="V-234692" 
selected="true" /><select idref="V-234693" selected="true" /><select idref="V-234694" selected="true" /><select idref="V-234695" selected="true" /><select idref="V-234696" selected="true" /><select idref="V-234697" selected="true" /><select idref="V-234698" selected="true" /></Profile><Group id="V-234683"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234683r617446_rule" weight="10.0" severity="medium"><version>JRE8-WN-000010</version><title>Oracle JRE 8 must have a deployment.config file present.</title><description>&lt;VulnDiscussion&gt;By default no deployment.config file exists; thus, no system-wide deployment.properties file exists. The file must be created. The deployment.config file is used for specifying the location and execution of system-level properties for the Java Runtime Environment. Without the deployment.config file, setting particular options for the Java control panel is impossible.
+
+The deployment.config file can be created in either of the following locations:
+
+&lt;Windows Directory&gt;\Sun\Java\Deployment\deployment.config
+- or -
+&lt;JRE Installation Directory&gt;\lib\deployment.config&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Oracle Java Runtime Environment v8 for Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Oracle Java Runtime Environment v8 for Windows</dc:subject><dc:identifier>5271</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-66939</ident><ident system="http://cyber.mil/legacy">SV-81429</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-37833r616106_fix">By default, no "deployment.config" file exists; a text file must be created. Create a JRE deployment configuration file in either:
+
+&lt;Windows Directory&gt;\Sun\Java\Deployment\deployment.config
+- or -
+&lt;JRE Installation Directory&gt;\Lib\deployment.config</fixtext><fix id="F-37833r616106_fix" /><check system="C-37868r616105_chk"><check-content-ref href="Oracle_Java_Runtime_Environment_v8_for_Windows_STIG.xml" name="M" /><check-content>By default, no "deployment.config" file exists; it must be created. Verify a "deployment.config" configuration file exists in either:
+
+&lt;Windows Directory&gt;\Sun\Java\Deployment\deployment.config
+- or -
+&lt;JRE Installation Directory&gt;\Lib\deployment.config
+
+If the "deployment.config" configuration file does not exist in either of these folders, this is a finding.</check-content></check></Rule></Group><Group id="V-234684"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234684r617446_rule" weight="10.0" severity="medium"><version>JRE8-WN-000020</version><title>Oracle JRE 8 deployment.config file must contain proper keys and values.</title><description>&lt;VulnDiscussion&gt;The deployment.config configuration file contains two keys.
+
+The "deployment.properties" key includes the path of the "deployment.properties" file and the "deployment.properties.mandatory" key contains either a TRUE or FALSE value.
+
+If the path specified to "deployment.properties" does not lead to a "deployment.properties" file, the value of the “deployment.system.config.mandatory” key determines how JRE will handle the situation.
+
+If the value of the "deployment.system.config.mandatory" key is TRUE and if the path to the "deployment.properties" file is invalid, the JRE will not allow Java applications to run. This is the desired behavior.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Oracle Java Runtime Environment v8 for Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Oracle Java Runtime Environment v8 for Windows</dc:subject><dc:identifier>5271</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-66941</ident><ident system="http://cyber.mil/legacy">SV-81431</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-37834r616109_fix">Navigate to the "deployment.config" file for JRE.
+
+Add the key "deployment.system.config=&lt;Path to deployment.properties&gt;" to the "deployment.config" file. The following is an example:
+"deployment.system.config=file:///C:/Windows/Java/Deployment/deployment.properties". Note the use of forward slashes.
+
+Add the key "deployment.system.config.mandatory=true" to the "deployment.config" file.</fixtext><fix id="F-37834r616109_fix" /><check system="C-37869r616108_chk"><check-content-ref href="Oracle_Java_Runtime_Environment_v8_for_Windows_STIG.xml" name="M" /><check-content>Navigate to the "deployment.config" file for Java:
+
+&lt;Windows Directory&gt;\Sun\Java\Deployment\deployment.config
+- or -
+&lt;JRE Installation Directory&gt;\Lib\deployment.config
+
+The "deployment.config" file contains two properties: deployment.system.config and deployment.system.config.mandatory.
+
+The "deployment.system.config" key points to the location of the "deployment.properties" file. The location is variable. It can point to a file on the local disk or a UNC path. The following is an example:
+"deployment.system.config=file:///C:/Windows/Java/Deployment/deployment.properties"
+
+If the "deployment.system.config" key does not exist or does not point to the location of the "deployment.properties" file, this is a finding.
+
+If the "deployment.system.config.mandatory" key does not exist or is set to "false", this is a finding.</check-content></check></Rule></Group><Group id="V-234685"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234685r617446_rule" weight="10.0" severity="medium"><version>JRE8-WN-000030</version><title>Oracle JRE 8 must have a deployment.properties file present.</title><description>&lt;VulnDiscussion&gt;By default no deployment.properties file exists; thus, no system-wide deployment exists. The file must be created. The deployment.properties file is used for specifying keys for the Java Runtime Environment. Each option in the Java control panel is represented by property keys. These keys adjust the options in the Java control panel based on the value assigned to that key. Without the deployment.properties file, setting particular options for the Java control panel is impossible.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Oracle Java Runtime Environment v8 for Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Oracle Java Runtime Environment v8 for Windows</dc:subject><dc:identifier>5271</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-66943</ident><ident system="http://cyber.mil/legacy">SV-81433</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-37835r616112_fix">Create the JRE "deployment.properties" file:
+
+No default file exists. A text file named "deployment.properties", and the directory structure in which it is located, must be manually created.
+The location must be aligned as defined in the "deployment.config" file.
+
+C:\Windows\Java\Deployment\deployment.properties is an example.</fixtext><fix id="F-37835r616112_fix" /><check system="C-37870r616111_chk"><check-content-ref href="Oracle_Java_Runtime_Environment_v8_for_Windows_STIG.xml" name="M" /><check-content>Navigate to the system-level "deployment.properties" file for JRE.
+
+The location of the "deployment.properties" file is defined in the "deployment.config" file.
+
+If there are no files titled "deployment.properties", this is a finding.</check-content></check></Rule></Group><Group id="V-234686"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234686r617446_rule" weight="10.0" severity="low"><version>JRE8-WN-000060</version><title>Oracle JRE 8 must default to the most secure built-in setting.</title><description>&lt;VulnDiscussion&gt;Applications that are signed with a valid certificate and include the permissions attribute in the manifest for the main JAR file are allowed to run with security prompts. All other applications are blocked. Unsigned applications could perform numerous types of attacks on a system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Oracle Java Runtime Environment v8 for Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Oracle Java Runtime Environment v8 for Windows</dc:subject><dc:identifier>5271</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-66945</ident><ident system="http://cyber.mil/legacy">SV-81435</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-37836r616115_fix">Navigate to the system-level "deployment.properties" file for JRE.
+
+Add the key "deployment.security.level=VERY_HIGH" to the "deployment.properties" file.
+
+Add the key "deployment.security.level.locked" to the "deployment.properties" file.</fixtext><fix id="F-37836r616115_fix" /><check system="C-37871r616114_chk"><check-content-ref href="Oracle_Java_Runtime_Environment_v8_for_Windows_STIG.xml" name="M" /><check-content>Navigate to the system-level "deployment.properties" file for JRE.
+
+&lt;Windows Directory&gt;\Sun\Java\Deployment\deployment.properties
+- or -
+&lt;JRE Installation Directory&gt;\Lib\deployment.properties
+
+If the key "deployment.security.level=VERY_HIGH" is not present in the "deployment.properties file", or is set to "HIGH", this is a finding.
+
+If the key "deployment.security.level.locked" is not present in the "deployment.properties" file, this is a finding.</check-content></check></Rule></Group><Group id="V-234687"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234687r617446_rule" weight="10.0" severity="medium"><version>JRE8-WN-000070</version><title>Oracle JRE 8 must be set to allow Java Web Start (JWS) applications.</title><description>&lt;VulnDiscussion&gt;Java Web Start (JWS) applications are the most commonly used. Denying these applications could be detrimental to the user experience. Whitelisting, blacklisting, and signing of applications help mitigate the risk of running JWS applications.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Oracle Java Runtime Environment v8 for Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Oracle Java Runtime Environment v8 for Windows</dc:subject><dc:identifier>5271</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-66947</ident><ident system="http://cyber.mil/legacy">SV-81437</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-37837r616118_fix">Navigate to the system-level “deployment.properties” file for JRE.
+
+The location of the deployment.properties file is defined in &lt;JRE Installation Directory&gt;\Lib\deployment.config
+
+Add the key “deployment.webjava.enabled=true” to the deployment.properties file.
+
+Add the key “deployment.webjava.enabled.locked” to the deployment.properties file.
+
+Note: If JWS is not enabled, this requirement is NA.</fixtext><fix id="F-37837r616118_fix" /><check system="C-37872r616117_chk"><check-content-ref href="Oracle_Java_Runtime_Environment_v8_for_Windows_STIG.xml" name="M" /><check-content>Navigate to the system-level “deployment.properties” file for JRE.
+
+The location of the deployment.properties file is defined in &lt;JRE Installation Directory&gt;\Lib\deployment.config
+
+If the key “deployment.webjava.enabled=true” is not present in the deployment.properties file, or is set to “false”, this is a finding.
+
+If the key “deployment.webjava.enabled.locked” is not present in the deployment.properties file, this is a finding.
+
+Note: If JWS is not enabled, this requirement is NA.</check-content></check></Rule></Group><Group id="V-234688"><title>SRG-APP-000112</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234688r617446_rule" weight="10.0" severity="medium"><version>JRE8-WN-000080</version><title>Oracle JRE 8 must disable the dialog enabling users to grant permissions to execute signed content from an untrusted authority.</title><description>&lt;VulnDiscussion&gt;Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from untrusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Oracle Java Runtime Environment v8 for Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Oracle Java Runtime Environment v8 for Windows</dc:subject><dc:identifier>5271</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-66949</ident><ident system="http://cyber.mil/legacy">SV-81439</ident><ident system="http://cyber.mil/cci">CCI-001695</ident><fixtext fixref="F-37838r616121_fix">If the system is on the SIPRNet, this requirement is NA.
+
+Disable the "Allow user to grant permissions to content from an untrusted authority" feature.
+
+Navigate to the system-level "deployment.properties" file for JRE.
+
+Add the key "deployment.security.askgrantdialog.notinca=false" to the "deployment.properties" file.
+
+Add the key "deployment.security.askgrantdialog.notinca.locked" to the "deployment.properties" file.</fixtext><fix id="F-37838r616121_fix" /><check system="C-37873r616120_chk"><check-content-ref href="Oracle_Java_Runtime_Environment_v8_for_Windows_STIG.xml" name="M" /><check-content>If the system is on the SIPRNet, this requirement is NA.
+
+Navigate to the system-level "deployment.properties" file for Java.
+
+&lt;Windows Directory&gt;\Sun\Java\Deployment\deployment.properties
+- or -
+&lt;JRE Installation Directory&gt;\Lib\deployment.properties
+
+If the key "deployment.security.askgrantdialog.notinca=false" is not present, this is a finding.
+
+If the key "deployment.security.askgrantdialog.notinca.locked" is not present, this is a finding.
+
+If the key "deployment.security.askgrantdialog.notinca" exists and is set to "true", this is a finding.</check-content></check></Rule></Group><Group id="V-234689"><title>SRG-APP-000112</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234689r617446_rule" weight="10.0" severity="medium"><version>JRE8-WN-000090</version><title>Oracle JRE 8 must lock the dialog enabling users to grant permissions to execute signed content from an untrusted authority.</title><description>&lt;VulnDiscussion&gt;Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from untrusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service.
+
+Ensuring users cannot change settings contributes to a more consistent security profile.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Oracle Java Runtime Environment v8 for Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Oracle Java Runtime Environment v8 for Windows</dc:subject><dc:identifier>5271</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-66951</ident><ident system="http://cyber.mil/legacy">SV-81441</ident><ident system="http://cyber.mil/cci">CCI-001695</ident><fixtext fixref="F-37839r616124_fix">If the system is on the SIPRNet, this requirement is NA.
+
+Lock the "Allow user to grant permissions to content from an untrusted authority" feature.
+
+Navigate to the system-level "deployment.properties" file for JRE.
+
+Add the key "deployment.security.askgrantdialog.show=false" to the "deployment.properties" file.
+
+Add the key "deployment.security.askgrantdialog.show.locked" to the "deployment.properties" file.</fixtext><fix id="F-37839r616124_fix" /><check system="C-37874r616123_chk"><check-content-ref href="Oracle_Java_Runtime_Environment_v8_for_Windows_STIG.xml" name="M" /><check-content>If the system is on the SIPRNet, this requirement is NA.
+
+Navigate to the system-level "deployment.properties" file for JRE.
+
+&lt;Windows Directory&gt;\Sun\Java\Deployment\deployment.properties
+- or -
+&lt;JRE Installation Directory&gt;\Lib\deployment.properties
+
+If the key "deployment.security.askgrantdialog.show=false" is not present, this is a finding.
+
+If the key "deployment.security.askgrantdialog.show.locked" is not present, this is a finding.
+
+If the key "deployment.security.askgrantdialog.show" exists and is set to "true", this is a finding.</check-content></check></Rule></Group><Group id="V-234690"><title>SRG-APP-000175</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234690r617446_rule" weight="10.0" severity="medium"><version>JRE8-WN-000100</version><title>Oracle JRE 8 must set the option to enable online certificate validation.</title><description>&lt;VulnDiscussion&gt;Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as “current”, “expired”, or “unknown”. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware, system modification, invasion of privacy, and denial of service.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Oracle Java Runtime Environment v8 for Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Oracle Java Runtime Environment v8 for Windows</dc:subject><dc:identifier>5271</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-66953</ident><ident system="http://cyber.mil/legacy">SV-81443</ident><ident system="http://cyber.mil/cci">CCI-000185</ident><fixtext fixref="F-37840r616127_fix">If the system is on the 
SIPRNet, this requirement is NA.
+
+Navigate to the system-level "deployment.properties" file for JRE.
+
+Add the key "deployment.security.validation.ocsp=true" to the "deployment.properties" file.
+
+Add the key "deployment.security.validation.ocsp.locked" to the "deployment.properties" file.</fixtext><fix id="F-37840r616127_fix" /><check system="C-37875r616126_chk"><check-content-ref href="Oracle_Java_Runtime_Environment_v8_for_Windows_STIG.xml" name="M" /><check-content>If the system is on the SIPRNet, this requirement is NA.
+
+Navigate to the system-level "deployment.properties" file for JRE.
+
+&lt;Windows Directory&gt;\Sun\Java\Deployment\deployment.properties
+- or -
+&lt;JRE Installation Directory&gt;\Lib\deployment.properties
+
+If the key "deployment.security.validation.ocsp=true" is not present in the "deployment.properties" file, this is a finding.
+
+If the key "deployment.security.validation.ocsp.locked" is not present in the "deployment.properties" file, this is a finding.
+
+If the key "deployment.security.validation.ocsp" is set to "false", this is a finding.</check-content></check></Rule></Group><Group id="V-234691"><title>SRG-APP-000209</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234691r617446_rule" weight="10.0" severity="medium"><version>JRE8-WN-000110</version><title>Oracle JRE 8 must prevent the download of prohibited mobile code.</title><description>&lt;VulnDiscussion&gt;Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously.
+
+Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient.
+
+Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed, downloaded, or executed on all endpoints (e.g., servers, workstations, and smart phones). This requirement applies to applications that execute, evaluate, or otherwise process mobile code (e.g., web applications, browsers, and anti-virus applications).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Oracle Java Runtime Environment v8 for Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Oracle Java Runtime Environment v8 for Windows</dc:subject><dc:identifier>5271</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-66955</ident><ident system="http://cyber.mil/legacy">SV-81445</ident><ident system="http://cyber.mil/cci">CCI-001169</ident><fixtext fixref="F-37841r616130_fix">Navigate to the system-level "deployment.properties" file for JRE.
+
+Add the key "deployment.security.blacklist.check=true" to the "deployment.properties" file.
+
+Add the key "deployment.security.blacklist.check.locked" to the "deployment.properties" file.</fixtext><fix id="F-37841r616130_fix" /><check system="C-37876r616129_chk"><check-content-ref href="Oracle_Java_Runtime_Environment_v8_for_Windows_STIG.xml" name="M" /><check-content>Navigate to the system-level "deployment.properties" file for JRE.
+
+&lt;Windows Directory&gt;\Sun\Java\Deployment\deployment.properties
+- or -
+&lt;JRE Installation Directory&gt;\Lib\deployment.properties
+
+If the key "deployment.security.blacklist.check=true" is not present in the "deployment.properties" file, or is set to "false", this is a finding.
+
+If the key "deployment.security.blacklist.check.locked" is not present in the "deployment.properties" file, this is a finding.</check-content></check></Rule></Group><Group id="V-234692"><title>SRG-APP-000386</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234692r617446_rule" weight="10.0" severity="medium"><version>JRE8-WN-000120</version><title>Oracle JRE 8 must enable the option to use an accepted sites list.</title><description>&lt;VulnDiscussion&gt;Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.
+
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+Verification of whitelisted software can occur either prior to execution or at system startup.
+
+This requirement applies to configuration management applications or similar types of applications designed to manage system processes and configurations (e.g., HBSS and software wrappers).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Oracle Java Runtime Environment v8 for Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Oracle Java Runtime Environment v8 for Windows</dc:subject><dc:identifier>5271</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-66957</ident><ident system="http://cyber.mil/legacy">SV-81447</ident><ident system="http://cyber.mil/cci">CCI-001774</ident><fixtext fixref="F-37842r616133_fix">Navigate to the system-level "deployment.properties" file for JRE.
+
+Add the key "deployment.user.security.exception.sites=C\:\\Windows\\Sun\\Java\\Deployment\\exception.sites" to the "deployment.properties" file.</fixtext><fix id="F-37842r616133_fix" /><check system="C-37877r616132_chk"><check-content-ref href="Oracle_Java_Runtime_Environment_v8_for_Windows_STIG.xml" name="M" /><check-content>Navigate to the system-level "deployment.properties" file for JRE.
+
+&lt;Windows Directory&gt;\Sun\Java\Deployment\deployment.properties
+- or -
+&lt;JRE Installation Directory&gt;\Lib\deployment.properties
+
+If the key "deployment.user.security.exception.sites" is not present in the "deployment.properties" file, this is a finding.
+
+If the key "deployment.user.security.exception.sites" is not set to the location of the "exception.sites" file, this is a finding.
+
+An example of a correct setting is:
+deployment.user.security.exception.sites=C\:\\Windows\\Sun\\Java\\Deployment\\exception.sites</check-content></check></Rule></Group><Group id="V-234693"><title>SRG-APP-000386</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234693r617446_rule" weight="10.0" severity="medium"><version>JRE8-WN-000130</version><title>Oracle JRE 8 must have an exception.sites file present.</title><description>&lt;VulnDiscussion&gt;Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.
+
+The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
+
+Verification of whitelisted software can occur either prior to execution or at system startup.
+
+This requirement applies to configuration management applications or similar types of applications designed to manage system processes and configurations (e.g., HBSS and software wrappers).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Oracle Java Runtime Environment v8 for Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Oracle Java Runtime Environment v8 for Windows</dc:subject><dc:identifier>5271</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-66959</ident><ident system="http://cyber.mil/legacy">SV-81449</ident><ident system="http://cyber.mil/cci">CCI-001774</ident><fixtext fixref="F-37843r616136_fix">If the system is on the SIPRNet, this requirement is NA.
+
+Create the JRE exception.sites file:
+No default file exists. A text file named exception.sites, and the directory structure in which it is located must be manually created. The location must be aligned as defined in the deployment.properties file.
+C:\Windows\Java\Deployment\deployment.properties is an example.</fixtext><fix id="F-37843r616136_fix" /><check system="C-37878r616135_chk"><check-content-ref href="Oracle_Java_Runtime_Environment_v8_for_Windows_STIG.xml" name="M" /><check-content>If the system is on the SIPRNet, this requirement is NA.
+
+Navigate to the “exception.sites” file for Java:
+
+The location of the "exception.sites" file is defined in the deployment.properties file.
+
+The "exception.sites" file is a text file containing single-line URLs for accepted risk sites. If there are no AO approved sites to be added to the configuration, it is acceptable for this file to be blank.
+
+If the “exception.sites” file does not exist, this is a finding.
+
+If the “exception.sites” file contains URLs that are not AO approved, this is a finding.
+
+Note: DeploymentRuleSet.jar is an acceptable substitute for using exception.sites. Interview the SA to view contents of the "DeploymentRuleSet.jar" file to ensure any AO approved sites are whitelisted.</check-content></check></Rule></Group><Group id="V-234694"><title>SRG-APP-000401</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234694r617446_rule" weight="10.0" severity="medium"><version>JRE8-WN-000150</version><title>Oracle JRE 8 must enable the dialog to enable users to check publisher certificates for revocation.</title><description>&lt;VulnDiscussion&gt;A certificate revocation list is a directory which contains a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found on a CRL should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Oracle Java Runtime Environment v8 for Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Oracle Java Runtime Environment v8 for Windows</dc:subject><dc:identifier>5271</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-66961</ident><ident system="http://cyber.mil/legacy">SV-81451</ident><ident 
system="http://cyber.mil/cci">CCI-001991</ident><fixtext fixref="F-37844r616139_fix">If the system is on the SIPRNet, this requirement is NA.
+
+Enable the "Check certificates for revocation using If the system is on the SIPRNet, this requirement is NA.
+
+Enable the "Check certificates for revocation using Certificate Revocation Lists (CRL)" option.
+
+Navigate to the system-level "deployment.properties" file for JRE.
+
+Add the key "deployment.security.validation.crl=true" to the "deployment.properties" file.
+
+Add the key "deployment.security.validation.crl.locked" to the "deployment.properties" file.</fixtext><fix id="F-37844r616139_fix" /><check system="C-37879r616138_chk"><check-content-ref href="Oracle_Java_Runtime_Environment_v8_for_Windows_STIG.xml" name="M" /><check-content>If the system is on the SIPRNet, this requirement is NA.
+
+Navigate to the system-level "deployment.properties" file for JRE.
+
+&lt;Windows Directory&gt;\Sun\Java\Deployment\deployment.properties
+- or -
+&lt;JRE Installation Directory&gt;\Lib\deployment.properties
+
+If the key "deployment.security.validation.crl=true" is not present in the "deployment.properties" file, or is set to "false", this is a finding.
+
+If the key "deployment.security.validation.crl.locked" is not present in the "deployment.properties" file, this is a finding.</check-content></check></Rule></Group><Group id="V-234695"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234695r617446_rule" weight="10.0" severity="medium"><version>JRE8-WN-000160</version><title>Oracle JRE 8 must lock the option to enable users to check publisher certificates for revocation.</title><description>&lt;VulnDiscussion&gt;Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found revoked on a CRL or via Online Certificate Status Protocol (OCSP) should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service.
+
+Ensuring users cannot change these settings assures a more consistent security profile.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Oracle Java Runtime Environment v8 for Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Oracle Java Runtime Environment v8 for Windows</dc:subject><dc:identifier>5271</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-66723</ident><ident system="http://cyber.mil/legacy">SV-81213</ident><ident system="http://cyber.mil/cci">CCI-001991</ident><fixtext fixref="F-37845r616142_fix">If the system is on the SIPRNet, this requirement is NA.
+
+Navigate to the system-level “deployment.properties” file for JRE.
+
+The location of the deployment.properties file is defined in &lt;JRE Installation Directory&gt;\Lib\deployment.config
+
+Add the key “deployment.security.revocation.check=ALL_CERTIFICATES” to the deployment.properties file.
+
+Add the key “deployment.security.revocation.check.locked” to the deployment.properties file.</fixtext><fix id="F-37845r616142_fix" /><check system="C-37880r616141_chk"><check-content-ref href="Oracle_Java_Runtime_Environment_v8_for_Windows_STIG.xml" name="M" /><check-content>If the system is on the SIPRNet, this requirement is NA.
+
+Navigate to the system-level “deployment.properties” file for JRE.
+
+The location of the deployment.properties file is defined in &lt;JRE Installation Directory&gt;\Lib\deployment.config
+
+If the key “deployment.security.revocation.check=ALL_CERTIFICATES” is not present, or is set to “PUBLISHER_ONLY”, or “NO_CHECK”, this is a finding.
+
+If the key “deployment.security.revocation.check.locked” is not present, this is a finding.</check-content></check></Rule></Group><Group id="V-234696"><title>SRG-APP-000488</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234696r617446_rule" weight="10.0" severity="medium"><version>JRE8-WN-000170</version><title>Oracle JRE 8 must prompt the user for action prior to executing mobile code.</title><description>&lt;VulnDiscussion&gt;Mobile code can cause damage to the system. It can execute without explicit action from, or notification to, a user.
+
+Actions enforced before executing mobile code include, for example, prompting users prior to opening email attachments and disabling automatic execution.
+
+This requirement applies to mobile code-enabled software, which is capable of executing one or more types of mobile code.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Oracle Java Runtime Environment v8 for Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Oracle Java Runtime Environment v8 for Windows</dc:subject><dc:identifier>5271</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-66963</ident><ident system="http://cyber.mil/legacy">SV-81453</ident><ident system="http://cyber.mil/cci">CCI-002460</ident><fixtext fixref="F-37846r616145_fix">Navigate to the system-level "deployment.properties" file for JRE.
+
+Add the key "deployment.insecure.jres=PROMPT" to the "deployment.properties" file.
+
+Add the key "deployment.insecure.jres.locked" to the "deployment.properties" file.</fixtext><fix id="F-37846r616145_fix" /><check system="C-37881r616144_chk"><check-content-ref href="Oracle_Java_Runtime_Environment_v8_for_Windows_STIG.xml" name="M" /><check-content>Navigate to the system-level "deployment.properties" file for JRE.
+
+&lt;Windows Directory&gt;\Sun\Java\Deployment\deployment.properties
+- or -
+&lt;JRE Installation Directory&gt;\Lib\deployment.properties
+
+If the key "deployment.insecure.jres=PROMPT" is not present in the "deployment.properties" file, this is a finding.
+
+If the key "deployment.insecure.jres.locked" is not present in the "deployment.properties" file, this is a finding.
+
+If the key "deployment.insecure.jres" is set to "NEVER", this is a finding.</check-content></check></Rule></Group><Group id="V-234697"><title>SRG-APP-000456</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234697r617446_rule" weight="10.0" severity="high"><version>JRE8-WN-000180</version><title>The version of Oracle JRE 8 running on the system must be the most current available.</title><description>&lt;VulnDiscussion&gt;Oracle JRE 8 is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the JRE can introduce security vulnerabilities to the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Oracle Java Runtime Environment v8 for Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Oracle Java Runtime Environment v8 for Windows</dc:subject><dc:identifier>5271</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-81457</ident><ident system="http://cyber.mil/legacy">V-66967</ident><ident system="http://cyber.mil/cci">CCI-002605</ident><fixtext fixref="F-37847r617346_fix">Test applications to ensure operational compatibility with new version of Java.
+
+Install a supported version of Oracle JRE 8.</fixtext><fix id="F-37847r617346_fix" /><check system="C-37882r617345_chk"><check-content-ref href="Oracle_Java_Runtime_Environment_v8_for_Windows_STIG.xml" name="M" /><check-content>Open a terminal window and type the command:
+"java -version" sans quotes.
+
+The return value should contain Java build information:
+
+"Java (TM) SE Runtime Environment (build x.x.x.x)"
+
+Cross-reference the build information on the system with the Oracle Java site to verify the version is supported by the vendor.
+
+If the version of Oracle JRE 8 running on the system is unsupported, this is a finding.</check-content></check></Rule></Group><Group id="V-234698"><title>SRG-APP-000454</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234698r617446_rule" weight="10.0" severity="medium"><version>JRE8-WN-000190</version><title>Oracle JRE 8 must remove previous versions when the latest version is installed.</title><description>&lt;VulnDiscussion&gt;Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Oracle Java Runtime Environment v8 for Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Oracle Java Runtime Environment v8 for Windows</dc:subject><dc:identifier>5271</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-66965</ident><ident system="http://cyber.mil/legacy">SV-81455</ident><ident system="http://cyber.mil/cci">CCI-002617</ident><fixtext fixref="F-37848r616151_fix">Remove previous versions of JRE.
+
+Open the Windows Control Panel, and navigate to "Programs and Features".
+
+Highlight, and click uninstall on all out of date instances of JRE.</fixtext><fix id="F-37848r616151_fix" /><check system="C-37883r616150_chk"><check-content-ref href="Oracle_Java_Runtime_Environment_v8_for_Windows_STIG.xml" name="M" /><check-content>Review the system configuration to ensure old versions of JRE have been removed.
+
+Open the Windows Control Panel, and navigate to "Programs and Features".
+
+Ensure only one instance of JRE is in the list of installed software. If more than one instance of JRE is listed, this is a finding.
+
+Note: A 32 and 64 bit version of the same instance is acceptable.</check-content></check></Rule></Group></Benchmark>
\ No newline at end of file
From 9bfe365a1fec19b62e785d96e6146e50224809d7 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 26 Jul 2021 18:14:24 +0200
Subject: [PATCH 08/10] Update DISA STIG Chrome manual benchmark file.
---
.../disa-google-chrome-browser-v1r2-stig.xml | 1736 -----------------
.../disa-google-chrome-browser-v2r3-stig.xml | 589 ++++++
2 files changed, 589 insertions(+), 1736 deletions(-)
delete mode 100644 shared/references/disa-google-chrome-browser-v1r2-stig.xml
create mode 100644 shared/references/disa-google-chrome-browser-v2r3-stig.xml
diff --git a/shared/references/disa-google-chrome-browser-v1r2-stig.xml b/shared/references/disa-google-chrome-browser-v1r2-stig.xml
deleted file mode 100644
index 1235715fd04..00000000000
--- a/shared/references/disa-google-chrome-browser-v1r2-stig.xml
+++ /dev/null
@@ -1,1736 +0,0 @@
-<Benchmark xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns="http://checklists.nist.gov/xccdf/1.1" id="Google_Chrome_Current_Windows" xml:lang="en" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
- <status date="2014-07-08">accepted</status>
- <title>Google Chrome Current Windows STIG</title>
- <notice id="terms-of-use" xml:lang="en"/>
- <reference href="http://iase.disa.mil">
- <dc:publisher>DISA, Field Security Operations</dc:publisher>
- <dc:source>STIG.DOD.MIL</dc:source>
- </reference>
- <plain-text id="release-info">Release: 1 Benchmark Date: 03 Mar 2014</plain-text>
- <version>1</version>
- <Profile id="MAC-1_Classified">
- <title>I - Mission Critial Classified</title>
- <description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description>
- <select idref="V-44711" selected="true"/>
- <select idref="V-44713" selected="true"/>
- <select idref="V-44719" selected="true"/>
- <select idref="V-44723" selected="true"/>
- <select idref="V-44727" selected="true"/>
- <select idref="V-44729" selected="true"/>
- <select idref="V-44733" selected="true"/>
- <select idref="V-44735" selected="true"/>
- <select idref="V-44737" selected="true"/>
- <select idref="V-44739" selected="true"/>
- <select idref="V-44741" selected="true"/>
- <select idref="V-44743" selected="true"/>
- <select idref="V-44745" selected="true"/>
- <select idref="V-44749" selected="true"/>
- <select idref="V-44751" selected="true"/>
- <select idref="V-44753" selected="true"/>
- <select idref="V-44757" selected="true"/>
- <select idref="V-44759" selected="true"/>
- <select idref="V-44761" selected="true"/>
- <select idref="V-44763" selected="true"/>
- <select idref="V-44765" selected="true"/>
- <select idref="V-44769" selected="true"/>
- <select idref="V-44771" selected="true"/>
- <select idref="V-44773" selected="true"/>
- <select idref="V-44775" selected="true"/>
- <select idref="V-44777" selected="true"/>
- <select idref="V-44781" selected="true"/>
- <select idref="V-44783" selected="true"/>
- <select idref="V-44787" selected="true"/>
- <select idref="V-44789" selected="true"/>
- <select idref="V-44791" selected="true"/>
- <select idref="V-44793" selected="true"/>
- <select idref="V-44795" selected="true"/>
- <select idref="V-44799" selected="true"/>
- <select idref="V-44801" selected="true"/>
- <select idref="V-44805" selected="true"/>
- <select idref="V-52795" selected="true"/>
- </Profile>
- <Profile id="MAC-1_Public">
- <title>I - Mission Critial Public</title>
- <description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description>
- <select idref="V-44711" selected="true"/>
- <select idref="V-44713" selected="true"/>
- <select idref="V-44719" selected="true"/>
- <select idref="V-44723" selected="true"/>
- <select idref="V-44727" selected="true"/>
- <select idref="V-44729" selected="true"/>
- <select idref="V-44733" selected="true"/>
- <select idref="V-44735" selected="true"/>
- <select idref="V-44737" selected="true"/>
- <select idref="V-44739" selected="true"/>
- <select idref="V-44741" selected="true"/>
- <select idref="V-44743" selected="true"/>
- <select idref="V-44745" selected="true"/>
- <select idref="V-44749" selected="true"/>
- <select idref="V-44751" selected="true"/>
- <select idref="V-44753" selected="true"/>
- <select idref="V-44757" selected="true"/>
- <select idref="V-44759" selected="true"/>
- <select idref="V-44761" selected="true"/>
- <select idref="V-44763" selected="true"/>
- <select idref="V-44765" selected="true"/>
- <select idref="V-44769" selected="true"/>
- <select idref="V-44771" selected="true"/>
- <select idref="V-44773" selected="true"/>
- <select idref="V-44775" selected="true"/>
- <select idref="V-44777" selected="true"/>
- <select idref="V-44781" selected="true"/>
- <select idref="V-44783" selected="true"/>
- <select idref="V-44787" selected="true"/>
- <select idref="V-44789" selected="true"/>
- <select idref="V-44791" selected="true"/>
- <select idref="V-44793" selected="true"/>
- <select idref="V-44795" selected="true"/>
- <select idref="V-44799" selected="true"/>
- <select idref="V-44801" selected="true"/>
- <select idref="V-44805" selected="true"/>
- <select idref="V-52795" selected="true"/>
- </Profile>
- <Profile id="MAC-1_Sensitive">
- <title>I - Mission Critial Sensitive</title>
- <description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description>
- <select idref="V-44711" selected="true"/>
- <select idref="V-44713" selected="true"/>
- <select idref="V-44719" selected="true"/>
- <select idref="V-44723" selected="true"/>
- <select idref="V-44727" selected="true"/>
- <select idref="V-44729" selected="true"/>
- <select idref="V-44733" selected="true"/>
- <select idref="V-44735" selected="true"/>
- <select idref="V-44737" selected="true"/>
- <select idref="V-44739" selected="true"/>
- <select idref="V-44741" selected="true"/>
- <select idref="V-44743" selected="true"/>
- <select idref="V-44745" selected="true"/>
- <select idref="V-44749" selected="true"/>
- <select idref="V-44751" selected="true"/>
- <select idref="V-44753" selected="true"/>
- <select idref="V-44757" selected="true"/>
- <select idref="V-44759" selected="true"/>
- <select idref="V-44761" selected="true"/>
- <select idref="V-44763" selected="true"/>
- <select idref="V-44765" selected="true"/>
- <select idref="V-44769" selected="true"/>
- <select idref="V-44771" selected="true"/>
- <select idref="V-44773" selected="true"/>
- <select idref="V-44775" selected="true"/>
- <select idref="V-44777" selected="true"/>
- <select idref="V-44781" selected="true"/>
- <select idref="V-44783" selected="true"/>
- <select idref="V-44787" selected="true"/>
- <select idref="V-44789" selected="true"/>
- <select idref="V-44791" selected="true"/>
- <select idref="V-44793" selected="true"/>
- <select idref="V-44795" selected="true"/>
- <select idref="V-44799" selected="true"/>
- <select idref="V-44801" selected="true"/>
- <select idref="V-44805" selected="true"/>
- <select idref="V-52795" selected="true"/>
- </Profile>
- <Profile id="MAC-2_Classified">
- <title>II - Mission Support Classified</title>
- <description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description>
- <select idref="V-44711" selected="true"/>
- <select idref="V-44713" selected="true"/>
- <select idref="V-44719" selected="true"/>
- <select idref="V-44723" selected="true"/>
- <select idref="V-44727" selected="true"/>
- <select idref="V-44729" selected="true"/>
- <select idref="V-44733" selected="true"/>
- <select idref="V-44735" selected="true"/>
- <select idref="V-44737" selected="true"/>
- <select idref="V-44739" selected="true"/>
- <select idref="V-44741" selected="true"/>
- <select idref="V-44743" selected="true"/>
- <select idref="V-44745" selected="true"/>
- <select idref="V-44749" selected="true"/>
- <select idref="V-44751" selected="true"/>
- <select idref="V-44753" selected="true"/>
- <select idref="V-44757" selected="true"/>
- <select idref="V-44759" selected="true"/>
- <select idref="V-44761" selected="true"/>
- <select idref="V-44763" selected="true"/>
- <select idref="V-44765" selected="true"/>
- <select idref="V-44769" selected="true"/>
- <select idref="V-44771" selected="true"/>
- <select idref="V-44773" selected="true"/>
- <select idref="V-44775" selected="true"/>
- <select idref="V-44777" selected="true"/>
- <select idref="V-44781" selected="true"/>
- <select idref="V-44783" selected="true"/>
- <select idref="V-44787" selected="true"/>
- <select idref="V-44789" selected="true"/>
- <select idref="V-44791" selected="true"/>
- <select idref="V-44793" selected="true"/>
- <select idref="V-44795" selected="true"/>
- <select idref="V-44799" selected="true"/>
- <select idref="V-44801" selected="true"/>
- <select idref="V-44805" selected="true"/>
- <select idref="V-52795" selected="true"/>
- </Profile>
- <Profile id="MAC-2_Public">
- <title>II - Mission Support Public</title>
- <description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description>
- <select idref="V-44711" selected="true"/>
- <select idref="V-44713" selected="true"/>
- <select idref="V-44719" selected="true"/>
- <select idref="V-44723" selected="true"/>
- <select idref="V-44727" selected="true"/>
- <select idref="V-44729" selected="true"/>
- <select idref="V-44733" selected="true"/>
- <select idref="V-44735" selected="true"/>
- <select idref="V-44737" selected="true"/>
- <select idref="V-44739" selected="true"/>
- <select idref="V-44741" selected="true"/>
- <select idref="V-44743" selected="true"/>
- <select idref="V-44745" selected="true"/>
- <select idref="V-44749" selected="true"/>
- <select idref="V-44751" selected="true"/>
- <select idref="V-44753" selected="true"/>
- <select idref="V-44757" selected="true"/>
- <select idref="V-44759" selected="true"/>
- <select idref="V-44761" selected="true"/>
- <select idref="V-44763" selected="true"/>
- <select idref="V-44765" selected="true"/>
- <select idref="V-44769" selected="true"/>
- <select idref="V-44771" selected="true"/>
- <select idref="V-44773" selected="true"/>
- <select idref="V-44775" selected="true"/>
- <select idref="V-44777" selected="true"/>
- <select idref="V-44781" selected="true"/>
- <select idref="V-44783" selected="true"/>
- <select idref="V-44787" selected="true"/>
- <select idref="V-44789" selected="true"/>
- <select idref="V-44791" selected="true"/>
- <select idref="V-44793" selected="true"/>
- <select idref="V-44795" selected="true"/>
- <select idref="V-44799" selected="true"/>
- <select idref="V-44801" selected="true"/>
- <select idref="V-44805" selected="true"/>
- <select idref="V-52795" selected="true"/>
- </Profile>
- <Profile id="MAC-2_Sensitive">
- <title>II - Mission Support Sensitive</title>
- <description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description>
- <select idref="V-44711" selected="true"/>
- <select idref="V-44713" selected="true"/>
- <select idref="V-44719" selected="true"/>
- <select idref="V-44723" selected="true"/>
- <select idref="V-44727" selected="true"/>
- <select idref="V-44729" selected="true"/>
- <select idref="V-44733" selected="true"/>
- <select idref="V-44735" selected="true"/>
- <select idref="V-44737" selected="true"/>
- <select idref="V-44739" selected="true"/>
- <select idref="V-44741" selected="true"/>
- <select idref="V-44743" selected="true"/>
- <select idref="V-44745" selected="true"/>
- <select idref="V-44749" selected="true"/>
- <select idref="V-44751" selected="true"/>
- <select idref="V-44753" selected="true"/>
- <select idref="V-44757" selected="true"/>
- <select idref="V-44759" selected="true"/>
- <select idref="V-44761" selected="true"/>
- <select idref="V-44763" selected="true"/>
- <select idref="V-44765" selected="true"/>
- <select idref="V-44769" selected="true"/>
- <select idref="V-44771" selected="true"/>
- <select idref="V-44773" selected="true"/>
- <select idref="V-44775" selected="true"/>
- <select idref="V-44777" selected="true"/>
- <select idref="V-44781" selected="true"/>
- <select idref="V-44783" selected="true"/>
- <select idref="V-44787" selected="true"/>
- <select idref="V-44789" selected="true"/>
- <select idref="V-44791" selected="true"/>
- <select idref="V-44793" selected="true"/>
- <select idref="V-44795" selected="true"/>
- <select idref="V-44799" selected="true"/>
- <select idref="V-44801" selected="true"/>
- <select idref="V-44805" selected="true"/>
- <select idref="V-52795" selected="true"/>
- </Profile>
- <Profile id="MAC-3_Classified">
- <title>III - Administrative Classified</title>
- <description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description>
- <select idref="V-44711" selected="true"/>
- <select idref="V-44713" selected="true"/>
- <select idref="V-44719" selected="true"/>
- <select idref="V-44723" selected="true"/>
- <select idref="V-44727" selected="true"/>
- <select idref="V-44729" selected="true"/>
- <select idref="V-44733" selected="true"/>
- <select idref="V-44735" selected="true"/>
- <select idref="V-44737" selected="true"/>
- <select idref="V-44739" selected="true"/>
- <select idref="V-44741" selected="true"/>
- <select idref="V-44743" selected="true"/>
- <select idref="V-44745" selected="true"/>
- <select idref="V-44749" selected="true"/>
- <select idref="V-44751" selected="true"/>
- <select idref="V-44753" selected="true"/>
- <select idref="V-44757" selected="true"/>
- <select idref="V-44759" selected="true"/>
- <select idref="V-44761" selected="true"/>
- <select idref="V-44763" selected="true"/>
- <select idref="V-44765" selected="true"/>
- <select idref="V-44769" selected="true"/>
- <select idref="V-44771" selected="true"/>
- <select idref="V-44773" selected="true"/>
- <select idref="V-44775" selected="true"/>
- <select idref="V-44777" selected="true"/>
- <select idref="V-44781" selected="true"/>
- <select idref="V-44783" selected="true"/>
- <select idref="V-44787" selected="true"/>
- <select idref="V-44789" selected="true"/>
- <select idref="V-44791" selected="true"/>
- <select idref="V-44793" selected="true"/>
- <select idref="V-44795" selected="true"/>
- <select idref="V-44799" selected="true"/>
- <select idref="V-44801" selected="true"/>
- <select idref="V-44805" selected="true"/>
- <select idref="V-52795" selected="true"/>
- </Profile>
- <Profile id="MAC-3_Public">
- <title>III - Administrative Public</title>
- <description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description>
- <select idref="V-44711" selected="true"/>
- <select idref="V-44713" selected="true"/>
- <select idref="V-44719" selected="true"/>
- <select idref="V-44723" selected="true"/>
- <select idref="V-44727" selected="true"/>
- <select idref="V-44729" selected="true"/>
- <select idref="V-44733" selected="true"/>
- <select idref="V-44735" selected="true"/>
- <select idref="V-44737" selected="true"/>
- <select idref="V-44739" selected="true"/>
- <select idref="V-44741" selected="true"/>
- <select idref="V-44743" selected="true"/>
- <select idref="V-44745" selected="true"/>
- <select idref="V-44749" selected="true"/>
- <select idref="V-44751" selected="true"/>
- <select idref="V-44753" selected="true"/>
- <select idref="V-44757" selected="true"/>
- <select idref="V-44759" selected="true"/>
- <select idref="V-44761" selected="true"/>
- <select idref="V-44763" selected="true"/>
- <select idref="V-44765" selected="true"/>
- <select idref="V-44769" selected="true"/>
- <select idref="V-44771" selected="true"/>
- <select idref="V-44773" selected="true"/>
- <select idref="V-44775" selected="true"/>
- <select idref="V-44777" selected="true"/>
- <select idref="V-44781" selected="true"/>
- <select idref="V-44783" selected="true"/>
- <select idref="V-44787" selected="true"/>
- <select idref="V-44789" selected="true"/>
- <select idref="V-44791" selected="true"/>
- <select idref="V-44793" selected="true"/>
- <select idref="V-44795" selected="true"/>
- <select idref="V-44799" selected="true"/>
- <select idref="V-44801" selected="true"/>
- <select idref="V-44805" selected="true"/>
- <select idref="V-52795" selected="true"/>
- </Profile>
- <Profile id="MAC-3_Sensitive">
- <title>III - Administrative Sensitive</title>
- <description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description>
- <select idref="V-44711" selected="true"/>
- <select idref="V-44713" selected="true"/>
- <select idref="V-44719" selected="true"/>
- <select idref="V-44723" selected="true"/>
- <select idref="V-44727" selected="true"/>
- <select idref="V-44729" selected="true"/>
- <select idref="V-44733" selected="true"/>
- <select idref="V-44735" selected="true"/>
- <select idref="V-44737" selected="true"/>
- <select idref="V-44739" selected="true"/>
- <select idref="V-44741" selected="true"/>
- <select idref="V-44743" selected="true"/>
- <select idref="V-44745" selected="true"/>
- <select idref="V-44749" selected="true"/>
- <select idref="V-44751" selected="true"/>
- <select idref="V-44753" selected="true"/>
- <select idref="V-44757" selected="true"/>
- <select idref="V-44759" selected="true"/>
- <select idref="V-44761" selected="true"/>
- <select idref="V-44763" selected="true"/>
- <select idref="V-44765" selected="true"/>
- <select idref="V-44769" selected="true"/>
- <select idref="V-44771" selected="true"/>
- <select idref="V-44773" selected="true"/>
- <select idref="V-44775" selected="true"/>
- <select idref="V-44777" selected="true"/>
- <select idref="V-44781" selected="true"/>
- <select idref="V-44783" selected="true"/>
- <select idref="V-44787" selected="true"/>
- <select idref="V-44789" selected="true"/>
- <select idref="V-44791" selected="true"/>
- <select idref="V-44793" selected="true"/>
- <select idref="V-44795" selected="true"/>
- <select idref="V-44799" selected="true"/>
- <select idref="V-44801" selected="true"/>
- <select idref="V-44805" selected="true"/>
- <select idref="V-52795" selected="true"/>
- </Profile>
- <Group id="V-44711">
- <title>DTBC0001 - Disable firewall traversal </title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57545r2_rule" severity="medium" weight="10.0">
- <version>DTBC-0001</version>
- <title>Firewall traversal from remote host must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Remote connections should never be allowed that bypass the firewall, as there is no way to verify if they can be trusted. Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine. If this setting is enabled, then remote clients can discover and connect to this machine even if they are separated by a firewall. If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network. If this policy is left not set the setting will be enabled. &lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49801r4_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative\Templates\Google\Google Chrome\Configure remote access options
- Policy Name: Enable firewall traversal from remote access host
- Policy State: Disabled
- Policy Value: false
-
-</fixtext>
- <fix id="F-49801r4_fix"/>
- <check system="C-49503r4_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If RemoteAccessHostFirewallTraversal is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
-
-Windows registry:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the RemoteAccessHostFirewallTraversal value name does not exist or its value data is not set to 0, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44713">
- <title>DTBC0003 - Block desktop notifications</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57547r1_rule" severity="low" weight="10.0">
- <version>DTBC-0003</version>
- <title>Sites ability for showing desktop notifications must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Chrome by default allows websites to display notifications on the desktop. This check allows you to set whether or not this is permitted. Displaying desktop notifications can be allowed by default, denied by default or the user can be asked every time a website wants to show desktop notifications. If this policy is left not set, 'AskNotifications' will be used and the user will be able to change it.
- 1 = Allow sites to show desktop notifications
- 2 = Do not allow any site to show desktop notifications
- 3 = Ask every time a site wants to show desktop notifications
-&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49807r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
- Policy Name: Default notification setting
- Policy State: Enabled
- Policy Value: Do not allow any site to show desktop notifications
-
-</fixtext>
- <fix id="F-49807r3_fix"/>
- <check system="C-49507r4_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If DefaultNotificationsSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the DefaultNotificationsSetting value name does not exist or its value data is not set to 2, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44719">
- <title>DTBC0004 - Disable pop-ups</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57553r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0004</version>
- <title>Sites ability to show pop-ups must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Chrome allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appearing. If you disable this policy setting, scripts can continue to create pop-up windows, and pop-ups that hide other windows. Recommend configuring this setting to &#8216;2&#8217; to help prevent malicious websites from controlling the pop-up windows or fooling users into clicking on the wrong window. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. If this policy is left not set, 'BlockPopups' will be used and the user will be able to change it.
- 1 = Allow all sites to show pop-ups
- 2 = Do not allow any site to show pop-ups
-&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49809r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
- Policy Name: Default popups setting
- Policy State: Enabled
- Policy Value: Do not allow any site to show popups
-
-</fixtext>
- <fix id="F-49809r3_fix"/>
- <check system="C-49509r3_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If DefaultPopupsSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the value name DefaultPopupsSetting does not exist or its value data is not set to 2, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44723">
- <title>DTBC0002 - Disallow Location Tracking</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57557r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0002</version>
- <title>Site tracking users location must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Website tracking is the practice of gathering information as to which websites were accesses by a browser. The common method of doing this is to have a website create a tracking cookie on the browser. If the information of what sites are being accessed is made available to unauthorized persons, this violates confidentiality requirements, and over time poses a significant OPSEC issue. This policy setting allows you to set whether websites are allowed to track the user&#8217;s physical location. Tracking the user&#8217;s physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location.
- 1 = Allow sites to track the user&#8217;s physical location
- 2 = Do not allow any site to track the user&#8217;s physical location
- 3 = Ask whenever a site wants to track the user&#8217;s physical location
-&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49813r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
- Policy Name: Default geolocation setting
- Policy State: Enabled
- Policy Value: Do not allow any site to track the users' physical location
-
-</fixtext>
- <fix id="F-49813r3_fix"/>
- <check system="C-49511r3_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If DefaultGeolocationSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the DefaultGeolocationSetting value name does not exist or its value data is not set to 2, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44727">
- <title>DTBC0005 - Blacklist extension installation </title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57561r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0005</version>
- <title>Extensions installation must be blacklisted by default.</title>
- <description>&lt;VulnDiscussion&gt;Extensions are developed by third party sources and are designed to extend Google Chrome's functionality. An extension can be made by anyone, to do and access almost anything on a system; this means they pose a high risk to any system that would allow all extensions to be installed by default. Allows you to specify which extensions the users can NOT install. Extensions already installed will be removed if blacklisted. A blacklist value of '*' means all extensions are blacklisted unless they are explicitly listed in the whitelist. If this policy is left not set the user can install any extension in Google Chrome.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49817r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\
- Policy Name: Configure extension installation blacklist
- Policy State: Enabled
- Policy Value: *
-
-</fixtext>
- <fix id="F-49817r3_fix"/>
- <check system="C-49513r3_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If ExtensionInstallBlacklist is not displayed under the Policy Name column or it is not set to * under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlacklist
- 3. If the a registry value name of 1 does not exist under that key or its value is not set to *, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44729">
- <title>DTBC0006 - Extension whitelist</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57563r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0006</version>
- <title>Extensions that are approved for use must be whitelisted.
-</title>
- <description>&lt;VulnDiscussion&gt;The whitelist should only contain organizationally approved extensions. This is to prevent a user from accidently whitelisitng a malicious extension. This policy allows you to specify which extensions are not subject to the blacklist. A blacklist value of &#8216;*&#8217; means all extensions are blacklisted and users can only install extensions listed in the whitelist. By default, no extensions are whitelisted. If all extensions have been blacklisted by policy, then the whitelist policy can be used to allow specific extensions to be installed. Administrators should determine which extensions should be allowed to be installed by their users. If no extensions are whitelisted, then no extensions can be installed when combined with blacklisting all extensions.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49821r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\
- Policy Name: Configure extension installation whitelist
- Policy State: Enabled
- Policy Value: oiigbmnaadbkfbmpbfijlflahbdbdgdf
-
-Note: oiigbmnaadbkfbmpbfijlflahbdbdgdf is the extension ID for scriptno(a commonly used Chrome extension)
-
-</fixtext>
- <fix id="F-49821r3_fix"/>
- <check system="C-49515r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If ExtensionInstallWhitelist is not displayed under the Policy Name column or it is not set to oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator approved extension IDs, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\ExtensionInstallWhitelist
- 3. If the ExtensionInstallWhitelist key does not exist or is not set to oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator approved extension IDs, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44733">
- <title>DTBC0007 - Default search provider name</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57567r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0007</version>
- <title>The default search providers name must be set.</title>
- <description>&lt;VulnDiscussion&gt;Specifies the name of the default search provider that is to be used, if left empty or not set, the host name specified by the search URL will be used. This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled. When doing internet searches it is important to use an encrypted connection via https.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49825r5_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\
- Policy Name: Default search provider name
- Policy State: Enabled
- Policy Value: set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted)
-
-</fixtext>
- <fix id="F-49825r5_fix"/>
- <check system="C-49517r4_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If DefaultSearchProviderName is displayed under the Policy Name column or it is not set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted) under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the DefaultSearchProviderName value name does not exist or it is not set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted), then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44735">
- <title>DTBC0008 - Encrypted searching</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57569r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0008</version>
- <title>The default search provider URL must be set to perform encrypted searches.
-</title>
- <description>&lt;VulnDiscussion&gt;Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for. This option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be respected if this is the case. When doing internet searches it is important to use an encrypted connection via https.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49827r5_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\
- Policy Name: Default search provider search URL
- Policy State: Enabled
- Policy Value: must be set to an organization approved encrypted search string
- (ex. https://www.google.com/#q={searchTerms} or https://www.bing.com/search?q={searchTerms} )
-
-</fixtext>
- <fix id="F-49827r5_fix"/>
- <check system="C-49519r7_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If DefaultSearchProviderSearchURL is not displayed under the Policy Name column or it is not set to an organization approved encrypted search string (ex. https://www.google.com/#q={searchTerms} or https://www.bing.com/search?q={searchTerms} ) under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the DefaultSearchProviderSearchURL value name does not exist or its value data is not set to an organization approved encrypted search string (ex. https://www.google.com/#q={searchTerms} or https://www.bing.com/search?q={searchTerms} ) then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44737">
- <title>DTBC0009 - Default search provider</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57571r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0009</version>
- <title>Default search provider must be enabled.</title>
- <description>&lt;VulnDiscussion&gt;Policy enables the use of a default search provider. If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL. You can specify the default search provider to be used by setting the rest of the default search policies. If these are left empty, the user can choose the default provider. If you disable this setting, no search is performed when the user enters non-URL text in the omnibox. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, the default search provider is enabled, and the user will be able to set the search provider list.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49829r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\
- Policy Name: Enable the default search provider
- Policy State: Enabled
- Policy Value: N/A
-
-</fixtext>
- <fix id="F-49829r3_fix"/>
- <check system="C-49521r3_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If DefaultSearchProviderEnabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the DefaultSearchProviderEnabled value name does not exist or its value data is not set to 1, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44739">
- <title>DTBC0010 - Disable cleartext passwords</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57573r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0010</version>
- <title>Use of cleartext passwords in the Password Manager must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Cleartext passwords would allow another individual to see password via shoulder surfing. This policy controls whether the user may show passwords in clear text in the password manager. If you disable this setting, the password manager does not allow showing stored passwords in clear text in the password manager window. By not configuring this policy, users can view their stored passwords in clear text in the password manager.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49831r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Password manager\
- Policy Name: Allow users to show passwords in Password Manager
- Policy State: Disabled
- Policy Value: N/A
-
-</fixtext>
- <fix id="F-49831r3_fix"/>
- <check system="C-49523r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If PasswordManagerAllowShowPasswords is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the PasswordManagerAllowShowPasswords value name does not exist or its value data is not set to 0, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44741">
- <title>DTBC0011 - Password Manager</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57575r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0011</version>
- <title>The Password Manager must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Enables saving passwords and using saved passwords in Google Chrome. Malicious sites may take advantage of this feature by using hidden fields gain access to the stored information. If you enable this setting, users can have Google Chrome memorize passwords and provide them automatically the next time they log in to a site. If you disable this setting, users are not able to save passwords or use already saved passwords. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. ListPassword manager should not be used as it stores passwords locally.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49833r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Password Manager\
- Policy Name: Enable the password manager
- Policy State: Disabled
- Policy Value: N/A
-
-</fixtext>
- <fix id="F-49833r3_fix"/>
- <check system="C-49525r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If PasswordManagerEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the PasswordManagerEnabled value name does not exist or its value data is not set to 0, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44743">
- <title>DTBC0012 - HTTP Authentication </title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57577r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0012</version>
- <title>The HTTP Authentication must be set to negotiate.</title>
- <description>&lt;VulnDiscussion&gt;Specifies which HTTP Authentication schemes are supported by Google Chrome. Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas. If this policy is left not set, all four schemes will be used.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49835r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Policies for HTTP Authentication\
- Policy Name: Supported authentication schemes
- Policy State: Enabled
- Policy Value: negotiate
-</fixtext>
- <fix id="F-49835r3_fix"/>
- <check system="C-49527r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If AuthSchemes is not displayed under the Policy Name column or it is not set to negotiate under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome
- 3. If the AuthSchemes value name does not exist or its value data is not set to negotiate, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44745">
- <title>DTBC0013 - Outdated plugins</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57579r1_rule" severity="high" weight="10.0">
- <version>DTBC-0013</version>
- <title>The running of outdated plugins must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Running outdated plugins could lead to system compromise through the use of known exploits. Having plugins that updated to the most current version ensures the smallest attack surfuce possible. If you enable this setting, outdated plugins are used as normal plugins. If you disable this setting, outdated plugins will not be used and users will not be asked for permission to run them. If this setting is not set, users will be asked for permission to run outdated plugins.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49837r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Allow running plugins that are outdated
- Policy State: Disabled
- Policy Value: N/A
-</fixtext>
- <fix id="F-49837r3_fix"/>
- <check system="C-49529r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If AllowOutdatedPlugins is not displayed under the Policy Name column or it is not set to false under the Policy Name column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome
- 3. If the AllowOutdatedPlugins value name does not exist or its value data is not set to 0, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44749">
- <title>DTBC0014 - Plugins requiring authorization</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57583r1_rule" severity="high" weight="10.0">
- <version>DTBC-0014</version>
- <title>Plugins requiring authorization must ask for user permission.</title>
- <description>&lt;VulnDiscussion&gt;Policy allows Google Chrome to run plugins that require authorization. If you enable this setting, plugins that are not outdated will always run. If this setting is disabled or not set, users will be not be asked for permission to run plugins that require authorization. These are plugins that can compromise security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49839r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Always runs plugins that require authorization
- Policy State: Disabled
- Policy Value: N/A
-</fixtext>
- <fix id="F-49839r3_fix"/>
- <check system="C-49531r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If AlwaysAuthorizePlugins is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the AlwaysAuthorizePlugins value name does not exist or its value data is not set to 0, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44751">
- <title>DTBC0015 - Third party cookies</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57585r1_rule" severity="low" weight="10.0">
- <version>DTBC-0015</version>
- <title>Third party cookies must be blocked.</title>
- <description>&lt;VulnDiscussion&gt;Third party cookies are cookies which can be set by web page elements that are not from the domain that is in the browser's address bar. Enabling this setting prevents cookies from being set by web page elements that are not from the domain that is in the browser's address bar. Disabling this setting allows cookies to be set by web page elements that are not from the domain that is in the browser's address bar and prevents users from changing this setting. If this policy is left not set, third party cookies will be enabled but the user will be able to change that.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49841r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Block third party cookies
- Policy State: Enabled
- Policy Value: N/A
-</fixtext>
- <fix id="F-49841r3_fix"/>
- <check system="C-49533r3_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If BlockThirdPartyCookies is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the BlockThirdPartyCookies value name does not exist or its value data is not set to 1, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44753">
- <title>DTBC0017 - Disable background processing</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57587r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0017</version>
- <title>Background processing must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Determines whether a Google Chrome process is started on OS login that keeps running when the last browser window is closed, allowing background apps to remain active. The background process displays an icon in the system tray and can always be closed from there. If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings. If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings. If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings.' - Google Chrome Administrators Policy ListThis setting, if enabled, allows Google Chrome to run at all times. There is two reasons that this is not wanted. First, it can tie up system resources that might otherwise be needed. Second, it does not make it obvious to the user that it is running and poorly written extensions could cause instability on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49845r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Continue running background apps when Google Chrome is closed
- Policy State: Disabled
- Policy Value: N/A</fixtext>
- <fix id="F-49845r3_fix"/>
- <check system="C-49535r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If BackgroundModeEnabled is not displayed under the Policy Name column and it is not set to false under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the BackgroundModeEnabled value name does not exist or its value data is not set to 0, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44757">
- <title>DTBC0019 - 3D Graphics APIs</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57591r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0019</version>
- <title>3D Graphics APIs must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Disable support for 3D graphics APIs. Enabling this setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages cannot access the WebGL API and plugins cannot use the Pepper 3D API. Disabling this setting or leaving it not set potentially allows web pages to use the WebGL API and plugins to use the Pepper 3D API. The default settings of the browser may still require command line arguments to be passed in order to use these APIs. Chrome uses WebGL to render graphics using the GPU. There are few sites that currently take advantage of this feature. Since there is unlikely to be an operational impact, it is recommended that this feature is turned off in order to reduce the attack surface.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49849r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Disable support for 3D graphics APIs
- Policy State: Enabled
- Policy Value: N/A</fixtext>
- <fix id="F-49849r3_fix"/>
- <check system="C-49539r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If Disable3DAPIs is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the Disable3DAPIs value name does not exist or its value data is not set to 1, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44759">
- <title>DTBC0020 - Google Data Synchronization</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57593r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0020</version>
- <title>Google Data Synchronization must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the user will be able to enable Google Sync. Google Sync is used to sync information between different user devices, this data is then stored on Google owned servers. The synced data may consist of information such as email, calendars, viewing history, etc. This feature must be disabled because the organization does not have control over the servers the data is stored on.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49851r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Disable synchronization of data with Google
- Policy State: Enabled
- Policy Value: N/A</fixtext>
- <fix id="F-49851r3_fix"/>
- <check system="C-49541r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If SyncDisabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the SyncDisabled value name does not exist or its value data is not set to 1, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44761">
- <title>DTBC0021 - URL protocol schemas</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57595r2_rule" severity="medium" weight="10.0">
- <version>DTBC-0021</version>
- <title>The URL protocol schema javascript must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Each access to a URL is handled by the browser according to the URL's "scheme". The "scheme" of a URL is the section before the ":". The term "protocol" is often mistakenly used for a "scheme". The difference is that the scheme is how the browser handles a URL and the protocol is how the browser communicates with a service. If a scheme or its associated protocol used by a browser is insecure or obsolete, vulnerabilities can be exploited resulting in exposed data or unrestricted access to the browser's system. The browser must be configured to disable the use of insecure and obsolete schemas (protocols).
-This policy disables the listed protocol schemes in Google Chrome, URLs using a scheme from this list will not load and cannot be navigated to. If this policy is left not set or the list is empty all schemes will be accessible in Google Chrome.
-&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49853r5_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Block access to a list of URLs
- Policy State: Enabled
- Policy Value 1: javascript://*</fixtext>
- <fix id="F-49853r5_fix"/>
- <check system="C-49543r4_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If URLBlacklist is not displayed under the Policy Name column or it is not set to javascript://* under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\URLBlacklist
- 3. If the URLBlacklist key does not exist, or the does not contain entries 1 set to javascript://*, then this is a finding.
-
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44763">
- <title>DTBC0022 - AutoComplete for forms</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57597r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0022</version>
- <title>AutoFill must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;This AutoComplete feature suggests possible matches when users are filling in forms. It is possible that this feature will cache sensitive data and store it in the user's profile, where it might not be protected as rigorously as required by organizational policy. If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49855r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Enable AutoFill
- Policy State: Disabled
- Policy Value: N/A</fixtext>
- <fix id="F-49855r3_fix"/>
- <check system="C-49545r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If AutoFillEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the AutoFillEnabled value name does not exist or its value data is not set to 0, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44765">
- <title>DTBC0023 - Cloud print sharing</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57599r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0023</version>
- <title>Cloud print sharing must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Policy enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine. If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account. If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share it&#8217;s printers with Google Cloud Print. If this policy is not set, this will be enabled but the user will be able to change it.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49857r4_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Enable Google Cloud Print proxy
- Policy State: Disabled
- Policy Value: N/A</fixtext>
- <fix id="F-49857r4_fix"/>
- <check system="C-49547r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If CloudPrintProxyEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the CloudPrintProxyEnabled value name does not exist or its value data is not set to 0, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44769">
- <title>DTBC0025 - Network prediction</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57603r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0025</version>
- <title>Network prediction must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Enables network prediction in Google Chrome and prevents users from changing this setting. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49859r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Enable network prediction
- Policy State: Disabled
- Policy Value: N/A</fixtext>
- <fix id="F-49859r3_fix"/>
- <check system="C-49549r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If DnsPrefetchingEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the DnsPrefetchingEnabled value name does not exist or its value data is not set to 0, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44771">
- <title>DTBC0026 - Metrics reporting</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57605r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0026</version>
- <title>Metrics reporting to Google must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and crash-related data is sent to Google. A crash report could contain sensitive information from the computer's memory. If you disable this setting, anonymous reporting of usage and crash-related data is never sent to Google. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the setting will be what the user chose upon installation / first run.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49861r2_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Enable reporting of usage and crash-related data
- Policy State: Disabled
- Policy Value: N/A</fixtext>
- <fix id="F-49861r2_fix"/>
- <check system="C-49551r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If MetricsReportingEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the MetricsReportingEnabled value name does not exist or its value data is not set to 0, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44773">
- <title>DTBC0027 - Search suggestions</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57607r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0027</version>
- <title>Search suggestions must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Search suggestion should be disabled as it could lead to searches being conducted that were never intended to be made. Enables search suggestions in Google Chrome's omnibox and prevents users from changing this setting. If you enable this setting, search suggestions are used. If you disable this setting, search suggestions are never used. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49863r2_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Enable search suggestions
- Policy State: Disabled
- Policy Value: N/A</fixtext>
- <fix id="F-49863r2_fix"/>
- <check system="C-49553r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If SearchSuggestEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the SearchSuggestEnabled value name does not exist or its value data is not set to 0, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44775">
- <title>DTBC0029 - Import of saved passwords</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57609r2_rule" severity="medium" weight="10.0">
- <version>DTBC-0029</version>
- <title>Importing of saved passwords must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Importing of saved passwords should be disabled as it could lead to unencrypted account passwords stored on the system from another browser to be viewed. This policy forces the saved passwords to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. If disabled, the saved passwords are not imported. If it is not set, the user may be asked whether to import, or importing may happen automatically.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49865r3_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Import saved passwords from default browser on first run
- Policy State: Disabled
- Policy Value: False</fixtext>
- <fix id="F-49865r3_fix"/>
- <check system="C-49555r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If ImportSavedPasswords is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the ImportSavedPasswords value name does not exist or its value data is not set to 0, then this is a finding.</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44777">
- <title>DTBC0030 - Incognito Mode</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57611r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0030</version>
- <title>Incognito mode must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Incognito mode allows the user to browse the Internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser history is retained. The "IncognitoModeAvailability" setting controls whether the user may utilize Incognito mode in Google Chrome. If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode. If 'Disabled' is selected, pages may not be opened in Incognito mode. If 'Forced' is selected, pages may be opened ONLY in Incognito mode.
- 0 = Incognito mode available.
- 1 = Incognito mode disabled.
- 2 = Incognito mode forced.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49867r2_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Incognito mode availability
- Policy State: Enabled
- Policy Value: Incognito mode disabled</fixtext>
- <fix id="F-49867r2_fix"/>
- <check system="C-49557r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If IncognitoModeAvailability is not displayed under the Policy Name column or it is not set to 1 under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the IncognitoModeAvailability value name does not exist or its value data is not set to 1, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44781">
- <title>DTBC0034 - Plugin blacklist</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57615r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0034</version>
- <title>Plugins must be disabled by default.</title>
- <description>&lt;VulnDiscussion&gt;Specifies a list of plugins that are disabled in Google Chrome and prevents users from changing this setting. The wildcard characters * and ? can be used to match sequences of arbitrary characters. * matches an arbitrary number of characters while ? specifies an optional single character, i.e. matches zero or one characters. The escape character is \, so to match actual *, ?, or \ characters, you can put a \ in front of them. If you enable this setting, the specified list of plugins is never used in Google Chrome. The plugins are marked as disabled in about:plugins and users cannot enable them. Note that this policy can be overridden by &#8216;EnabledPlugins&#8217; and &#8216;DisabledPluginsExceptions&#8217;. If this policy is left not set the user can use any plugin installed on the system except for hard-coded incompatible, outdated or dangerous plugins.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49873r2_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Specify a list of disabled plugins
- Policy State: Enabled
- Policy Value: *</fixtext>
- <fix id="F-49873r2_fix"/>
- <check system="C-49561r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If DisabledPlugins is not displayed under the Policy Name column or it is not set to * under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\DisabledPlugins
- 3. If the DisabledPlugins key does not exist, or the 1 value name does not exist under that key and the value data is not set to * then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44783">
- <title>DTBC0035 - Approved plugins</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57617r2_rule" severity="medium" weight="10.0">
- <version>DTBC-0035</version>
- <title>Plugins approved for use must be enabled.</title>
- <description>&lt;VulnDiscussion&gt;Policy specifies a list of plugins that are enabled in Google Chrome and prevents users from changing this setting. The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\', so to match actual '*', '?', or '\' characters, you can put a '\' in front of them. The specified list of plugins is always used in Google Chrome if they are installed. The plugins are marked as enabled in 'about:plugins' and users cannot disable them. Note that this policy overrides both &#8216;DisabledPlugins &#8216;and &#8216;DisabledPluginsExceptions&#8217;. If this policy is left not set the user can disable any plugin installed on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49875r5_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Specify a list of enabled plugins
- Policy State: Enabled
- Policy Value 1: Shockwave Flash
- Policy Value 2: Chrome PDF Viewer
- Policy Value 3: Silverlight
- Policy Value 4: Java*</fixtext>
- <fix id="F-49875r5_fix"/>
- <check system="C-49563r6_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If EnabledPlugins is not displayed under the Policy Name column or does not contain a list of administrator approved Plugins under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\EnabledPlugins
- 3. If the EnabledPlugins key does not exist and does not contain a set of administrator approved Plugins then this is a finding.
-
-
-Suggested: the set or subset of Shockwave Flash, Chrome PDF Viewer, Silverlight, Java*
-
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44787">
- <title>DTBC0036 - Automatic plugin search and installation</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57621r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0036</version>
- <title>Automated installation of missing plugins must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;The automatic search and installation of missing or not installed plugins should be disabled as this can cause significant risk if a unapproved or vulnerable plugin were to be installed without proper permissions or authorization. If you set this setting to enabled the automatic search and installation of missing plugins will be disabled in Google Chrome.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49877r2_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Specify whether the plugin finder should be disabled
- Policy State: Enabled
- Policy Value: N/A
-</fixtext>
- <fix id="F-49877r2_fix"/>
- <check system="C-49565r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If DisablePluginFinder is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the DisablePluginFinder value name does not exist or its value data is not set to 1, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44789">
- <title>DTBC0037 - Online revocation checks</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57623r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0037</version>
- <title>Online revocation checks must be done.</title>
- <description>&lt;VulnDiscussion&gt;By setting this policy to true, the previous behavior is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online revocation checks. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49879r2_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Whether online OCSP/CRL checks are performed
- Policy State: Enabled
- Policy Value: N/A
-</fixtext>
- <fix id="F-49879r2_fix"/>
- <check system="C-49567r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If EnableOnlineRevocationChecks is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the EnableOnlineRevocationChecks value name does not exist or its value data is not set to 1, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44791">
- <title>DTBC0038 - Safe browsing</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57625r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0038</version>
- <title>Safe Browsing must be enabled,</title>
- <description>&lt;VulnDiscussion&gt;Enables Google Chrome's Safe Browsing feature and prevents users from changing this setting. If you enable this setting, Safe Browsing is always active. If you disable this setting, Safe Browsing is never active. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. Safe browsing uses a signature database to test sites when they are be loaded to ensure they don't contain any known malware.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49881r2_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Enable Safe Browsing
- Policy State: Enabled
- Policy Value: N/A</fixtext>
- <fix id="F-49881r2_fix"/>
- <check system="C-49569r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If SafeBrowsingEnabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the SafeBrowsingEnabled value name does not exist or its value data is not set to 1, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44793">
- <title>DTBC0039 - History</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57627r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0039</version>
- <title>Browser history must be saved.</title>
- <description>&lt;VulnDiscussion&gt;This policy disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. If this setting is disabled or not set, browsing history is saved.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49883r2_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Disable saving browser history
- Policy State: Disabled
- Policy Value: N/A</fixtext>
- <fix id="F-49883r2_fix"/>
- <check system="C-49571r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If the policy 'SavingBrowserHistoryDisabled' is not shown or is not set to false, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the SavingBrowserHistoryDisabled value name does not exist or its value data is not set to 0, then this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44795">
- <title>DTBC0040 - Plugin execution</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57629r2_rule" severity="medium" weight="10.0">
- <version>DTBC-0040</version>
- <title>Default behavior must block webpages from automatically running plugins.</title>
- <description>&lt;VulnDiscussion&gt;This policy allows you to set whether websites are allowed to automatically run plugins. Automatically running plugins can be either allowed for all websites or denied for all websites. If this policy is left not set, 'AllowPlugins' will be used and the user will be able to change it.
- 1 = Allow all sites to automatically run plugins
- 2 = Block all plugins
- 3 = Click to play.
-&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49885r4_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
- Policy Name: Default plugins setting
- Policy State: Enabled
- Policy Value: Click to play</fixtext>
- <fix id="F-49885r4_fix"/>
- <check system="C-49573r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox(address bar) type chrome://policy
- 2. If the policy 'DefaultPluginsSetting' is not shown or is not set to 'Click to play', this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\DefaultPluginsSetting
- 3. If this key does not exist or is not set to 3 this is a finding.
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44799">
- <title>DTBC0045 - Per session cookies</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57633r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0045</version>
- <title>Session only based cookies must be disabled.</title>
- <description>&lt;VulnDiscussion&gt;Policy allows you to set a list of URL patterns that specify sites which are allowed to set session only cookies. If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise. If the 'RestoreOnStartup' policy is set to restore URLs from previous sessions this policy will not be respected and cookies will be stored permanently for those sites.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49889r2_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
- Policy Name: Allow session only cookies on these sites
- Policy State: Disabled
- Policy Value: N/A</fixtext>
- <fix id="F-49889r2_fix"/>
- <check system="C-49577r2_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox(address bar) type chrome://policy
- 2. If the policy 'CookiesSessionOnlyForUrls' does not show up or has any defined values, this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls
- 3. If this key does not exist or has any defined values this is a finding
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44801">
- <title>DTBC0048 - Set home page URL</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57635r2_rule" severity="medium" weight="10.0">
- <version>DTBC-0048</version>
- <title>The home page must be set to a trusted site.</title>
- <description>&lt;VulnDiscussion&gt;When a browser is started the first web page displayed is the "home page". While the home page can be selected by the user, the default home page needs to be defined to display an approved page. If no home page is defined then there is a possibility that a URL to a malicious site may be used as a home page which could effectively cause a denial of service to the browser. The browser must have an organizationally approved default home page. &lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49891r4_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Home page
- Policy Name: Configure the home page URL
- Policy State: Enabled
- Policy Value: An organizationally approved default home page.</fixtext>
- <fix id="F-49891r4_fix"/>
- <check system="C-49579r3_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If HomepageLocation is not displayed under the Policy Name column or it is not set to an organizationally approved default home page.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the HomepageLocation value name does not exist or its value data is not set to an organizationally approved default home page.</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-44805">
- <title>DTBC0050 - Auto updates</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-57639r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0050</version>
- <title>Browser must support auto-updates.</title>
- <description>&lt;VulnDiscussion&gt;One of the most effective defenses against exploitation of browser vulnerabilities is to ensure the version of the browser is current. Frequent updates provide corrections to discovered vulnerabilities and the timely update reduces the window for zero day attacks. Automatic installation of updates and patches is the most effective method for keeping the browser software current. The browser must have the capability to install software updates and patches automatically. &lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-49895r3_fix">Windows registry:
- 1. Start regedit
- 2. Navigate to Key Path: HKLM\Software\Policies\Google\Update
- Value Name: AutoUpdateCheckPeroidMinutes
- Value Type: Boolean (REG_DWORD)
- Value Data: 43200 or less, but not 0.</fixtext>
- <fix id="F-49895r3_fix"/>
- <check system="C-49583r1_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Update\
- 3. If the AutoUpdateCheckPeriodMinutes value name does not exist or its value is set to 0 or greater than 43200, this is a finding.
-
-</check-content>
- </check>
- </Rule>
- </Group>
- <Group id="V-52795">
- <title>DTBC0051 - Plugins allowed for urls</title>
- <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
- <Rule id="SV-67011r1_rule" severity="medium" weight="10.0">
- <version>DTBC-0051</version>
- <title>URLs must be whitelisted for plugin use</title>
- <description>&lt;VulnDiscussion&gt;&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
- <reference>
- <dc:title>DPMS Target Google Chrome Current</dc:title>
- <dc:publisher>DISA FSO</dc:publisher>
- <dc:type>DPMS Target</dc:type>
- <dc:subject>Google Chrome Current</dc:subject>
- <dc:identifier>2591</dc:identifier>
- </reference>
- <fixtext fixref="F-57613r1_fix">Windows group policy:
- 1. Open the group policy editor tool with gpedit.msc
- 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings
- Policy Name: Allow plugins on these sites
- Policy State: Enabled
- Policy Value 1: *.mil
- Policy Value 2: *.gov
-</fixtext>
- <fix id="F-57613r1_fix"/>
- <check system="C-54515r1_chk">
- <check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Google Chrome Current Windows.xml"/>
- <check-content>Universal method:
- 1. In the omnibox (address bar) type chrome://policy
- 2. If PluginsAllowedForUrls is not displayed under the Policy Name column or it is not set to a list of administrator approved URLs under the Policy Value column, then this is a finding.
-
-Windows method:
- 1. Start regedit
- 2. Navigate to HKLM\Software\Policies\Google\Chrome\
- 3. If the PluginsAllowedForUrls key does not exist and it does not contain a list of administrator approved URLs then this is a finding.
-
-Suggested: the set or subset of *.mil and *.gov
-</check-content>
- </check>
- </Rule>
- </Group>
-</Benchmark>
-
diff --git a/shared/references/disa-google-chrome-browser-v2r3-stig.xml b/shared/references/disa-google-chrome-browser-v2r3-stig.xml
new file mode 100644
index 00000000000..02f852083b1
--- /dev/null
+++ b/shared/references/disa-google-chrome-browser-v2r3-stig.xml
@@ -0,0 +1,589 @@
+<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="Google_Chrome_Current_Windows" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2021-04-20">accepted</status><title>Google Chrome Current Windows Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 3 Benchmark Date: 23 Apr 2021</plain-text><plain-text id="generator">3.2.2.36079</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>2</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-221558" selected="true" /><select idref="V-221559" selected="true" /><select idref="V-221561" selected="true" /><select idref="V-221562" selected="true" /><select idref="V-221563" selected="true" /><select idref="V-221564" selected="true" /><select idref="V-221565" selected="true" /><select idref="V-221566" selected="true" /><select idref="V-221567" selected="true" /><select idref="V-221570" selected="true" /><select idref="V-221571" selected="true" /><select idref="V-221572" selected="true" /><select idref="V-221573" selected="true" /><select idref="V-221574" selected="true" /><select idref="V-221575" selected="true" /><select idref="V-221576" selected="true" /><select idref="V-221577" selected="true" /><select idref="V-221578" selected="true" /><select idref="V-221579" selected="true" /><select idref="V-221580" selected="true" /><select idref="V-221581" selected="true" /><select idref="V-221582" selected="true" /><select idref="V-221584" selected="true" /><select idref="V-221586" selected="true" /><select idref="V-221587" selected="true" /><select idref="V-221588" selected="true" /><select idref="V-221590" selected="true" /><select idref="V-221591" selected="true" /><select idref="V-221592" selected="true" 
/><select idref="V-221593" selected="true" /><select idref="V-221594" selected="true" /><select idref="V-221595" selected="true" /><select idref="V-221596" selected="true" /><select idref="V-221597" selected="true" /><select idref="V-221598" selected="true" /><select idref="V-221599" selected="true" /><select idref="V-226401" selected="true" /><select idref="V-226402" selected="true" /><select idref="V-226403" selected="true" /><select idref="V-226404" selected="true" /><select idref="V-234701" selected="true" /><select idref="V-241787" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-221558" selected="true" /><select idref="V-221559" selected="true" /><select idref="V-221561" selected="true" /><select idref="V-221562" selected="true" /><select idref="V-221563" selected="true" /><select idref="V-221564" selected="true" /><select idref="V-221565" selected="true" /><select idref="V-221566" selected="true" /><select idref="V-221567" selected="true" /><select idref="V-221570" selected="true" /><select idref="V-221571" selected="true" /><select idref="V-221572" selected="true" /><select idref="V-221573" selected="true" /><select idref="V-221574" selected="true" /><select idref="V-221575" selected="true" /><select idref="V-221576" selected="true" /><select idref="V-221577" selected="true" /><select idref="V-221578" selected="true" /><select idref="V-221579" selected="true" /><select idref="V-221580" selected="true" /><select idref="V-221581" selected="true" /><select idref="V-221582" selected="true" /><select idref="V-221584" selected="true" /><select idref="V-221586" selected="true" /><select idref="V-221587" selected="true" /><select idref="V-221588" selected="true" /><select idref="V-221590" selected="true" /><select idref="V-221591" selected="true" /><select idref="V-221592" selected="true" /><select idref="V-221593" 
selected="true" /><select idref="V-221594" selected="true" /><select idref="V-221595" selected="true" /><select idref="V-221596" selected="true" /><select idref="V-221597" selected="true" /><select idref="V-221598" selected="true" /><select idref="V-221599" selected="true" /><select idref="V-226401" selected="true" /><select idref="V-226402" selected="true" /><select idref="V-226403" selected="true" /><select idref="V-226404" selected="true" /><select idref="V-234701" selected="true" /><select idref="V-241787" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-221558" selected="true" /><select idref="V-221559" selected="true" /><select idref="V-221561" selected="true" /><select idref="V-221562" selected="true" /><select idref="V-221563" selected="true" /><select idref="V-221564" selected="true" /><select idref="V-221565" selected="true" /><select idref="V-221566" selected="true" /><select idref="V-221567" selected="true" /><select idref="V-221570" selected="true" /><select idref="V-221571" selected="true" /><select idref="V-221572" selected="true" /><select idref="V-221573" selected="true" /><select idref="V-221574" selected="true" /><select idref="V-221575" selected="true" /><select idref="V-221576" selected="true" /><select idref="V-221577" selected="true" /><select idref="V-221578" selected="true" /><select idref="V-221579" selected="true" /><select idref="V-221580" selected="true" /><select idref="V-221581" selected="true" /><select idref="V-221582" selected="true" /><select idref="V-221584" selected="true" /><select idref="V-221586" selected="true" /><select idref="V-221587" selected="true" /><select idref="V-221588" selected="true" /><select idref="V-221590" selected="true" /><select idref="V-221591" selected="true" /><select idref="V-221592" selected="true" /><select idref="V-221593" selected="true" /><select 
idref="V-221594" selected="true" /><select idref="V-221595" selected="true" /><select idref="V-221596" selected="true" /><select idref="V-221597" selected="true" /><select idref="V-221598" selected="true" /><select idref="V-221599" selected="true" /><select idref="V-226401" selected="true" /><select idref="V-226402" selected="true" /><select idref="V-226403" selected="true" /><select idref="V-226404" selected="true" /><select idref="V-234701" selected="true" /><select idref="V-241787" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-221558" selected="true" /><select idref="V-221559" selected="true" /><select idref="V-221561" selected="true" /><select idref="V-221562" selected="true" /><select idref="V-221563" selected="true" /><select idref="V-221564" selected="true" /><select idref="V-221565" selected="true" /><select idref="V-221566" selected="true" /><select idref="V-221567" selected="true" /><select idref="V-221570" selected="true" /><select idref="V-221571" selected="true" /><select idref="V-221572" selected="true" /><select idref="V-221573" selected="true" /><select idref="V-221574" selected="true" /><select idref="V-221575" selected="true" /><select idref="V-221576" selected="true" /><select idref="V-221577" selected="true" /><select idref="V-221578" selected="true" /><select idref="V-221579" selected="true" /><select idref="V-221580" selected="true" /><select idref="V-221581" selected="true" /><select idref="V-221582" selected="true" /><select idref="V-221584" selected="true" /><select idref="V-221586" selected="true" /><select idref="V-221587" selected="true" /><select idref="V-221588" selected="true" /><select idref="V-221590" selected="true" /><select idref="V-221591" selected="true" /><select idref="V-221592" selected="true" /><select idref="V-221593" selected="true" /><select idref="V-221594" 
selected="true" /><select idref="V-221595" selected="true" /><select idref="V-221596" selected="true" /><select idref="V-221597" selected="true" /><select idref="V-221598" selected="true" /><select idref="V-221599" selected="true" /><select idref="V-226401" selected="true" /><select idref="V-226402" selected="true" /><select idref="V-226403" selected="true" /><select idref="V-226404" selected="true" /><select idref="V-234701" selected="true" /><select idref="V-241787" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-221558" selected="true" /><select idref="V-221559" selected="true" /><select idref="V-221561" selected="true" /><select idref="V-221562" selected="true" /><select idref="V-221563" selected="true" /><select idref="V-221564" selected="true" /><select idref="V-221565" selected="true" /><select idref="V-221566" selected="true" /><select idref="V-221567" selected="true" /><select idref="V-221570" selected="true" /><select idref="V-221571" selected="true" /><select idref="V-221572" selected="true" /><select idref="V-221573" selected="true" /><select idref="V-221574" selected="true" /><select idref="V-221575" selected="true" /><select idref="V-221576" selected="true" /><select idref="V-221577" selected="true" /><select idref="V-221578" selected="true" /><select idref="V-221579" selected="true" /><select idref="V-221580" selected="true" /><select idref="V-221581" selected="true" /><select idref="V-221582" selected="true" /><select idref="V-221584" selected="true" /><select idref="V-221586" selected="true" /><select idref="V-221587" selected="true" /><select idref="V-221588" selected="true" /><select idref="V-221590" selected="true" /><select idref="V-221591" selected="true" /><select idref="V-221592" selected="true" /><select idref="V-221593" selected="true" /><select idref="V-221594" selected="true" /><select 
idref="V-221595" selected="true" /><select idref="V-221596" selected="true" /><select idref="V-221597" selected="true" /><select idref="V-221598" selected="true" /><select idref="V-221599" selected="true" /><select idref="V-226401" selected="true" /><select idref="V-226402" selected="true" /><select idref="V-226403" selected="true" /><select idref="V-226404" selected="true" /><select idref="V-234701" selected="true" /><select idref="V-241787" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-221558" selected="true" /><select idref="V-221559" selected="true" /><select idref="V-221561" selected="true" /><select idref="V-221562" selected="true" /><select idref="V-221563" selected="true" /><select idref="V-221564" selected="true" /><select idref="V-221565" selected="true" /><select idref="V-221566" selected="true" /><select idref="V-221567" selected="true" /><select idref="V-221570" selected="true" /><select idref="V-221571" selected="true" /><select idref="V-221572" selected="true" /><select idref="V-221573" selected="true" /><select idref="V-221574" selected="true" /><select idref="V-221575" selected="true" /><select idref="V-221576" selected="true" /><select idref="V-221577" selected="true" /><select idref="V-221578" selected="true" /><select idref="V-221579" selected="true" /><select idref="V-221580" selected="true" /><select idref="V-221581" selected="true" /><select idref="V-221582" selected="true" /><select idref="V-221584" selected="true" /><select idref="V-221586" selected="true" /><select idref="V-221587" selected="true" /><select idref="V-221588" selected="true" /><select idref="V-221590" selected="true" /><select idref="V-221591" selected="true" /><select idref="V-221592" selected="true" /><select idref="V-221593" selected="true" /><select idref="V-221594" selected="true" /><select idref="V-221595" 
selected="true" /><select idref="V-221596" selected="true" /><select idref="V-221597" selected="true" /><select idref="V-221598" selected="true" /><select idref="V-221599" selected="true" /><select idref="V-226401" selected="true" /><select idref="V-226402" selected="true" /><select idref="V-226403" selected="true" /><select idref="V-226404" selected="true" /><select idref="V-234701" selected="true" /><select idref="V-241787" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-221558" selected="true" /><select idref="V-221559" selected="true" /><select idref="V-221561" selected="true" /><select idref="V-221562" selected="true" /><select idref="V-221563" selected="true" /><select idref="V-221564" selected="true" /><select idref="V-221565" selected="true" /><select idref="V-221566" selected="true" /><select idref="V-221567" selected="true" /><select idref="V-221570" selected="true" /><select idref="V-221571" selected="true" /><select idref="V-221572" selected="true" /><select idref="V-221573" selected="true" /><select idref="V-221574" selected="true" /><select idref="V-221575" selected="true" /><select idref="V-221576" selected="true" /><select idref="V-221577" selected="true" /><select idref="V-221578" selected="true" /><select idref="V-221579" selected="true" /><select idref="V-221580" selected="true" /><select idref="V-221581" selected="true" /><select idref="V-221582" selected="true" /><select idref="V-221584" selected="true" /><select idref="V-221586" selected="true" /><select idref="V-221587" selected="true" /><select idref="V-221588" selected="true" /><select idref="V-221590" selected="true" /><select idref="V-221591" selected="true" /><select idref="V-221592" selected="true" /><select idref="V-221593" selected="true" /><select idref="V-221594" selected="true" /><select idref="V-221595" selected="true" /><select 
idref="V-221596" selected="true" /><select idref="V-221597" selected="true" /><select idref="V-221598" selected="true" /><select idref="V-221599" selected="true" /><select idref="V-226401" selected="true" /><select idref="V-226402" selected="true" /><select idref="V-226403" selected="true" /><select idref="V-226404" selected="true" /><select idref="V-234701" selected="true" /><select idref="V-241787" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-221558" selected="true" /><select idref="V-221559" selected="true" /><select idref="V-221561" selected="true" /><select idref="V-221562" selected="true" /><select idref="V-221563" selected="true" /><select idref="V-221564" selected="true" /><select idref="V-221565" selected="true" /><select idref="V-221566" selected="true" /><select idref="V-221567" selected="true" /><select idref="V-221570" selected="true" /><select idref="V-221571" selected="true" /><select idref="V-221572" selected="true" /><select idref="V-221573" selected="true" /><select idref="V-221574" selected="true" /><select idref="V-221575" selected="true" /><select idref="V-221576" selected="true" /><select idref="V-221577" selected="true" /><select idref="V-221578" selected="true" /><select idref="V-221579" selected="true" /><select idref="V-221580" selected="true" /><select idref="V-221581" selected="true" /><select idref="V-221582" selected="true" /><select idref="V-221584" selected="true" /><select idref="V-221586" selected="true" /><select idref="V-221587" selected="true" /><select idref="V-221588" selected="true" /><select idref="V-221590" selected="true" /><select idref="V-221591" selected="true" /><select idref="V-221592" selected="true" /><select idref="V-221593" selected="true" /><select idref="V-221594" selected="true" /><select idref="V-221595" selected="true" /><select idref="V-221596" selected="true" 
/><select idref="V-221597" selected="true" /><select idref="V-221598" selected="true" /><select idref="V-221599" selected="true" /><select idref="V-226401" selected="true" /><select idref="V-226402" selected="true" /><select idref="V-226403" selected="true" /><select idref="V-226404" selected="true" /><select idref="V-234701" selected="true" /><select idref="V-241787" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-221558" selected="true" /><select idref="V-221559" selected="true" /><select idref="V-221561" selected="true" /><select idref="V-221562" selected="true" /><select idref="V-221563" selected="true" /><select idref="V-221564" selected="true" /><select idref="V-221565" selected="true" /><select idref="V-221566" selected="true" /><select idref="V-221567" selected="true" /><select idref="V-221570" selected="true" /><select idref="V-221571" selected="true" /><select idref="V-221572" selected="true" /><select idref="V-221573" selected="true" /><select idref="V-221574" selected="true" /><select idref="V-221575" selected="true" /><select idref="V-221576" selected="true" /><select idref="V-221577" selected="true" /><select idref="V-221578" selected="true" /><select idref="V-221579" selected="true" /><select idref="V-221580" selected="true" /><select idref="V-221581" selected="true" /><select idref="V-221582" selected="true" /><select idref="V-221584" selected="true" /><select idref="V-221586" selected="true" /><select idref="V-221587" selected="true" /><select idref="V-221588" selected="true" /><select idref="V-221590" selected="true" /><select idref="V-221591" selected="true" /><select idref="V-221592" selected="true" /><select idref="V-221593" selected="true" /><select idref="V-221594" selected="true" /><select idref="V-221595" selected="true" /><select idref="V-221596" selected="true" /><select idref="V-221597" 
selected="true" /><select idref="V-221598" selected="true" /><select idref="V-221599" selected="true" /><select idref="V-226401" selected="true" /><select idref="V-226402" selected="true" /><select idref="V-226403" selected="true" /><select idref="V-226404" selected="true" /><select idref="V-234701" selected="true" /><select idref="V-241787" selected="true" /></Profile><Group id="V-221558"><title>SRG-APP-000039</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221558r615937_rule" weight="10.0" severity="medium"><version>DTBC-0001</version><title>Firewall traversal from remote host must be disabled.</title><description>&lt;VulnDiscussion&gt;Remote connections should never be allowed that bypass the firewall, as there is no way to verify if they can be trusted. Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine. If this setting is enabled, then remote clients can discover and connect to this machine even if they are separated by a firewall. If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network. If this policy is left not set the setting will be enabled. 
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57545</ident><ident system="http://cyber.mil/legacy">V-44711</ident><ident system="http://cyber.mil/cci">CCI-001414</ident><fixtext fixref="F-23262r415802_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative\Templates\Google\Google Chrome\Configure remote access options
+ Policy Name: Enable firewall traversal from remote access host
+ Policy State: Disabled
+ Policy Value: N/A
+
+</fixtext><fix id="F-23262r415802_fix" /><check system="C-23273r415801_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If RemoteAccessHostFirewallTraversal is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
+
+Windows registry:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the RemoteAccessHostFirewallTraversal value name does not exist or its value data is not set to 0, then this is a finding.
+</check-content></check></Rule></Group><Group id="V-221559"><title>SRG-APP-000206</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221559r615937_rule" weight="10.0" severity="medium"><version>DTBC-0002</version><title>Site tracking users location must be disabled.</title><description>&lt;VulnDiscussion&gt;Website tracking is the practice of gathering information as to which websites were accesses by a browser. The common method of doing this is to have a website create a tracking cookie on the browser. If the information of what sites are being accessed is made available to unauthorized persons, this violates confidentiality requirements, and over time poses a significant OPSEC issue. This policy setting allows you to set whether websites are allowed to track the users physical location. Tracking the users physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location.
+ 1 = Allow sites to track the users physical location
+ 2 = Do not allow any site to track the users physical location
+ 3 = Ask whenever a site wants to track the users physical location&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57557</ident><ident system="http://cyber.mil/legacy">V-44723</ident><ident system="http://cyber.mil/cci">CCI-001166</ident><fixtext fixref="F-23263r478200_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
+ Policy Name: Default geolocation setting
+ Policy State: Enabled
+ Policy Value: Do not allow any site to track the users' physical location
+
+</fixtext><fix id="F-23263r478200_fix" /><check system="C-23274r478199_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If DefaultGeolocationSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the DefaultGeolocationSetting value name does not exist or its value data is not set to 2, then this is a finding.
+</check-content></check></Rule></Group><Group id="V-221561"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221561r615937_rule" weight="10.0" severity="medium"><version>DTBC-0004</version><title>Sites ability to show pop-ups must be disabled.</title><description>&lt;VulnDiscussion&gt;Chrome allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appearing. If you disable this policy setting, scripts can continue to create pop-up windows, and pop-ups that hide other windows. Recommend configuring this setting to 2 to help prevent malicious websites from controlling the pop-up windows or fooling users into clicking on the wrong window. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. If this policy is left not set, 'BlockPopups' will be used and the user will be able to change it.
+ 1 = Allow all sites to show pop-ups
+ 2 = Do not allow any site to show pop-ups&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57553</ident><ident system="http://cyber.mil/legacy">V-44719</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-23265r478203_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
+ Policy Name: Default popups setting
+ Policy State: Enabled
+ Policy Value: Do not allow any site to show popups
+
+</fixtext><fix id="F-23265r478203_fix" /><check system="C-23276r570454_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If DefaultPopupsSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the value name DefaultPopupsSetting does not exist or its value data is not set to 2, then this is a finding.
+
+Note: If AO Approved exceptions to this rule have been enabled, this is not a finding.</check-content></check></Rule></Group><Group id="V-221562"><title>SRG-APP-000089</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221562r684815_rule" weight="10.0" severity="medium"><version>DTBC-0005</version><title>Extensions installation must be blocklisted by default.</title><description>&lt;VulnDiscussion&gt;Extensions are developed by third party sources and are designed to extend Google Chrome's functionality. An extension can be made by anyone, to do and access almost anything on a system; this means they pose a high risk to any system that would allow all extensions to be installed by default. Allows you to specify which extensions the users can NOT install. Extensions already installed will be removed if blocklisted. A blocklist value of '*' means all extensions are blocklisted unless they are explicitly listed in the allowlist. If this policy is left not set the user can install any extension in Google Chrome.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57561</ident><ident system="http://cyber.mil/legacy">V-44727</ident><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext 
fixref="F-23266r684814_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\
+ Policy Name: Configure extension installation blocklist
+ Policy State: Enabled
+ Policy Value: *</fixtext><fix id="F-23266r684814_fix" /><check system="C-23277r684813_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If ExtensionInstallBlocklist is not displayed under the Policy Name column or it is not set to * under the Policy Value column, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlocklist
+ 3. If the a registry value name of 1 does not exist under that key or its value is not set to *, then this is a finding. </check-content></check></Rule></Group><Group id="V-221563"><title>SRG-APP-000210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221563r684818_rule" weight="10.0" severity="medium"><version>DTBC-0006</version><title>Extensions that are approved for use must be allowlisted.</title><description>&lt;VulnDiscussion&gt;The allowlist should only contain organizationally approved extensions. This is to prevent a user from accidently allowlisitng a malicious extension. This policy allows you to specify which extensions are not subject to the blacklist. A blacklist value of * means all extensions are blacklisted and users can only install extensions listed in the allowlist. By default, no extensions are allowlisted. If all extensions have been blacklisted by policy, then the allowlist policy can be used to allow specific extensions to be installed. Administrators should determine which extensions should be allowed to be installed by their users. 
If no extensions are allowlisted, then no extensions can be installed when combined with blacklisting all extensions.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57563</ident><ident system="http://cyber.mil/legacy">V-44729</ident><ident system="http://cyber.mil/cci">CCI-001170</ident><fixtext fixref="F-23267r684817_fix">Windows group policy:
+1. Open the group policy editor tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\
+Policy Name: Configure extension installation allowlist
+Policy State: Enabled
+Policy Value: oiigbmnaadbkfbmpbfijlflahbdbdgdf
+
+Note: oiigbmnaadbkfbmpbfijlflahbdbdgdfis the extension ID for scriptno (a commonly used Chrome extension), other extension IDs may vary.</fixtext><fix id="F-23267r684817_fix" /><check system="C-23278r684816_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+1. In the omnibox (address bar) type chrome://policy
+2. If ExtensionInstallAllowlist is not displayed under the Policy Name column or it is not set to oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator approved extension IDs, then this is a finding.
+
+Windows method:
+1. Start regedit
+2. Navigate to the key HKLM\Software\Policies\Google\Chrome\ExtensionInstallAllowlist
+3. If the ExtensionInstallAllowlist key is not set to 1 and oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator-approved extension IDs, then this is a finding.</check-content></check></Rule></Group><Group id="V-221564"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221564r615937_rule" weight="10.0" severity="medium"><version>DTBC-0007</version><title>The default search providers name must be set.</title><description>&lt;VulnDiscussion&gt;Specifies the name of the default search provider that is to be used, if left empty or not set, the host name specified by the search URL will be used. This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled. When doing internet searches it is important to use an encrypted connection via https.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57567</ident><ident system="http://cyber.mil/legacy">V-44733</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-23268r415820_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\
+ Policy Name: Default search provider name
+ Policy State: Enabled
+ Policy Value: set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted)
+
+</fixtext><fix id="F-23268r415820_fix" /><check system="C-23279r415819_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If DefaultSearchProviderName is displayed under the Policy Name column or it is not set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted) under the Policy Value column, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the DefaultSearchProviderName value name does not exist or it is not set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted), then this is a finding.
+</check-content></check></Rule></Group><Group id="V-221565"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221565r684821_rule" weight="10.0" severity="medium"><version>DTBC-0008</version><title>The default search provider URL must be set to perform encrypted searches.</title><description>&lt;VulnDiscussion&gt;Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for. This option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be respected if this is the case. When doing internet searches it is important to use an encrypted connection via https.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57569</ident><ident system="http://cyber.mil/legacy">V-44735</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-23269r684820_fix">If the system is on the SIPRNet, this requirement is NA.
+
+Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\
+ Policy Name: Default search provider search URL
+ Policy State: Enabled
+ Policy Value: Must be set to an organization-approved encrypted search string
+ (ex. https://www.google.com/search?q={searchTerms} or https://www.bing.com/search?q={searchTerms} )</fixtext><fix id="F-23269r684820_fix" /><check system="C-23280r684819_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>If the system is on the SIPRNet, this requirement is NA.
+
+Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If DefaultSearchProviderSearchURL is not displayed under the Policy Name column or it is not set to an organization-approved encrypted search string (ex. https://www.google.com/?q={searchTerms} or https://www.bing.com/search?q={searchTerms} ) under the Policy Value column, this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the DefaultSearchProviderSearchURL value name does not exist or its value data is not set to an organization-approved encrypted search string (ex. https://www.google.com/search?q={searchTerms} or https://www.bing.com/search?q={searchTerms} ) this is a finding.</check-content></check></Rule></Group><Group id="V-221566"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221566r615937_rule" weight="10.0" severity="medium"><version>DTBC-0009</version><title>Default search provider must be enabled.</title><description>&lt;VulnDiscussion&gt;Policy enables the use of a default search provider. If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL. You can specify the default search provider to be used by setting the rest of the default search policies. If these are left empty, the user can choose the default provider. If you disable this setting, no search is performed when the user enters non-URL text in the omnibox. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. 
If this policy is left not set, the default search provider is enabled, and the user will be able to set the search provider list.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57571</ident><ident system="http://cyber.mil/legacy">V-44737</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-23270r415826_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\
+ Policy Name: Enable the default search provider
+ Policy State: Enabled
+ Policy Value: N/A
+
+</fixtext><fix id="F-23270r415826_fix" /><check system="C-23281r415825_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If DefaultSearchProviderEnabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the DefaultSearchProviderEnabled value name does not exist or its value data is not set to 1, then this is a finding.
+
+Note: This policy will only display in the chrome://policy tab on domain joined systems. On standalone systems, the policy will not display.</check-content></check></Rule></Group><Group id="V-221567"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221567r615937_rule" weight="10.0" severity="medium"><version>DTBC-0011</version><title>The Password Manager must be disabled.</title><description>&lt;VulnDiscussion&gt;Enables saving passwords and using saved passwords in Google Chrome. Malicious sites may take advantage of this feature by using hidden fields gain access to the stored information. If you enable this setting, users can have Google Chrome memorize passwords and provide them automatically the next time they log in to a site. If you disable this setting, users are not able to save passwords or use already saved passwords. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. 
ListPassword manager should not be used as it stores passwords locally.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57575</ident><ident system="http://cyber.mil/legacy">V-44741</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-23271r415829_fix">Windows group policy:
+1. Open the group policy editor tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Password Manager\
+Policy Name: Enable Saving Passwords to the Password Manager
+Policy State: Disabled
+Policy Value: N/A</fixtext><fix id="F-23271r415829_fix" /><check system="C-23282r415828_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If PasswordManagerEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the PasswordManagerEnabled value name does not exist or its value data is not set to 0, then this is a finding.
+</check-content></check></Rule></Group><Group id="V-221570"><title>SRG-APP-000112</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221570r615937_rule" weight="10.0" severity="medium"><version>DTBC-0017</version><title>Background processing must be disabled.</title><description>&lt;VulnDiscussion&gt;Determines whether a Google Chrome process is started on OS login that keeps running when the last browser window is closed, allowing background apps to remain active. The background process displays an icon in the system tray and can always be closed from there. If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings. If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings. If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings.' - Google Chrome Administrators Policy ListThis setting, if enabled, allows Google Chrome to run at all times. There is two reasons that this is not wanted. First, it can tie up system resources that might otherwise be needed. 
Second, it does not make it obvious to the user that it is running and poorly written extensions could cause instability on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57587</ident><ident system="http://cyber.mil/legacy">V-44753</ident><ident system="http://cyber.mil/cci">CCI-001695</ident><fixtext fixref="F-23274r415838_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+ Policy Name: Continue running background apps when Google Chrome is closed
+ Policy State: Disabled
+ Policy Value: N/A</fixtext><fix id="F-23274r415838_fix" /><check system="C-23285r415837_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If BackgroundModeEnabled is not displayed under the Policy Name column and it is not set to false under the Policy Value column, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the BackgroundModeEnabled value name does not exist or its value data is not set to 0, then this is a finding.
+</check-content></check></Rule></Group><Group id="V-221571"><title>SRG-APP-000047</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221571r615937_rule" weight="10.0" severity="medium"><version>DTBC-0020</version><title>Google Data Synchronization must be disabled.</title><description>&lt;VulnDiscussion&gt;Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the user will be able to enable Google Sync. Google Sync is used to sync information between different user devices, this data is then stored on Google owned servers. The synced data may consist of information such as email, calendars, viewing history, etc. This feature must be disabled because the organization does not have control over the servers the data is stored on.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57593</ident><ident system="http://cyber.mil/legacy">V-44759</ident><ident system="http://cyber.mil/cci">CCI-001374</ident><fixtext fixref="F-23275r415841_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+ Policy Name: Disable synchronization of data with Google
+ Policy State: Enabled
+ Policy Value: N/A</fixtext><fix id="F-23275r415841_fix" /><check system="C-23286r415840_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If SyncDisabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the SyncDisabled value name does not exist or its value data is not set to 1, then this is a finding.
+</check-content></check></Rule></Group><Group id="V-221572"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221572r615937_rule" weight="10.0" severity="medium"><version>DTBC-0021</version><title>The URL protocol schema javascript must be disabled.</title><description>&lt;VulnDiscussion&gt;Each access to a URL is handled by the browser according to the URL's "scheme". The "scheme" of a URL is the section before the ":". The term "protocol" is often mistakenly used for a "scheme". The difference is that the scheme is how the browser handles a URL and the protocol is how the browser communicates with a service. If a scheme or its associated protocol used by a browser is insecure or obsolete, vulnerabilities can be exploited resulting in exposed data or unrestricted access to the browser's system. The browser must be configured to disable the use of insecure and obsolete schemas (protocols).
+This policy disables the listed protocol schemes in Google Chrome, URLs using a scheme from this list will not load and cannot be navigated to. If this policy is left not set or the list is empty all schemes will be accessible in Google Chrome.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57595</ident><ident system="http://cyber.mil/legacy">V-44761</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-23276r478206_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+ Policy Name: Block access to a list of URLs
+ Policy State: Enabled
+ Policy Value 1: javascript://*</fixtext><fix id="F-23276r478206_fix" /><check system="C-23287r478205_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If URLBlacklist is not displayed under the Policy Name column or it is not set to javascript://* under the Policy Value column, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\URLBlacklist
+ 3. If the URLBlacklist key does not exist, or the does not contain entries 1 set to javascript://*, then this is a finding.
+
+</check-content></check></Rule></Group><Group id="V-221573"><title>SRG-APP-000047</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221573r615937_rule" weight="10.0" severity="medium"><version>DTBC-0023</version><title>Cloud print sharing must be disabled.</title><description>&lt;VulnDiscussion&gt;Policy enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine. If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account. If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share its printers with Google Cloud Print. If this policy is not set, this will be enabled but the user will be able to change it.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57599</ident><ident system="http://cyber.mil/legacy">V-44765</ident><ident system="http://cyber.mil/cci">CCI-001374</ident><fixtext fixref="F-23277r478209_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+ Policy Name: Enable Google Cloud Print proxy
+ Policy State: Disabled
+ Policy Value: N/A</fixtext><fix id="F-23277r478209_fix" /><check system="C-23288r478208_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If CloudPrintProxyEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the CloudPrintProxyEnabled value name does not exist or its value data is not set to 0, then this is a finding.</check-content></check></Rule></Group><Group id="V-221574"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221574r615937_rule" weight="10.0" severity="medium"><version>DTBC-0025</version><title>Network prediction must be disabled.</title><description>&lt;VulnDiscussion&gt;Enables network prediction in Google Chrome and prevents users from changing this setting. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be disabled but the user will be able to change it.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57603</ident><ident system="http://cyber.mil/legacy">V-44769</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-23278r415850_fix">Windows group policy:
+1. Open the group policy editor tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+Policy Name: Enable network prediction
+Policy State: Enabled
+Policy Value: Do not predict network actions on any network connection</fixtext><fix id="F-23278r415850_fix" /><check system="C-23289r415849_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+1. In the omnibox (address bar) type chrome://policy
+2. If "NetworkPredictionOptions" is not displayed under the “Policy Name” column or it is not set to "2" under the “Policy Value” column, this is a finding.
+Windows method:
+1. Start regedit
+2. Navigate to HKLM\Software\Policies\Google\Chrome\
+3. If the "NetworkPredictionOptions" value name does not exist or its value data is not set to "2," this is a finding.</check-content></check></Rule></Group><Group id="V-221575"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221575r615937_rule" weight="10.0" severity="medium"><version>DTBC-0026</version><title>Metrics reporting to Google must be disabled.</title><description>&lt;VulnDiscussion&gt;Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and crash-related data is sent to Google. A crash report could contain sensitive information from the computer's memory. If you disable this setting, anonymous reporting of usage and crash-related data is never sent to Google. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the setting will be what the user chose upon installation / first run.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57605</ident><ident system="http://cyber.mil/legacy">V-44771</ident><ident 
system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-23279r415853_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+ Policy Name: Enable reporting of usage and crash-related data
+ Policy State: Disabled
+ Policy Value: N/A</fixtext><fix id="F-23279r415853_fix" /><check system="C-23290r415852_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If MetricsReportingEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the MetricsReportingEnabled value name does not exist or its value data is not set to 0, then this is a finding.
+
+Note: This policy will only display in the chrome://policy tab on domain joined systems. On standalone systems, the policy will not display.</check-content></check></Rule></Group><Group id="V-221576"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221576r615937_rule" weight="10.0" severity="medium"><version>DTBC-0027</version><title>Search suggestions must be disabled.</title><description>&lt;VulnDiscussion&gt;Search suggestion should be disabled as it could lead to searches being conducted that were never intended to be made. Enables search suggestions in Google Chrome's omnibox and prevents users from changing this setting. If you enable this setting, search suggestions are used. If you disable this setting, search suggestions are never used. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57607</ident><ident system="http://cyber.mil/legacy">V-44773</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-23280r415856_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+ Policy Name: Enable search suggestions
+ Policy State: Disabled
+ Policy Value: N/A</fixtext><fix id="F-23280r415856_fix" /><check system="C-23291r415855_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If SearchSuggestEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the SearchSuggestEnabled value name does not exist or its value data is not set to 0, then this is a finding.
+</check-content></check></Rule></Group><Group id="V-221577"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221577r615937_rule" weight="10.0" severity="medium"><version>DTBC-0029</version><title>Importing of saved passwords must be disabled.</title><description>&lt;VulnDiscussion&gt;Importing of saved passwords should be disabled as it could lead to unencrypted account passwords stored on the system from another browser to be viewed. This policy forces the saved passwords to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. If disabled, the saved passwords are not imported. If it is not set, the user may be asked whether to import, or importing may happen automatically.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57609</ident><ident system="http://cyber.mil/legacy">V-44775</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-23281r415859_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+ Policy Name: Import saved passwords from default browser on first run
+ Policy State: Disabled
+ Policy Value: N/A</fixtext><fix id="F-23281r415859_fix" /><check system="C-23292r415858_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If ImportSavedPasswords is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the ImportSavedPasswords value name does not exist or its value data is not set to 0, then this is a finding.</check-content></check></Rule></Group><Group id="V-221578"><title>SRG-APP-000080</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221578r615937_rule" weight="10.0" severity="medium"><version>DTBC-0030</version><title>Incognito mode must be disabled.</title><description>&lt;VulnDiscussion&gt;Incognito mode allows the user to browse the Internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser history is retained. The "IncognitoModeAvailability" setting controls whether the user may utilize Incognito mode in Google Chrome. If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode. If 'Disabled' is selected, pages may not be opened in Incognito mode. If 'Forced' is selected, pages may be opened ONLY in Incognito mode.
+ 0 = Incognito mode available.
+ 1 = Incognito mode disabled.
+ 2 = Incognito mode forced.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57611</ident><ident system="http://cyber.mil/legacy">V-44777</ident><ident system="http://cyber.mil/cci">CCI-000166</ident><fixtext fixref="F-23282r415862_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+ Policy Name: Incognito mode availability
+ Policy State: Enabled
+ Policy Value: Incognito mode disabled</fixtext><fix id="F-23282r415862_fix" /><check system="C-23293r415861_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If IncognitoModeAvailability is not displayed under the Policy Name column or it is not set to 1 under the Policy Value column, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the IncognitoModeAvailability value name does not exist or its value data is not set to 1, then this is a finding.
+</check-content></check></Rule></Group><Group id="V-221579"><title>SRG-APP-000605</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221579r615937_rule" weight="10.0" severity="medium"><version>DTBC-0037</version><title>Online revocation checks must be done.</title><description>&lt;VulnDiscussion&gt;By setting this policy to true, the previous behavior is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online revocation checks. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57623</ident><ident system="http://cyber.mil/legacy">V-44789</ident><ident system="http://cyber.mil/cci">CCI-000185</ident><fixtext fixref="F-23283r415865_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+ Policy Name: Whether online OCSP/CRL checks are performed
+ Policy State: Enabled
+ Policy Value: N/A
+</fixtext><fix id="F-23283r415865_fix" /><check system="C-23294r415864_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If EnableOnlineRevocationChecks is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the EnableOnlineRevocationChecks value name does not exist or its value data is not set to 1, then this is a finding.
+</check-content></check></Rule></Group><Group id="V-221580"><title>SRG-APP-000206</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221580r684826_rule" weight="10.0" severity="medium"><version>DTBC-0038</version><title>Safe Browsing must be enabled,</title><description>&lt;VulnDiscussion&gt;Allows you to control whether Google Chrome's Safe Browsing feature is enabled and the mode it operates in.
+
+If this policy is set to 'NoProtection' (value 0), Safe Browsing is never active.
+
+If this policy is set to 'StandardProtection' (value 1, which is the default), Safe Browsing is always active in the standard mode.
+
+If this policy is set to 'EnhancedProtection' (value 2), Safe Browsing is always active in the enhanced mode, which provides better security, but requires sharing more browsing information with Google.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57625</ident><ident system="http://cyber.mil/legacy">V-44791</ident><ident system="http://cyber.mil/cci">CCI-001166</ident><fixtext fixref="F-23284r684825_fix">Windows group policy:
+ 1. Open the “group policy editor” tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Safe Browsing Settings
+ Policy Name: Safe Browsing Protection Level
+ Policy State: Enabled
+ Policy Value: StandardProtection or EnhancedProtection</fixtext><fix id="F-23284r684825_fix" /><check system="C-23295r684824_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If SafeBrowsingProtectionLevel is not displayed under the Policy Name column or it is not set to 1 or 2 under the Policy Value column, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the SafeBrowsingProtectionLevel value name does not exist or its value data is not set to 1 or 2, then this is a finding.</check-content></check></Rule></Group><Group id="V-221581"><title>SRG-APP-000231</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221581r615937_rule" weight="10.0" severity="medium"><version>DTBC-0039</version><title>Browser history must be saved.</title><description>&lt;VulnDiscussion&gt;This policy disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. If this setting is disabled or not set, browsing history is saved.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57627</ident><ident system="http://cyber.mil/legacy">V-44793</ident><ident system="http://cyber.mil/cci">CCI-001199</ident><fixtext fixref="F-23285r415871_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+ Policy Name: Disable saving browser history
+ Policy State: Disabled
+ Policy Value: N/A</fixtext><fix id="F-23285r415871_fix" /><check system="C-23296r415870_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If the policy 'SavingBrowserHistoryDisabled' is not shown or is not set to false, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the SavingBrowserHistoryDisabled value name does not exist or its value data is not set to 0, then this is a finding.
+</check-content></check></Rule></Group><Group id="V-221582"><title>SRG-APP-000089</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221582r615937_rule" weight="10.0" severity="medium"><version>DTBC-0040</version><title>Default behavior must block webpages from automatically running plugins.</title><description>&lt;VulnDiscussion&gt;This policy allows you to set whether websites are allowed to automatically run the Flash plugin. Automatically running the Flash plugin can be either allowed for all websites or denied for all websites. If this policy is left not set, the user will be able to change this setting manually.
+ 1 = Allow all sites to automatically run Flash plugin
+ 2 = Block the Flash plugin
+ 3 = Click to play&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57629</ident><ident system="http://cyber.mil/legacy">V-44795</ident><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-23286r415874_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
+ Policy Name: Default Flash setting
+ Policy State: Enabled
+ Policy Value: Click to play</fixtext><fix id="F-23286r415874_fix" /><check system="C-23297r415873_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If the policy "DefaultPluginsSetting" is not shown or is not set to "3", this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\DefaultPluginsSetting
+ 3. If this key "DefaultPluginsSetting" does not exist or is not set to "3", this is a finding.</check-content></check></Rule></Group><Group id="V-221584"><title>SRG-APP-000456</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221584r615937_rule" weight="10.0" severity="medium"><version>DTBC-0050</version><title>The version of Google Chrome running on the system must be a supported version.</title><description>&lt;VulnDiscussion&gt;Google Chrome is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the browser can introduce security vulnerabilities to the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-57639</ident><ident system="http://cyber.mil/legacy">V-44805</ident><ident system="http://cyber.mil/cci">CCI-002605</ident><fixtext fixref="F-23288r415880_fix">Install a supported version of Google Chrome.</fixtext><fix id="F-23288r415880_fix" /><check system="C-23299r415879_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+1. In the omnibox (address bar) type chrome://settings/help
+2. Cross-reference the build information displayed with the Google Chrome site to identify, at minimum, the oldest supported build available. As of July 2019, this is 74.x.x.
+3. If the installed version of Chrome is not supported by Google, this is a finding.</check-content></check></Rule></Group><Group id="V-221586"><title>SRG-APP-000089</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221586r615937_rule" weight="10.0" severity="medium"><version>DTBC-0052</version><title>Deletion of browser history must be disabled.</title><description>&lt;VulnDiscussion&gt;Disabling this function will prevent users from deleting their browsing history, which could be used to identify malicious websites and files that could later be used for anti-virus and Intrusion Detection System (IDS) signatures. Furthermore, preventing users from deleting browsing history could be used to identify abusive web surfing on government systems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-89845</ident><ident system="http://cyber.mil/legacy">V-75165</ident><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-23290r415886_fix">Windows group policy:
+ 1. Open the group policy editor tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+ Policy Name: Enable deleting browser and download history
+ Policy State: Disabled
+ Policy Value: N/A</fixtext><fix id="F-23290r415886_fix" /><check system="C-23301r415885_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If the policy "AllowDeletingBrowserHistory" is not shown or is not set to false, this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the "AllowDeletingBrowserHistory" value name does not exist or its value data is not set to "0", this is a finding.</check-content></check></Rule></Group><Group id="V-221587"><title>SRG-APP-000089</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221587r615937_rule" weight="10.0" severity="medium"><version>DTBC-0053</version><title>Prompt for download location must be enabled.</title><description>&lt;VulnDiscussion&gt;If the policy is enabled, the user will be asked where to save each file before downloading. If the policy is disabled, downloads will start immediately, and the user will not be asked where to save the file. If the policy is not configured, the user will be able to change this setting.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-94633</ident><ident system="http://cyber.mil/legacy">V-79929</ident><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-23291r415889_fix">Windows group policy:
+1. Open the group policy editor tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+ Policy Name: Ask where to save each file before downloading
+ Policy State: Enabled
+ Policy Value: N/A</fixtext><fix id="F-23291r415889_fix" /><check system="C-23302r415888_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+1. In the omnibox (address bar) type chrome:// policy
+2. If "PromptForDownloadLocation" is not displayed under the "Policy Name" column or it is not set to "true" under the "Policy Value" column, then this is a finding.
+Windows method:
+1. Start regedit
+2. Navigate to HKLM\Software\Policies\Google\Chrome\
+3. If the "PromptForDownloadLocation" value name does not exist or its value data is not set to "1", this is a finding.</check-content></check></Rule></Group><Group id="V-221588"><title>SRG-APP-000089</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221588r615937_rule" weight="10.0" severity="medium"><version>DTBC-0055</version><title>Download restrictions must be configured.</title><description>&lt;VulnDiscussion&gt;Configure the type of downloads that Google Chrome will completely block, without letting users override the security decision. If you set this policy, Google Chrome will prevent certain types of downloads, and will not let user bypass the security warnings. When the "Block dangerous downloads" option is chosen, all downloads are allowed, except for those that carry SafeBrowsing warnings. When the "Block potentially dangerous downloads" option is chosen, all downloads allowed, except for those that carry SafeBrowsing warnings of potentially dangerous downloads. When the "Block all downloads" option is chosen, all downloads are blocked. When this policy is not set, (or the "No special restrictions" option is chosen), the downloads will go through the usual security restrictions based on SafeBrowsing analysis results.
+
+Note that these restrictions apply to downloads triggered from web page content, as well as the 'download link...' context menu option. These restrictions do not apply to the save / download of the currently displayed page, nor does it apply to saving as PDF from the printing options. See https://developers.google.com/safe-browsing for more info on SafeBrowsing.
+0 = No special restrictions
+1 = Block dangerous downloads
+2 = Block potentially dangerous downloads
+3 = Block all downloads&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-94635</ident><ident system="http://cyber.mil/legacy">V-79931</ident><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-23292r415892_fix">If the system is on the SIPRNet, this requirement is NA.
+Windows group policy:
+1. Open the group policy editor tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+Policy Name: Allow download restrictions
+Policy State: 1 or 2
+Policy Value: N/A</fixtext><fix id="F-23292r415892_fix" /><check system="C-23303r415891_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>If the system is on the SIPRNet, this requirement is NA.
+Universal method:
+1. In the omnibox (address bar) type chrome:// policy
+2. If "DownloadRestrictions" is not displayed under the "Policy Name" column or it is not set to "1" or "2" under the "Policy Value" column, then this is a finding.
+
+Windows method:
+1. Start regedit
+2. Navigate to HKLM\Software\Policies\Google\Chrome\
+3. If the "DownloadRestrictions" value name does not exist or its value data is not set to "1" or "2", then this is a finding.</check-content></check></Rule></Group><Group id="V-221590"><title>SRG-APP-000206</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221590r615937_rule" weight="10.0" severity="medium"><version>DTBC-0057</version><title>Safe Browsing Extended Reporting must be disabled.</title><description>&lt;VulnDiscussion&gt;Enables Google Chrome's Safe Browsing Extended Reporting and prevents users from changing this setting. Extended Reporting sends some system information and page content to Google servers to help detect dangerous apps and sites.
+If the setting is set to "True", then reports will be created and sent whenever necessary (such as when a security interstitial is shown).
+If the setting is set to "False", reports will never be sent.
+If this policy is set to "True" or "False", the user will not be able to modify the setting.
+If this policy is left unset, the user will be able to change the setting and decide whether to send reports or not.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-96299</ident><ident system="http://cyber.mil/legacy">V-81585</ident><ident system="http://cyber.mil/cci">CCI-001166</ident><fixtext fixref="F-23294r415898_fix">Windows group policy:
+1. Open the “group policy editor” tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Safe Browsing settings\
+Policy Name: Enable Safe Browsing Extended Reporting
+Policy State: Disabled
+Policy Value: N/A</fixtext><fix id="F-23294r415898_fix" /><check system="C-23305r415897_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If "SafeBrowsingExtendedReportingEnabled" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding.
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the "SafeBrowsingExtendedReportingEnabled" value name does not exist or its value data is not set to "0", this is a finding.</check-content></check></Rule></Group><Group id="V-221591"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221591r615937_rule" weight="10.0" severity="medium"><version>DTBC-0058</version><title>WebUSB must be disabled.</title><description>&lt;VulnDiscussion&gt;Allows you to set whether websites are allowed to get access to connected USB devices. Access can be completely blocked, or the user can be asked every time a website wants to get access to connected USB devices.
+If this policy is left not set, ”3” will be used, and the user will be able to change it.
+2 = Do not allow any site to request access to USB devices via the WebUSB API
+3 = Allow sites to ask the user to grant access to a connected USB device&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-96301</ident><ident system="http://cyber.mil/legacy">V-81587</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-23295r415901_fix">Windows group policy:
+ 1. Open the “group policy editor” tool with gpedit.msc
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings
+ Policy Name: Control use of the WebUSB API
+ Policy State: Enabled
+ Policy Value: 2
+</fixtext><fix id="F-23295r415901_fix" /><check system="C-23306r415900_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If "DefaultWebUsbGuardSetting" is not displayed under the "Policy Name" column or it is not set to "2", this is a finding.
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the "DefaultWebUsbGuardSetting" value name does not exist or its value data is not set to "2", this is a finding.</check-content></check></Rule></Group><Group id="V-221592"><title>SRG-APP-000089</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221592r615937_rule" weight="10.0" severity="medium"><version>DTBC-0060</version><title>Chrome Cleanup must be disabled.</title><description>&lt;VulnDiscussion&gt;If set to “False”, prevents Chrome Cleanup from scanning the system for unwanted software and performing cleanups. Manually triggering Chrome Cleanup from chrome://settings/cleanup is disabled.
+If set to “True” or unset, Chrome Cleanup periodically scans the system for unwanted software and should any be found, will ask the user if they wish to remove it. Manually triggering Chrome Cleanup from chrome://settings is enabled.
+This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-96305</ident><ident system="http://cyber.mil/legacy">V-81591</ident><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-23296r415904_fix">Windows group policy:
+1. Open the “group policy editor” tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome
+Policy Name: Enables Chrome Cleanup on Windows
+Policy State: Disabled
+Policy Value: N/A</fixtext><fix id="F-23296r415904_fix" /><check system="C-23307r415903_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If "ChromeCleanupEnabled" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding.
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the "ChromeCleanupEnabled" value name does not exist or its value data is not set to "0", this is a finding.</check-content></check></Rule></Group><Group id="V-221593"><title>SRG-APP-000089</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221593r615937_rule" weight="10.0" severity="medium"><version>DTBC-0061</version><title>Chrome Cleanup reporting must be disabled.</title><description>&lt;VulnDiscussion&gt;If unset, should Chrome Cleanup detect unwanted software, it may report metadata about the scan to Google in accordance with policy set by “SafeBrowsingExtendedReportingEnabled”. Chrome Cleanup will then ask the user if they wish to clean up the unwanted software. The user can choose to share results of the cleanup with Google to assist with future unwanted software detection. These results contain file metadata and registry keys as described by the Chrome Privacy Whitepaper.
+If set to “false”, should Chrome Cleanup detect unwanted software, it will not report metadata about the scan to Google, overriding any policy set by “SafeBrowsingExtendedReportingEnabled”. Chrome Cleanup will ask the user if they wish to clean up the unwanted software. Results of the cleanup will not be reported to Google and the user will not have the option to do so.
+If set to “true”, should Chrome Cleanup detect unwanted software, it may report metadata about the scan to Google in accordance with policy set by “SafeBrowsingExtendedReportingEnabled”. Chrome Cleanup will ask the user if they wish to clean up the unwanted software. Results of the cleanup will be reported to Google and the user will not have the option to prevent it.
+This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-96307</ident><ident system="http://cyber.mil/legacy">V-81593</ident><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-23297r415907_fix">Windows group policy:
+1. Open the “group policy editor” tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome
+Policy Name: Control how Chrome Cleanup reports data to Google
+Policy State: Disabled
+Policy Value: N/A</fixtext><fix id="F-23297r415907_fix" /><check system="C-23308r415906_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If "ChromeCleanupReportingEnabled" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding.
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the "ChromeCleanupReportingEnabled" value name does not exist or its value data is not set to "0", this is a finding.</check-content></check></Rule></Group><Group id="V-221594"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221594r615937_rule" weight="10.0" severity="medium"><version>DTBC-0063</version><title>Google Cast must be disabled.</title><description>&lt;VulnDiscussion&gt;If this policy is set to ”True” or is not set, Google Cast will be enabled, and users will be able to launch it from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the “Cast toolbar” icon.
+If this policy set to ”False”, Google Cast will be disabled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-96311</ident><ident system="http://cyber.mil/legacy">V-81597</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-23298r415910_fix">Windows group policy:
+1. Open the “group policy editor” tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Google Cast
+Policy Name: Enable Google Cast
+Policy State: Disabled
+Policy Value: N/A</fixtext><fix id="F-23298r415910_fix" /><check system="C-23309r415909_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If "EnableMediaRouter" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding.
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the "EnableMediaRouter" value name does not exist or its value data is not set to "0", this is a finding.</check-content></check></Rule></Group><Group id="V-221595"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221595r615937_rule" weight="10.0" severity="medium"><version>DTBC-0064</version><title>Autoplay must be disabled.</title><description>&lt;VulnDiscussion&gt;Allows you to control if videos can play automatically (without user consent) with audio content in Google Chrome.
+If the policy is set to “True”, Google Chrome is allowed to autoplay media. If the policy is set to “False”, Google Chrome is not allowed to autoplay media. The “AutoplayWhitelist” policy can be used to override this for certain URL patterns. By default, Google Chrome is not allowed to autoplay media. The “AutoplayWhitelist” policy can be used to override this for certain URL patterns.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-96295</ident><ident system="http://cyber.mil/legacy">V-81581</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-23299r415913_fix">Windows group policy:
+1. Open the “group policy editor” tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+Policy Name: Allow media autoplay
+Policy State: Disabled
+Policy Value: N/A</fixtext><fix id="F-23299r415913_fix" /><check system="C-23310r415912_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If "AutoplayAllowed" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding.
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the "AutoplayAllowed" value name does not exist or its value data is not set to "0", this is a finding.</check-content></check></Rule></Group><Group id="V-221596"><title>SRG-APP-000210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221596r615937_rule" weight="10.0" severity="medium"><version>DTBC-0065</version><title>URLs must be whitelisted for Autoplay use.</title><description>&lt;VulnDiscussion&gt;Controls the whitelist of URL patterns that autoplay will always be enabled on.
+If the “AutoplayAllowed” policy is set to “True” then this policy will have no effect.
+If the “AutoplayAllowed” policy is set to “False” then any URL patterns set in this policy will still be allowed to play.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-96303</ident><ident system="http://cyber.mil/legacy">V-81589</ident><ident system="http://cyber.mil/cci">CCI-001170</ident><fixtext fixref="F-23300r415916_fix">Windows group policy:
+1. Open the “group policy editor” tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome
+Policy Name: Allow media autoplay on a whitelist of URL patterns
+Policy State: Enabled
+Policy Value 1: [*.]mil
+Policy Value 2: [*.]gov</fixtext><fix id="F-23300r415916_fix" /><check system="C-23311r415915_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If “AutoplayWhitelist” is not displayed under the “Policy Name” column or it is not set to a list of administrator-approved URLs under the “Policy Value” column, this is a finding.
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the “AutoplayWhitelist” key does not exist and it does not contain a list of administrator-approved URLs, this is a finding.
+Suggested: the set or subset of [*.]mil and [*.]gov</check-content></check></Rule></Group><Group id="V-221597"><title>SRG-APP-000206</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221597r615937_rule" weight="10.0" severity="medium"><version>DTBC-0066</version><title>Anonymized data collection must be disabled.</title><description>&lt;VulnDiscussion&gt;Enable URL-keyed anonymized data collection in Google Chrome and prevent users from changing this setting.
+URL-keyed anonymized data collection sends URLs of pages the user visits to Google to make searches and browsing better.
+If you enable this policy, URL-keyed anonymized data collection is always active.
+If you disable this policy, URL-keyed anonymized data collection is never active.
+If this policy is left not set, URL-keyed anonymized data collection will be enabled but the user will be able to change it.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-101303</ident><ident system="http://cyber.mil/legacy">V-91203</ident><ident system="http://cyber.mil/cci">CCI-001166</ident><fixtext fixref="F-23301r415919_fix">Windows group policy:
+1. Open the group policy editor tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+Policy Name: Enable URL-keyed anonymized data collection
+Policy State: Disabled
+Policy Value: NA</fixtext><fix id="F-23301r415919_fix" /><check system="C-23312r415918_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+1. In the omnibox (address bar) type chrome://policy
+2. If "UrlKeyedAnonymizedDataCollectionEnabled" is not displayed under the “Policy Name” column or it is not set to "0" under the “Policy Value” column, this is a finding.
+Windows method:
+1. Start regedit
+2. Navigate to HKLM\Software\Policies\Google\Chrome\
+3. If the “UrlKeyedAnonymizedDataCollectionEnabled" value name does not exist or its value data is not set to "0," this is a finding.</check-content></check></Rule></Group><Group id="V-221598"><title>SRG-APP-000206</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221598r615937_rule" weight="10.0" severity="medium"><version>DTBC-0067</version><title>Collection of WebRTC event logs must be disabled.</title><description>&lt;VulnDiscussion&gt;If the policy is set to “true”, Google Chrome is allowed to collect WebRTC event logs from Google services (e.g., Google Meet), and upload those logs to Google.
+If the policy is set to “false”, or is unset, Google Chrome may not collect nor upload such logs.
+These logs contain diagnostic information helpful when debugging issues with audio or video calls in Chrome, such as the time and size of sent and received RTP packets, feedback about congestion on the network, and metadata about time and quality of audio and video frames. These logs do not contain audio or video contents from the call.
+This data collection by Chrome can only be triggered by Google's web services, such as Google Hangouts or Google Meet.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-101305</ident><ident system="http://cyber.mil/legacy">V-91205</ident><ident system="http://cyber.mil/cci">CCI-001166</ident><fixtext fixref="F-23302r415922_fix">Windows group policy:
+1. Open the group policy editor tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+Policy Name: Allow collection of WebRTC event logs from Google services
+Policy State: Disabled
+Policy Value: NA</fixtext><fix id="F-23302r415922_fix" /><check system="C-23313r415921_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+1. In the omnibox (address bar) type chrome://policy
+2. If "WebRtcEventLogCollectionAllowed" is not displayed under the “Policy Name” column or it is not set to "0" under the “Policy Value” column, this is a finding.
+Windows method:
+1. Start regedit
+2. Navigate to HKLM\Software\Policies\Google\Chrome\
+3. If the "WebRtcEventLogCollectionAllowed" value name does not exist or its value data is not set to "0," this is a finding.</check-content></check></Rule></Group><Group id="V-221599"><title>SRG-APP-000266</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-221599r615937_rule" weight="10.0" severity="low"><version>DTBC-0068</version><title>Chrome development tools must be disabled.</title><description>&lt;VulnDiscussion&gt;While the risk associated with browser development tools is more related to the proper design of a web application, a risk vector remains within the browser. The developer tools allow end users and application developers to view and edit all types of web application related data via the browser. Page elements, source code, javascript, API calls, application data, etc. may all be viewed and potentially manipulated. Manipulation could be useful for troubleshooting legitimate issues, and this may be performed in a development environment. 
Manipulation could also be malicious and must be addressed.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106629</ident><ident system="http://cyber.mil/legacy">V-97525</ident><ident system="http://cyber.mil/cci">CCI-001312</ident><fixtext fixref="F-23303r478215_fix">Windows group policy:
+1. Open the "group policy editor" tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome
+Policy Name: Control where Developer Tools can be used
+Policy State: Enabled
+Policy Value: Disallow usage of the Developer Tools</fixtext><fix id="F-23303r478215_fix" /><check system="C-23314r478214_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+1. In the omnibox (address bar) type chrome://policy
+2. If the policy "DeveloperToolsAvailability" is not shown or is not set to "2", this is a finding.
+
+Windows method:
+1. Start regedit
+2. Navigate to HKLM\Software\Policies\Google\Chrome\
+3. If the key "DeveloperToolsAvailability" does not exist or is not set to "2", this is a finding.</check-content></check></Rule></Group><Group id="V-226401"><title>SRG-APP-000206</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-226401r615937_rule" weight="10.0" severity="medium"><version>DTBC-0069</version><title>Guest Mode must be disabled.</title><description>&lt;VulnDiscussion&gt;If this policy is set to true or not configured, Google Chrome will enable guest logins. Guest logins are Google Chrome profiles where all windows are in incognito mode.
+
+If this policy is set to false, Google Chrome will not allow guest profiles to be started.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111829</ident><ident system="http://cyber.mil/legacy">V-102867</ident><ident system="http://cyber.mil/cci">CCI-001166</ident><fixtext fixref="F-28097r478218_fix">Windows group policy:
+1. Open the "group policy editor" tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+Policy Name: Enable guest mode in browser
+Policy State: Disabled</fixtext><fix id="F-28097r478218_fix" /><check system="C-28109r478217_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+1. In the omnibox (address bar) type chrome://policy
+2. If BrowserGuestModeEnabled is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding.
+
+Windows method:
+1. Start regedit
+2. Navigate to HKLM\Software\Policies\Google\Chrome\
+3. If the BrowserGuestModeEnabled value name does not exist or its value data is not set to 0, this is a finding.</check-content></check></Rule></Group><Group id="V-226402"><title>SRG-APP-000206</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-226402r615937_rule" weight="10.0" severity="medium"><version>DTBC-0070</version><title>AutoFill for credit cards must be disabled.</title><description>&lt;VulnDiscussion&gt;Enabling Google Chrome's AutoFill feature allows users to auto complete credit card information in web forms using previously stored information.
+If this setting is disabled, Autofill will never suggest or fill credit card information, nor will it save additional credit card information that the user might submit while browsing the web.
+
+If this setting is enabled or has no value, the user will be able to control Autofill for credit cards in the UI.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111831</ident><ident system="http://cyber.mil/legacy">V-102869</ident><ident system="http://cyber.mil/cci">CCI-001166</ident><fixtext fixref="F-28098r478221_fix">Windows group policy:
+1. Open the "group policy editor" tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+Policy Name: Enable AutoFill for credit cards
+Policy State: Disabled</fixtext><fix id="F-28098r478221_fix" /><check system="C-28110r478220_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+1. In the omnibox (address bar) type chrome://policy
+2. If AutofillCreditCardEnabled is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding.
+
+Windows method:
+1. Start regedit
+2. Navigate to HKLM\Software\Policies\Google\Chrome\
+3. If the AutofillCreditCardEnabled value name does not exist or its value data is not set to 0, this is a finding.</check-content></check></Rule></Group><Group id="V-226403"><title>SRG-APP-000206</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-226403r615937_rule" weight="10.0" severity="medium"><version>DTBC-0071</version><title>AutoFill for addresses must be disabled.</title><description>&lt;VulnDiscussion&gt;Enabling Google Chrome's AutoFill feature allows users to auto complete address information in web forms using previously stored information.
+If this setting is disabled, Autofill will never suggest or fill address information, nor will it save additional address information that the user might submit while browsing the web.
+
+If this setting is enabled or has no value, the user will be able to control Autofill for addresses in the UI.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111833</ident><ident system="http://cyber.mil/legacy">V-102871</ident><ident system="http://cyber.mil/cci">CCI-001166</ident><fixtext fixref="F-28099r478224_fix">Windows group policy:
+1. Open the "group policy editor" tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+Policy Name: Enable AutoFill for addresses
+Policy State: Disabled</fixtext><fix id="F-28099r478224_fix" /><check system="C-28111r478223_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+1. In the omnibox (address bar) type chrome://policy
+2. If AutofillAddressEnabled is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding.
+
+Windows method:
+1. Start regedit
+2. Navigate to HKLM\Software\Policies\Google\Chrome\
+3. If the AutofillAddressEnabled value name does not exist or its value data is not set to 0, this is a finding.</check-content></check></Rule></Group><Group id="V-226404"><title>SRG-APP-000206</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-226404r615937_rule" weight="10.0" severity="medium"><version>DTBC-0072</version><title>Import AutoFill form data must be disabled.</title><description>&lt;VulnDiscussion&gt;This policy forces the autofill form data to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog.
+If disabled, the autofill form data is not imported.
+
+If it is not set, the user may be asked whether to import, or importing may happen automatically.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111835</ident><ident system="http://cyber.mil/legacy">V-102873</ident><ident system="http://cyber.mil/cci">CCI-001166</ident><fixtext fixref="F-28100r478227_fix">Windows group policy:
+1. Open the "group policy editor" tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+Policy Name: Import autofill form data from default browser on first run
+Policy State: Disabled</fixtext><fix id="F-28100r478227_fix" /><check system="C-28112r478226_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+1. In the omnibox (address bar) type chrome://policy
+2. If ImportAutofillFormData is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding.
+
+Windows method:
+1. Start regedit
+2. Navigate to HKLM\Software\Policies\Google\Chrome\
+3. If the ImportAutofillFormData value name does not exist or its value data is not set to 0, this is a finding.
+</check-content></check></Rule></Group><Group id="V-234701"><title>SRG-APP-000416</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234701r615937_rule" weight="10.0" severity="high"><version>DTBC-0056</version><title>Chrome must be configured to allow only TLS.</title><description>&lt;VulnDiscussion&gt;If this policy is not configured then Google Chrome uses a default minimum version, which is TLS 1.0. Otherwise, it may be set to one of the following values: "tls1", "tls1.1" or "tls1.2".
+When set, Google Chrome will not use SSL/TLS versions less than the specified version. An unrecognized value will be ignored.
+"tls1" = TLS 1.0
+"tls1.1" = TLS 1.1
+"tls1.2" = TLS 1.2&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-81583</ident><ident system="http://cyber.mil/cci">CCI-002450</ident><fixtext fixref="F-37849r622476_fix">Windows group policy:
+ 1. Open the “group policy editor” tool with gpedit.msc.
+ 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\
+ Policy Name: Minimum SSL version enabled
+ Policy State: Enabled
+ Policy Value: TLS 1.2</fixtext><fix id="F-37849r622476_fix" /><check system="C-37887r622475_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+ 1. In the omnibox (address bar) type chrome://policy
+ 2. If "SSLVersionMin" is not displayed under the "Policy Name" column or it is not set to "tls1.2", this is a finding.
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the "SSLVersionMin" value name does not exist or its value data is not set to "tls1.2", this is a finding.</check-content></check></Rule></Group><Group id="V-241787"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-241787r720329_rule" weight="10.0" severity="medium"><version>DTBC-0073</version><title>Web Bluetooth API must be disabled.</title><description>&lt;VulnDiscussion&gt;Setting the policy to 3 lets websites ask for access to nearby Bluetooth devices. Setting the policy to 2 denies access to nearby Bluetooth devices.
+
+Leaving the policy unset lets sites ask for access, but users can change this setting.
+
+2 = Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API
+3 = Allow sites to ask the user to grant access to a nearby Bluetooth device&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Google Chrome Current Windows</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Google Chrome Current Windows</dc:subject><dc:identifier>4081</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-34246</ident><ident system="http://cyber.mil/legacy">V-26961</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-45022r720328_fix">Windows group policy:
+1. Open the “group policy editor” tool with gpedit.msc
+2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings
+ Policy Name: Control use of the Web Bluetooth API
+ Policy State: Enabled
+ Policy Value: Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API</fixtext><fix id="F-45022r720328_fix" /><check system="C-45063r684828_chk"><check-content-ref href="Google_Chrome_Current_Windows_STIG.xml" name="M" /><check-content>Universal method:
+1. In the omnibox (address bar) type chrome://policy
+2. If DefaultWebBluetoothGuardSetting is not displayed under the Policy Name column or it is not set to 2 under the Policy Value column, then this is a finding.
+
+Windows method:
+ 1. Start regedit
+ 2. Navigate to HKLM\Software\Policies\Google\Chrome\
+ 3. If the DefaultWebBluetoothGuardSetting value name does not exist or its value data is not set to 2, then this is a finding.</check-content></check></Rule></Group></Benchmark>
\ No newline at end of file
From abf1546334f7d7043cdcac34f5cf1ee6796d6521 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 26 Jul 2021 18:26:57 +0200
Subject: [PATCH 09/10] Remove documentation on how to manually generate
stig_overlay.xml files.
---
.../04_updating_reference_and_overlay.md | 32 -------------------
1 file changed, 32 deletions(-)
delete mode 100644 docs/manual/developer/04_updating_reference_and_overlay.md
diff --git a/docs/manual/developer/04_updating_reference_and_overlay.md b/docs/manual/developer/04_updating_reference_and_overlay.md
deleted file mode 100644
index df16d8b7bae..00000000000
--- a/docs/manual/developer/04_updating_reference_and_overlay.md
+++ /dev/null
@@ -1,32 +0,0 @@
-# Updating Reference and Overlay Content
-
-## Reference Content
-
-### STIG Reference Content
-
-## STIG Overlay Content
-
-`stig_overlay.xml` maps an official product/version STIG release with a
-SSG product/version STIG release.
-
-**`stig_overlay.xml` should never be manually created or updated. It
-should always be generated using `create-stig-overlay.py`.**
-
-### Creating stig_overlay.xml
-
-To create `stig_overlay.xml`, there are two things that are required: an
-official non-draft STIG release from DISA containing a XCCDF file (e.g.
-`U_Red_Hat_Enterprise_Linux_7_STIG_V1R1_Manual-xccdf.xml` and an XCCDF
-file built by the project (e.g. `ssg-rhel7-xccdf.xml`)
-
-Example using `create-stig-overlay.py`:
-
- $ PYTHONPATH=`./.pyenv.sh` utils/create-stig-overlay.py --disa-xccdf=disa-stig-rhel7-v1r12-xccdf-manual.xml --ssg-xccdf=ssg-rhel7-xccdf.xml -o rhel7/overlays/stig_overlay.xml
-
-### Updating stig_overlay.xml
-
-To update `stig_overlay.xml`, use the `create-stig-overlay.py` script as
-mentioned above. Then, submit a pull request to replace the
-`stig_overlay.xml` file that is needing to be updated. Please note that
-as a part of this update rules that have been removed from the official
-STIG will be removed here as well.
From 58b06ff7b3c44f624ea40b70a23d565fdc80e213 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 27 Jul 2021 18:32:03 +0200
Subject: [PATCH 10/10] Fix STIG XSLT transformation to show important and
correct information.
---
shared/transforms/shared_xccdf-apply-overlay-stig.xslt | 7 ++++---
shared/transforms/shared_xccdf2table-stig.xslt | 2 ++
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/shared/transforms/shared_xccdf-apply-overlay-stig.xslt b/shared/transforms/shared_xccdf-apply-overlay-stig.xslt
index 89949b38550..945f709b956 100644
--- a/shared/transforms/shared_xccdf-apply-overlay-stig.xslt
+++ b/shared/transforms/shared_xccdf-apply-overlay-stig.xslt
@@ -21,7 +21,8 @@
<xsl:variable name="rules" select="//xccdf:Rule"/>
<xsl:for-each select="$overlays/xccdf:overlay"> <!-- make sure overlays file namespace is XCCDF (hack) -->
- <xsl:variable name="overlay_id" select="@ownerid"/>
+ <xsl:variable name="overlay_id" select="xccdf:VMSinfo/@VKey"/>
+ <xsl:variable name="overlay_version" select="@ownerid"/>
<xsl:variable name="overlay_rule" select="@ruleid"/>
<xsl:variable name="overlay_severity" select="@severity"/>
<xsl:variable name="overlay_ref" select="@disa"/>
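Review bot: `overlay_id` is now read from `xccdf:VMSinfo/@VKey` with no check that the attribute is present, so an overlay entry without a `VMSinfo` child in the XCCDF namespace yields an empty string. That empty value feeds the `Group id` and the `check system` attribute built from `$overlay_id` in the next hunk, so several entries could end up with the same `V-` identifier in the generated STIG output. Consider wrapping the per-overlay body in `<xsl:if test="xccdf:VMSinfo/@VKey">` or reporting the entry with `<xsl:message>` when it is missing. A one-line comment stating that `overlay_version` carries `@ownerid` (presumably the STIG version identifier) would also help, since the variable names no longer say where the values come from. The enclosing template starts and ends outside this hunk.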
@@ -29,11 +30,11 @@
<xsl:for-each select="$rules">
<xsl:if test="@id=$overlay_rule">
- <Group id="{$overlay_id}">
+ <Group id="V-{$overlay_id}">
<title>SRG-OS-ID</title>
<description></description>
<Rule id="{$overlay_rule}" severity="{$overlay_severity}" >
- <version><xsl:value-of select="$overlay_id"/></version>
+ <version><xsl:value-of select="$overlay_version"/></version>
<title><xsl:value-of select="$overlay_title"/></title>
<description><xsl:copy-of select="xccdf:rationale/node()" /></description>
<check system="C-{$overlay_id}_chk">
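Review bot: The unchanged line `<check system="C-{$overlay_id}_chk">` changes its output with this commit, because `$overlay_id` now holds the VKey rather than `@ownerid`. If that is intended, record it next to the line with something like `<!-- check system is derived from the VMSinfo VKey -->`; if the previous value was meant to be kept, the attribute should reference `$overlay_version` instead. The new `V-{$overlay_id}` also assumes the VKey is stored without a `V-` prefix, which is worth stating in a comment since the overlay file is not visible here. The `Rule` element continues past the end of this hunk.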
diff --git a/shared/transforms/shared_xccdf2table-stig.xslt b/shared/transforms/shared_xccdf2table-stig.xslt
index 9b38fb4906f..3746c386c0d 100644
--- a/shared/transforms/shared_xccdf2table-stig.xslt
+++ b/shared/transforms/shared_xccdf2table-stig.xslt
@@ -53,6 +53,7 @@
<td>Check Procedures</td>
<td>Fixtext</td>
<td>Version</td>
+ <td>Mapped Rule</td>
<xsl:if test='$notes'>
<td>Notes</td>
</xsl:if>
@@ -89,6 +90,7 @@
<td> <xsl:apply-templates select="cdf:Rule/cdf:check/cdf:check-content/node()"/> </td>
<td> <xsl:apply-templates select="cdf:Rule/cdf:fixtext/node()"/> </td>
<td> <xsl:apply-templates select="cdf:Rule/cdf:version/node()"/> </td>
+ <td> <xsl:value-of select="cdf:Rule/@id"/> </td>
<xsl:if test='$notes'>
<td> <table><xsl:call-template name="print-notes"><xsl:with-param name="vulnid" select="@id"/></xsl:call-template> </table> </td>
</xsl:if>
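Review bot: The new cell uses `<xsl:value-of select="cdf:Rule/@id"/>`, which under XSLT 1.0 emits only the first matching node, while the neighbouring cells use `xsl:apply-templates` and so cover every `cdf:Rule` in the group. If a group can ever hold more than one rule, the "Mapped Rule" column would silently drop the others and the table would under-report the mapping. Either iterate with `<xsl:for-each select="cdf:Rule">` or document the assumption with `<!-- one Rule per Group is assumed; only the first @id is printed -->`. The stylesheet version is not visible in this hunk, so this should be confirmed against the file header.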