diff --git a/linux_os/guide/services/mail/package_mailx_installed/rule.yml b/linux_os/guide/services/mail/package_mailx_installed/rule.yml index 7f7f1ab7394..fcdc7f07bbf 100644 --- a/linux_os/guide/services/mail/package_mailx_installed/rule.yml +++ b/linux_os/guide/services/mail/package_mailx_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel7,sle12,sle15 +prodtype: ol7,ol8,rhel7,rhel8,sle12,sle15 title: 'The mailx Package Is Installed' @@ -16,6 +16,7 @@ severity: medium identifiers: cce@rhel7: CCE-86611-1 + cce@rhel8: CCE-87036-0 cce@sle12: CCE-92331-8 cce@sle15: CCE-92519-8 @@ -26,6 +27,7 @@ references: stigid@ol7: OL07-00-020028 stigid@ol8: OL08-00-010358 stigid@rhel7: RHEL-07-020028 + stigid@rhel8: RHEL-08-010358 stigid@sle12: SLES-12-010498 stigid@sle15: SLES-15-010418 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml index 437f652adda..36cf56b4096 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml @@ -43,6 +43,7 @@ references: nist-csf: DE.CM-1,DE.CM-3,PR.AC-1,PR.AC-4,PR.AC-6 srg: SRG-OS-000123-GPOS-00064,SRG-OS-000002-GPOS-00002 stigid@ol8: OL08-00-020270 + stigid@rhel7: RHEL-07-010271 stigid@rhel8: RHEL-08-020270 ocil_clause: 'any emergency accounts have no expiration date set or do not expire within 72 hours' diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml index 607c25032b9..5ecaae27c5e 100644 --- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml 
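Review bot: The account_emergency_expire_date hunk adds `stigid@rhel7: RHEL-07-010271` but leaves `stigid@rhel8: RHEL-08-020270` in place (visible as the context line right after the addition), while the rhel8 stig.profile in this same change reassigns RHEL-08-020270 from account_emergency_expire_date to account_temp_expire_date, so two rules would carry the same RHEL 8 STIG ID. If account_temp_expire_date does not already reference RHEL-08-020270, that reference should move with the profile selection; if it does, the duplicate here should be dropped so reports and any STIG-ID uniqueness checks map the control to exactly one rule. The RHEL 7 reference itself looks consistent with the rule's emergency-account scope. The references block continues outside the hunk.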
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml @@ -59,6 +59,7 @@ references: pcidss: Req-6.2 srg: SRG-OS-000366-GPOS-00153 stigid@rhel7: RHEL-07-010019 + stigid@rhel8: RHEL-08-010019 ocil_clause: 'the Red Hat GPG Key is not installed' diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index d77fb657f29..e9b573d92c4 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V1R9 + version: V1R10 SMEs: - mab879 - ggbecker @@ -96,6 +96,9 @@ selections: # RHEL-08-010010 - security_patches_up_to_date + # RHEL-08-010019 + - ensure_redhat_gpgkey_installed + # RHEL-08-010020 - sysctl_crypto_fips_enabled @@ -250,6 +253,9 @@ selections: # RHEL-08-010351 - dir_group_ownership_library_dirs + # RHEL-08-010358 + - package_mailx_installed + # RHEL-08-010359 - package_aide_installed - aide_build_database @@ -634,7 +640,7 @@ selections: - account_disable_post_pw_expiration # RHEL-08-020270 - - account_emergency_expire_date + - account_temp_expire_date # RHEL-08-020280 - accounts_password_pam_ocredit diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile index 210fe03455a..f6f25d28904 100644 --- a/products/rhel8/profiles/stig_gui.profile +++ b/products/rhel8/profiles/stig_gui.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V1R9 + version: V1R10 SMEs: - mab879 - ggbecker diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 8fd779c32de..ef6afd3fbeb 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -635,7 +635,6 @@ CCE-87028-7 CCE-87029-5 CCE-87030-3 CCE-87031-1 -CCE-87036-0 CCE-87037-8 CCE-87038-6 CCE-87039-4 
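Review bot: Bumping `version: V1R9` to `version: V1R10` in stig.profile advertises alignment with the new benchmark, yet the updated manual XCCDF vendored in this same commit changes the expected PAM control flag for pam_pwquality and pam_pwhistory in password-auth from `required` to `requisite` (RHEL-08-020100 and RHEL-08-020220 in the XML hunks), and no rule content is touched here. If the corresponding rules or their OVAL/remediation still write or assert `required`, a V1R10 scan will keep passing while a manual DISA check reads differently, so those rules should be verified against the new check text before the version bump lands; the rules themselves are outside this diff, so this is an inference to confirm. The new `package_mailx_installed` selection under RHEL-08-010358 matches the benchmark's added note that the AIDE notification cron job depends on the mail binary, and stig_gui.profile only gets the version bump, which is fine provided it extends stig.profile as its selections are not shown here.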
diff --git a/shared/references/disa-stig-rhel8-v1r9-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r10-xccdf-manual.xml similarity index 87% rename from shared/references/disa-stig-rhel8-v1r9-xccdf-manual.xml rename to shared/references/disa-stig-rhel8-v1r10-xccdf-manual.xml index 4d298231743..752d11c7d4c 100644 --- a/shared/references/disa-stig-rhel8-v1r9-xccdf-manual.xml +++ b/shared/references/disa-stig-rhel8-v1r10-xccdf-manual.xml 
@@ -1,4 +1,4 @@ -acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 9 Benchmark Date: 26 Jan 20233.4.0.342221.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. +acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 10 Benchmark Date: 27 Apr 20233.4.0.342221.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. 
Note: The life-cycle time spans and dates are subject to adjustment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Upgrade to a supported version of RHEL 8.Verify the version of the operating system is vendor supported. 
@@ -777,7 +777,7 @@ $ sudo chgrp root [FILE]SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-08-010360The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. +If any system wide shared library file is returned and is not group-owned by a required system account, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-08-010360The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. 
@@ -787,7 +787,7 @@ This capability must take into account operational requirements for availability RHEL 8 comes with many optional software packages. A file integrity tool called Advanced Intrusion Detection Environment (AIDE) is one of those optional packages. This requirement assumes the use of AIDE; however, a different tool may be used if the requirements are met. Note that AIDE does not have a configuration that will send a notification, so a cron job is recommended that uses the mail application on the system to email the results of the file integrity check. -Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001744Configure the file integrity tool to run automatically on the system at least weekly and to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. 
+Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001744Configure the file integrity tool to run automatically on the system at least weekly and to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. @@ -795,7 +795,9 @@ The following example output is generic. It will set cron to run AIDE daily and #!/bin/bash - /usr/sbin/aide --check | /var/spool/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.milVerify the operating system routinely checks the baseline configuration for unauthorized changes and notifies the system administrator when anomalies in the operation of any security functions are discovered. + /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil + +Note: Per requirement RHEL-08-010358, the "mailx" package must be installed on the system to enable email functionality.Verify the operating system routinely checks the baseline configuration for unauthorized changes and notifies the system administrator when anomalies in the operation of any security functions are discovered. Check that RHEL 8 routinely executes a file integrity scan for changes to the system baseline. The command used in the example will use a daily occurrence. 
@@ -813,7 +815,7 @@ Check the cron directories for scripts controlling the execution and notificatio $ sudo more /etc/cron.daily/aide #!/bin/bash - /usr/sbin/aide --check | /var/spool/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil + /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, or the file integrity application does not notify designated personnel of changes, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010370RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
@@ -1455,21 +1457,21 @@ $ sudo grep -ir KerberosAuthentication /etc/ssh/sshd_config* KerberosAuthentication no If the value is returned as "yes", the returned line is commented out, no output is returned, or has not been documented with the ISSO, this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010540RHEL 8 must use a separate file system for /var.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Migrate the "/var" path onto a separate file system.Verify that a separate file system/partition has been created for "/var". 
+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010540RHEL 8 must use a separate file system for /var.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Migrate the "/var" path onto a separate file system.Verify that a separate file system has been created for "/var". -Check that a file system/partition has been created for "/var" with the following command: +Check that a file system has been created for "/var" with the following command: -$ sudo grep /var /etc/fstab + $ sudo grep /var /etc/fstab -UUID=c274f65f /var xfs noatime,nobarrier 1 2 + /dev/mapper/... 
/var xfs defaults,nodev 0 0 -If a separate entry for "/var" is not in use, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010541RHEL 8 must use a separate file system for /var/log.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Migrate the "/var/log" path onto a separate file system.Verify that a separate file system/partition has been created for "/var/log". +If a separate entry for "/var" is not in use, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010541RHEL 8 must use a separate file system for /var/log.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Migrate the "/var/log" path onto a separate file system.Verify that a separate file system has been created for "/var/log". 
-Check that a file system/partition has been created for "/var/log" with the following command: +Check that a file system has been created for "/var/log" with the following command: -$ sudo grep /var/log /etc/fstab + $ sudo grep /var/log /etc/fstab -UUID=c274f65f /var/log xfs noatime,nobarrier 1 2 + /dev/mapper/... /var/log xfs defaults,nodev,noexec,nosuid 0 0 If a separate entry for "/var/log" is not in use, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010542RHEL 8 must use a separate file system for the system audit data path.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Migrate the system audit data path onto a separate file system.Verify that a separate file system/partition has been created for the system audit data path with the following command: 
@@ -1892,27 +1894,27 @@ $ sudo find / -fstype xfs -nogroup If any files on the system do not have an assigned group, this is a finding. -Note: Command may produce error messages from the /proc and /sys directories.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010800A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Migrate the "/home" directory onto a separate file system/partition.Verify that a separate file system/partition has been created for non-privileged local interactive user home directories. 
+Note: Command may produce error messages from the /proc and /sys directories.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010800A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Migrate the "/home" directory onto a separate file system.Verify that a separate file system has been created for non-privileged local interactive user home directories. Check the home directory assignment for all non-privileged users, users with a User Identifier (UID) greater than 1000, on the system with the following command: -$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd + $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd -adamsj 1001 /home/adamsj -jacksonm 1002 /home/jacksonm -smithj 1003 /home/smithj + doej 1001 /home/doej + publicj 1002 /home/publicj + smithj 1003 /home/smithj The output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, "/home") and users’ shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users. 
-Check that a file system/partition has been created for the non-privileged interactive users with the following command: +Check that a file system/partition has been created for the nonprivileged interactive users with the following command: Note: The partition of "/home" is used in the example. -$ sudo grep /home /etc/fstab + $ sudo grep /home /etc/fstab -UUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2 + /dev/mapper/... /home xfs defaults,noexec,nosuid,nodev 0 0 -If a separate entry for the file system/partition containing the non-privileged interactive user home directories does not exist, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-08-010820Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface. 
+If a separate entry for the file system/partition containing the nonprivileged interactive user home directories does not exist, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-08-010820Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface. Add or edit the line for the "AutomaticLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false": 
@@ -2387,7 +2389,7 @@ true If the setting is "false", this is a finding. -Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020040RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020040RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. 
@@ -2402,9 +2404,9 @@ Create a global configuration file "/etc/tmux.conf" and add the following lines: Reload tmux configuration to take effect. This can be performed in tmux while it is running: - $ tmux source-file /etc/tmux.confVerify the operating system enables the user to manually initiate a session lock with the following command: + $ tmux source-file /etc/tmux.confVerify the operating system enables the user to manually initiate a session lock with the following command: - $ sudo grep -Ei lock-command|lock-session /etc/tmux.conf + $ sudo grep -Ei 'lock-command|lock-session' /etc/tmux.conf set -g lock-command vlock bind X lock-session 
@@ -2589,23 +2591,23 @@ matchrule =<SAN>.*EDIPI@mil maprule = (userCertificate;binary={cert!bin}) domains = testing.test -If the certmap section does not exist, ask the System Administrator to indicate how certificates are mapped to accounts. If there is no evidence of certificate mapping, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-08-020100RHEL 8 must ensure the password complexity module is enabled in the password-auth file.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. - -RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both: -/etc/pam.d/password-auth -/etc/pam.d/system-auth</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to use "pwquality" to enforce password complexity rules. +If the certmap section does not exist, ask the System Administrator to indicate how certificates are mapped to accounts. 
If there is no evidence of certificate mapping, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-08-020100RHEL 8 must ensure the password complexity module is enabled in the password-auth file.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. + +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both: +/etc/pam.d/password-auth +/etc/pam.d/system-auth</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to use "pwquality" to enforce password complexity rules. Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value): -password required pam_pwquality.soVerify the operating system uses "pwquality" to enforce the password complexity rules. + password requisite pam_pwquality.soVerify the operating system uses "pwquality" to enforce the password complexity rules. 
Check for the use of "pwquality" in the password-auth file with the following command: -$ sudo cat /etc/pam.d/password-auth | grep pam_pwquality + $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality -password required pam_pwquality.so + password requisite pam_pwquality.so -If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-08-020110RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the command does not return a line containing the value "pam_pwquality.so" as shown, or the line is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-08-020110RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
@@ -2758,23 +2760,23 @@ $ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow $ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow -If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>RHEL-08-020220RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements. +If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>RHEL-08-020220RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements. RHEL 8 uses "pwhistory" consecutively as a mechanism to prohibit password reuse. This is set in both: /etc/pam.d/password-auth /etc/pam.d/system-auth. 
-Note that manual changes to the listed files may be overwritten by the "authselect" program.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000200Configure the operating system in the password-auth file to prohibit password reuse for a minimum of five generations. +Note that manual changes to the listed files may be overwritten by the "authselect" program.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000200Configure the operating system in the password-auth file to prohibit password reuse for a minimum of five generations. Add the following line in "/etc/pam.d/password-auth" (or modify the line to have the required value): -password required pam_pwhistory.so use_authtok remember=5 retry=3Verify the operating system is configured in the password-auth file to prohibit password reuse for a minimum of five generations. + password requisite pam_pwhistory.so use_authtok remember=5 retry=3Verify the operating system is configured in the password-auth file to prohibit password reuse for a minimum of five generations. 
Check for the value of the "remember" argument in "/etc/pam.d/password-auth" with the following command: -$ sudo grep -i remember /etc/pam.d/password-auth + $ sudo grep -i remember /etc/pam.d/password-auth -password required pam_pwhistory.so use_authtok remember=5 retry=3 + password requisite pam_pwhistory.so use_authtok remember=5 retry=3 If the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-08-020230RHEL 8 passwords must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
@@ -2880,22 +2882,20 @@ $ sudo grep -i inactive /etc/default/useradd INACTIVE=35 -If "INACTIVE" is set to "-1", a value greater than "35", or is commented out, this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>RHEL-08-020270RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours.<VulnDiscussion>Emergency accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. - -Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. 
- -To address access requirements, many RHEL 8 systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001682If an emergency account must be created, configure the system to terminate the account after 72 hours with the following command to set an expiration date for the account. Substitute "system_account_name" with the account to be created. - -$ sudo chage -E `date -d "+3 days" +%Y-%m-%d` system_account_name +If "INACTIVE" is set to "-1", a value greater than "35", or is commented out, this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>RHEL-08-020270RHEL 8 must automatically expire temporary accounts within 72 hours.<VulnDiscussion>Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors. + +Temporary accounts are different from emergency accounts. 
Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements. + +The automatic expiration of temporary accounts may be extended as needed by the circumstances but it must not be extended indefinitely. A documented permanent account should be established for privileged users who need long-term maintenance accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001682Configure the operating system to expire temporary accounts after 72 hours with the following command: -The automatic expiration or disabling time period may be extended as needed until the crisis is resolved.Verify emergency accounts have been provisioned with an expiration date of 72 hours. + $ sudo chage -E $(date -d +3days +%Y-%m-%d) <temporary_account_name>Verify temporary accounts have been provisioned with an expiration date of 72 hours. -For every existing emergency account, run the following command to obtain its account expiration information. +For every existing temporary account, run the following command to obtain its account expiration information: -$ sudo chage -l system_account_name + $ sudo chage -l <temporary_account_name> | grep -i "account expires" Verify each of these accounts has an expiration date set within 72 hours. 
-If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>RHEL-08-020280All RHEL 8 passwords must contain at least one special character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>RHEL-08-020280All RHEL 8 passwords must contain at least one special character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
@@ -3222,13 +3222,13 @@ $ sudo grep "log_format" /etc/audit/auditd.conf log_format = ENRICHED -If the "log_format" option is not "ENRICHED", or the line is commented out, this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>RHEL-08-030070RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. +If the "log_format" option is not "ENRICHED", or the line is commented out, this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>RHEL-08-030070RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. 
-Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000162Configure the audit log to be protected from unauthorized read access by configuring the log group in the /etc/audit/auditd.conf file: - -log_group = rootVerify the audit logs have a mode of "0600" or less permissive. +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000162Configure the audit log to be protected from unauthorized read access by setting the correct permissive mode with the following command: + +$ sudo chmod 0600 /var/log/audit/audit.logVerify the audit logs have a mode of "0600" or less permissive. First, determine where the audit logs are stored with the following command: 
@@ -5420,15 +5420,15 @@ $ sudo usbguard list-rules If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked. -If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>RHEL-08-040150A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>RHEL-08-040150A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of RHEL 8 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. -Since version 0.6.0, "firewalld" has incorporated "nftables" as its backend support. 
Utilizing the limit statement in "nftables" can help to mitigate DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002385Configure "nftables" to be the default "firewallbackend" for "firewalld" by adding or editing the following line in "etc/firewalld/firewalld.conf": +Since version 0.6.0, "firewalld" has incorporated "nftables" as its backend support. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002385Configure "nftables" to be the default "firewallbackend" for "firewalld" by adding or editing the following line in "/etc/firewalld/firewalld.conf": FirewallBackend=nftables -Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces.Verify "nftables" is configured to allow rate limits on any connection to the system with the following command: +Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces.Verify "nftables" is configured to allow rate limits on any connection to the system with the following command: Verify "firewalld" has "nftables" set as the default backend: 
@@ -6588,13 +6588,13 @@ $ sudo grep -ir GSSAPIAuthentication /etc/ssh/sshd_config* GSSAPIAuthentication no If the value is returned as "yes", the returned line is commented out, no output is returned, or has not been documented with the ISSO, this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010544RHEL 8 must use a separate file system for /var/tmp.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Migrate the "/var/tmp" path onto a separate file system.Verify that a separate file system/partition has been created for "/var/tmp". 
+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010544RHEL 8 must use a separate file system for /var/tmp.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Migrate the "/var/tmp" path onto a separate file system.Verify that a separate file system has been created for "/var/tmp". -Check that a file system/partition has been created for "/var/tmp" with the following command: +Check that a file system has been created for "/var/tmp" with the following command: -$ sudo grep /var/tmp /etc/fstab + $ sudo grep /var/tmp /etc/fstab -UUID=c274f65f /var/tmp xfs noatime,nobarrier 1 2 + /dev/mapper/... /var/tmp xfs defaults,nodev,noexec,nosuid 0 0 If a separate entry for "/var/tmp" is not in use, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010572RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.For systems that use BIOS, this is Not Applicable. 
@@ -7434,61 +7434,61 @@ Check the configuration of the "/etc/pam.d/sudo" file with the following command $ sudo grep pam_succeed_if /etc/pam.d/sudo -If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020101RHEL 8 must ensure the password complexity module is enabled in the system-auth file.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. - -RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is set in both: -/etc/pam.d/password-auth -/etc/pam.d/system-auth</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to use "pwquality" to enforce password complexity rules. - -Add the following line to the "/etc/pam.d/system-auth" file(or modify the line to have the required value): - -password required pam_pwquality.soVerify the operating system uses "pwquality" to enforce the password complexity rules. 
- -Check for the use of "pwquality" in the system-auth file with the following command: - -$ sudo cat /etc/pam.d/system-auth | grep pam_pwquality - -password required pam_pwquality.so - -If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020102RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. - -RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is set in both: -/etc/pam.d/password-auth -/etc/pam.d/system-auth - -By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to limit the "pwquality" retry option to 3. 
- -Add the following line to the "/etc/pam.d/system-auth" file (or modify the line to have the required value): - -password required pam_pwquality.so retry=3Note: This requirement applies to RHEL versions 8.0 through 8.3. If the system is RHEL version 8.4 or newer, this requirement is not applicable. - -Verify the operating system is configured to limit the "pwquality" retry option to 3. - -Check for the use of the "pwquality" retry option in the system-auth file with the following command: - -$ sudo cat /etc/pam.d/system-auth | grep pam_pwquality - -password required pam_pwquality.so retry=3 - -If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020103RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. - -RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. 
This is set in both: -/etc/pam.d/password-auth -/etc/pam.d/system-auth - -By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to limit the "pwquality" retry option to 3. - -Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value): - -password required pam_pwquality.so retry=3Note: This requirement applies to RHEL versions 8.0 through 8.3. If the system is RHEL version 8.4 or newer, this requirement is not applicable. +If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020101RHEL 8 must ensure the password complexity module is enabled in the system-auth file.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. + +RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. 
This is set in both: +/etc/pam.d/password-auth +/etc/pam.d/system-auth</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to use "pwquality" to enforce password complexity rules. + +Add the following line to the "/etc/pam.d/system-auth" file (or modify the line to have the required value): + + password requisite pam_pwquality.soVerify the operating system uses "pwquality" to enforce the password complexity rules. + +Check for the use of "pwquality" in the system-auth file with the following command: + + $ sudo cat /etc/pam.d/system-auth | grep pam_pwquality + + password requisite pam_pwquality.so + +If the command does not return a line containing the value "pam_pwquality.so" as shown, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020102RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. + +RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. 
This is set in both: +/etc/pam.d/password-auth +/etc/pam.d/system-auth + +By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to limit the "pwquality" retry option to 3. + +Add the following line to the "/etc/pam.d/system-auth" file (or modify the line to have the required value): + + password requisite pam_pwquality.so retry=3Note: This requirement applies to RHEL versions 8.0 through 8.3. If the system is RHEL version 8.4 or newer, this requirement is not applicable. + +Verify the operating system is configured to limit the "pwquality" retry option to 3. + +Check for the use of the "pwquality" retry option in the system-auth file with the following command: + + $ sudo cat /etc/pam.d/system-auth | grep pam_pwquality + + password requisite pam_pwquality.so retry=3 + +If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020103RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
"pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. + +RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is set in both: +/etc/pam.d/password-auth +/etc/pam.d/system-auth + +By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to limit the "pwquality" retry option to 3. + +Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value): + + password requisite pam_pwquality.so retry=3Note: This requirement applies to RHEL versions 8.0 through 8.3. If the system is RHEL version 8.4 or newer, this requirement is not applicable. Verify the operating system is configured to limit the "pwquality" retry option to 3. 
Check for the use of the "pwquality" retry option in the password-auth file with the following command: -$ sudo cat /etc/pam.d/password-auth | grep pam_pwquality + $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality -password required pam_pwquality.so retry=3 + password requisite pam_pwquality.so retry=3 If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020104RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. 
@@ -7519,23 +7519,23 @@ Check for the use of the "pwquality" retry option in the system-auth and passwor
$ sudo grep pwquality /etc/pam.d/system-auth /etc/pam.d/password-auth | grep retry
-If the command returns any results, this is a finding.SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>RHEL-08-020221RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.
+If the command returns any results, this is a finding.SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>RHEL-08-020221RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.
RHEL 8 uses "pwhistory" consecutively as a mechanism to prohibit password reuse. This is set in both: /etc/pam.d/password-auth /etc/pam.d/system-auth.
-Note that manual changes to the listed files may be overwritten by the "authselect" program.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000200Configure the operating system in the system-auth file to prohibit password reuse for a minimum of five generations.
+Note that manual changes to the listed files may be overwritten by the "authselect" program.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000200Configure the operating system in the system-auth file to prohibit password reuse for a minimum of five generations.
Add the following line in "/etc/pam.d/system-auth" (or modify the line to have the required value):
-password required pam_pwhistory.so use_authtok remember=5 retry=3Verify the operating system is configured in the system-auth file to prohibit password reuse for a minimum of five generations.
+ password requisite pam_pwhistory.so use_authtok remember=5 retry=3Verify the operating system is configured in the system-auth file to prohibit password reuse for a minimum of five generations.
Check for the value of the "remember" argument in "/etc/pam.d/system-auth" with the following command:
-$ sudo grep -i remember /etc/pam.d/system-auth
+ $ sudo grep -i remember /etc/pam.d/system-auth
-password required pam_pwhistory.so use_authtok remember=5 retry=3
+ password requisite pam_pwhistory.so use_authtok remember=5 retry=3
If the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040321The graphical display manager must not be the default target on RHEL 8 unless approved.<VulnDiscussion>Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure:
@@ -7605,4 +7605,63 @@ A reboot is required for the changes to take effect.
\ No newline at end of file
+If the entries following "KexAlgorithms" have any algorithms defined other than "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512", appear in different order than shown, are missing, or commented out, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010019RHEL 8 must ensure cryptographic verification of vendor software packages.<VulnDiscussion>Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Red Hat cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001749Install Red Hat package-signing keys on the system and verify their fingerprints match vendor values.
+
+Insert RHEL 8 installation disc or attach RHEL 8 installation image to the system. Mount the disc or image to make the contents accessible inside the system.
+
+Assuming the mounted location is "/media/cdrom", use the following command to copy Red Hat GPG key file onto the system:
+
+ $ sudo cp /media/cdrom/RPM-GPG-KEY-redhat-release /etc/pki/rpm-gpg/
+
+Import Red Hat GPG keys from key file into system keyring:
+
+ $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+
+Using the steps listed in the Check Text, confirm the newly imported keys show as installed on the system and verify their fingerprints match vendor values.Confirm Red Hat package-signing keys are installed on the system and verify their fingerprints match vendor values.
+
+Note: For RHEL 8 software packages, Red Hat uses GPG keys labeled "release key 2" and "auxiliary key 2". The keys are defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" by default.
+
+List Red Hat GPG keys installed on the system:
+
+ $ sudo rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey | grep -i "red hat"
+
+ gpg(Red Hat, Inc. (release key 2) <security@redhat.com>)
+ gpg(Red Hat, Inc. (auxiliary key) <security@redhat.com>)
+
+If Red Hat GPG keys "release key 2" and "auxiliary key 2" are not installed, this is a finding.
+
+Note: The "auxiliary key 2" appears as "auxiliary key" on a RHEL 8 system.
+
+List key fingerprints of installed Red Hat GPG keys:
+
+ $ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+
+If key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" is missing, this is a finding.
+
+Example output:
+
+ pub rsa4096/FD431D51 2009-10-22 [SC]
+ Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51
+ uid Red Hat, Inc. (release key 2) <security@redhat.com>
+ pub rsa4096/D4082792 2018-06-27 [SC]
+ Key fingerprint = 6A6A A7C9 7C88 90AE C6AE BFE2 F76F 66C3 D408 2792
+ uid Red Hat, Inc.
(auxiliary key) <security@redhat.com>
+ sub rsa4096/1B5584D3 2018-06-27 [E]
+
+Compare key fingerprints of installed Red Hat GPG keys with fingerprints listed for RHEL 8 on Red Hat "Product Signing Keys" webpage at https://access.redhat.com/security/team/key.
+
+If key fingerprints do not match, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-08-010358RHEL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.
+
+Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001744Install the "mailx" package on the system:
+
+ $ sudo yum install mailxVerify that the operating system is configured to allow sending email notifications.
+
+Note: The "mailx" package provides the "mail" command that is used to send email messages.
+
+Verify that the "mailx" package is installed on the system:
+
+ $ sudo yum list installed mailx
+
+ mailx.x86_64 12.5-29.el8 @rhel-8-for-x86_64-baseos-rpm
+
+If "mailx" package is not installed, this is a finding.
\ No newline at end of file
diff --git a/shared/references/disa-stig-rhel8-v1r8-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v1r9-xccdf-scap.xml
similarity index 96%
rename from shared/references/disa-stig-rhel8-v1r8-xccdf-scap.xml
rename to shared/references/disa-stig-rhel8-v1r9-xccdf-scap.xml
index 92f67b35229..eef684462b1 100644
--- a/shared/references/disa-stig-rhel8-v1r8-xccdf-scap.xml
+++ b/shared/references/disa-stig-rhel8-v1r9-xccdf-scap.xml
@@ -1,38 +1,38 @@ - - + + - + - + - + - + - - + + - + Red Hat Enterprise Linux 8 - oval:mil.disa.stig.rhel8:def:1 + oval:mil.disa.stig.rhel8:def:1 - + - accepted + accepted Red Hat Enterprise Linux 8 STIG SCAP Benchmark - This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
@@ -40,11 +40,19 @@ DISA STIG.DOD.MIL - Release: 1.8 Benchmark Date: 26 Jan 2023 + Release: 1.9 Benchmark Date: 27 Apr 2023 3.4.0.34222 1.10.0 + + + RHEL 8.3 or Lower + + + + + - 001.008 + 001.009 DISA DISA
@@ -284,6 +292,7 @@ + I - Mission Critical Public
@@ -518,6 +527,7 @@ + I - Mission Critical Sensitive
@@ -752,6 +762,7 @@ + II - Mission Support Classified @@ -986,6 +997,7 @@ + II - Mission Support Public @@ -1220,6 +1232,7 @@ + II - Mission Support Sensitive @@ -1454,6 +1467,7 @@ + III - Administrative Classified @@ -1688,6 +1702,7 @@ + III - Administrative Public @@ -1922,6 +1937,7 @@ + III - Administrative Sensitive @@ -2156,6 +2172,7 @@ + CAT I Only @@ -2196,8 +2213,8 @@ - - + + @@ -2226,10 +2243,10 @@ - + - + @@ -2241,7 +2258,7 @@ - + @@ -2257,7 +2274,7 @@ - + @@ -2372,6 +2389,7 @@ + SRG-OS-000480-GPOS-00227 @@ -2394,7 +2412,7 @@ Note: The life-cycle time spans and dates are subject to adjustment.</VulnDis Upgrade to a supported version of RHEL 8. - + @@ -2430,7 +2448,7 @@ $ sudo fips-mode-setup --enable Reboot the system for the changes to take effect. - + @@ -2460,7 +2478,7 @@ Edit/Modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_M ENCRYPT_METHOD SHA512 - + @@ -2484,7 +2502,7 @@ Passwords need to be protected at all times, and encryption is the standard meth Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512. - + @@ -2512,7 +2530,7 @@ Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_ SHA_CRYPT_MIN_ROUNDS 5000 - + @@ -2540,7 +2558,7 @@ Enter password: Confirm password: - + @@ -2568,7 +2586,7 @@ Enter password: Confirm password: - + @@ -2592,7 +2610,7 @@ Confirm password: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue - + @@ -2622,7 +2640,7 @@ Edit/modify the following line in the "/etc/pam.d/password-auth" file to include password sufficient pam_unix.so sha512 - + @@ -2652,7 +2670,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access Remove any files with the .keytab extension from the operating system. - + @@ -2682,7 +2700,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access $ sudo yum remove krb5-workstation - + 
@@ -2708,7 +2726,7 @@ Policycoreutils contains the policy core utilities that are required for basic o $ sudo yum install policycoreutils - + @@ -2744,7 +2762,7 @@ In order for the changes to take effect, the SSH daemon must be restarted. $ sudo systemctl restart sshd.service - + @@ -2770,7 +2788,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chmod 0640 /var/log/messages - + @@ -2796,7 +2814,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chown root /var/log/messages - + @@ -2822,7 +2840,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chgrp root /var/log/messages - + @@ -2848,7 +2866,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chmod 0755 /var/log - + @@ -2874,7 +2892,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chown root /var/log - + @@ -2900,7 +2918,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chgrp root /var/log - + @@ -2930,7 +2948,7 @@ SSH_USE_STRONG_RNG=32 The SSH service must be restarted for changes to take effect. - + @@ -2968,7 +2986,7 @@ DTLS.MinProtocol = DTLSv1.2 A reboot is required for the changes to take effect. - + @@ -2996,7 +3014,7 @@ Run the following command, replacing "[FILE]" with any system command with a mod $ sudo chmod 755 [FILE] - + @@ -3024,7 +3042,7 @@ Run the following command, replacing "[FILE]" with any system command file not o $ sudo chown root [FILE] - + @@ -3052,7 +3070,7 @@ Run the following command, replacing "[FILE]" with any system command file not g $ sudo chgrp root [FILE] - + @@ -3080,7 +3098,7 @@ Verifying the authenticity of the software prior to installation validates the i gpgcheck=1 - + @@ -3110,7 +3128,7 @@ Set the "localpkg_gpgcheck" option to "True" in the "/etc/dnf/dnf.conf" file: localpkg_gpgcheck=True - + 
@@ -3158,7 +3176,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -3210,7 +3228,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -3262,7 +3280,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -3314,7 +3332,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -3366,7 +3384,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -3392,7 +3410,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. - + @@ -3418,7 +3436,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. - + @@ -3450,7 +3468,7 @@ This requirement only applies to components where this is specific to the functi $ sudo yum install openssl-pkcs11 - + @@ -3498,7 +3516,7 @@ Issue the following command to make the changes take effect: $ sudo sysctl --system - + @@ -3524,7 +3542,7 @@ Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.con clean_requirements_on_remove=True - + @@ -3554,7 +3572,7 @@ SELINUXTYPE=targeted A reboot is required for the changes to take effect. - + @@ -3578,7 +3596,7 @@ A reboot is required for the changes to take effect. $ sudo rm /etc/ssh/shosts.equiv - + @@ -3602,7 +3620,7 @@ $ sudo rm /etc/ssh/shosts.equiv $ sudo rm /[path]/[to]/[file]/.shosts - + @@ -3630,7 +3648,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + 
@@ -3658,7 +3676,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -3686,7 +3704,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -3716,7 +3734,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -3746,14 +3764,14 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-010540 RHEL 8 must use a separate file system for /var. <VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -3768,14 +3786,14 @@ $ sudo systemctl restart sshd.service Migrate the "/var" path onto a separate file system. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-010541 RHEL 8 must use a separate file system for /var/log. <VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -3790,7 +3808,7 @@ $ sudo systemctl restart sshd.service Migrate the "/var/log" path onto a separate file system. - + @@ -3812,7 +3830,7 @@ $ sudo systemctl restart sshd.service Migrate the system audit data path onto a separate file system. - + @@ -3834,7 +3852,7 @@ $ sudo systemctl restart sshd.service Migrate the "/tmp" directory onto a separate file system/partition. - + @@ -3864,7 +3882,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -3892,7 +3910,7 @@ $ sudo systemctl start rsyslog.service $ sudo systemctl enable rsyslog.service - + @@ -3914,7 +3932,7 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory. - + @@ -3936,7 +3954,7 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions. - + @@ -3958,7 +3976,7 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS. - + 
@@ -3980,7 +3998,7 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS. - + @@ -4002,7 +4020,7 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS. - + @@ -4048,7 +4066,7 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + @@ -4076,7 +4094,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con * hard core 0 - + @@ -4104,7 +4122,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: Storage=none - + @@ -4132,7 +4150,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0 - + @@ -4156,7 +4174,7 @@ ProcessSizeMax=0 CREATE_HOME yes - + @@ -4186,7 +4204,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -4224,7 +4242,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -4256,7 +4274,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: deny = 3 - + @@ -4294,7 +4312,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -4326,7 +4344,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: fail_interval = 900 - + @@ -4364,7 +4382,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -4396,7 +4414,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: unlock_time = 0 - + @@ -4434,7 +4452,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + 
@@ -4466,7 +4484,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: silent - + @@ -4506,7 +4524,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -4538,7 +4556,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: audit - + @@ -4578,7 +4596,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -4610,7 +4628,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: even_deny_root - + @@ -4638,14 +4656,14 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con * hard maxlogins 10 - + SRG-OS-000028-GPOS-00009 <GroupDescription></GroupDescription> - + RHEL-08-020040 RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. @@ -4675,7 +4693,7 @@ Reload tmux configuration to take effect. This can be performed in tmux while it $ tmux source-file /etc/tmux.conf - + @@ -4711,7 +4729,7 @@ fi This setting will take effect at next logon. - + 
@@ -4739,14 +4757,14 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion Configure the operating system to prevent users from disabling the tmux terminal multiplexer by editing the "/etc/shells" configuration file to remove any instances of tmux. - + SRG-OS-000069-GPOS-00037 <GroupDescription></GroupDescription> - + RHEL-08-020100 RHEL 8 must ensure the password complexity module is enabled in the password-auth file. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. @@ -4762,14 +4780,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This 2921 CCI-000366 - Configure the operating system to use "pwquality" to enforce password complexity rules. + Configure the operating system to use "pwquality" to enforce password complexity rules. Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value): -password required pam_pwquality.so - + password requisite pam_pwquality.so + - + @@ -4801,7 +4819,7 @@ ucredit = -1 Remove any configurations that conflict with the above value. - + @@ -4833,7 +4851,7 @@ lcredit = -1 Remove any configurations that conflict with the above value. - + @@ -4865,7 +4883,7 @@ dcredit = -1 Remove any configurations that conflict with the above value. - + @@ -4897,7 +4915,7 @@ maxclassrepeat = 4 Remove any configurations that conflict with the above value. - + @@ -4929,7 +4947,7 @@ maxrepeat = 3 Remove any configurations that conflict with the above value. - + @@ -4961,7 +4979,7 @@ minclass = 4 Remove any configurations that conflict with the above value. - + 
@@ -4993,7 +5011,7 @@ difok = 8 Remove any configurations that conflict with the above value. - + @@ -5017,7 +5035,7 @@ Remove any configurations that conflict with the above value. $ sudo chage -m 1 [user] - + @@ -5043,7 +5061,7 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ PASS_MIN_DAYS 1 - + @@ -5069,7 +5087,7 @@ Add, or modify the following line in the "/etc/login.defs" file: PASS_MAX_DAYS 60 - + @@ -5093,14 +5111,14 @@ PASS_MAX_DAYS 60 $ sudo chage -M 60 [user] - + SRG-OS-000077-GPOS-00045 <GroupDescription></GroupDescription> - + RHEL-08-020220 RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. <VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements. @@ -5118,14 +5136,14 @@ Note that manual changes to the listed files may be overwritten by the "authsele 2921 CCI-000200 - Configure the operating system in the password-auth file to prohibit password reuse for a minimum of five generations. + Configure the operating system in the password-auth file to prohibit password reuse for a minimum of five generations. Add the following line in "/etc/pam.d/password-auth" (or modify the line to have the required value): -password required pam_pwhistory.so use_authtok remember=5 retry=3 - + password requisite pam_pwhistory.so use_authtok remember=5 retry=3 + - + @@ -5161,7 +5179,7 @@ minlen = 15 Remove any configurations that conflict with the above value. - + @@ -5191,7 +5209,7 @@ Add, or modify the following line in the "/etc/login.defs" file: PASS_MIN_LEN 15 - + 
@@ -5221,7 +5239,7 @@ $ sudo useradd -D -f 35 DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires. - + @@ -5253,7 +5271,7 @@ ocredit = -1 Remove any configurations that conflict with the above value. - + @@ -5281,7 +5299,7 @@ dictcheck=1 Remove any configurations that conflict with the above value. - + @@ -5309,7 +5327,7 @@ Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or gr FAIL_DELAY 4 - + @@ -5337,7 +5355,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -5365,7 +5383,7 @@ PrintLastLog yes The SSH service must be restarted for changes to "sshd_config" to take effect. - + @@ -5391,7 +5409,7 @@ Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077 UMASK 077 - + @@ -5425,7 +5443,7 @@ Add or update the following file system rules to "/etc/audit/rules.d/audit.rules The audit daemon must be restarted for the changes to take effect. - + @@ -5455,7 +5473,7 @@ Edit the following line in "/etc/audit/auditd.conf" to ensure that administrator action_mail_acct = root - + @@ -5487,7 +5505,7 @@ disk_error_action = HALT If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". - + @@ -5521,7 +5539,7 @@ disk_full_action = HALT If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". - + 
@@ -5549,7 +5567,7 @@ Add or update the following line in "/etc/audit/auditd.conf" file: local_events = yes - + @@ -5581,7 +5599,7 @@ name_format = hostname The audit daemon must be restarted for changes to take effect. - + @@ -5611,14 +5629,14 @@ log_format = ENRICHED The audit daemon must be restarted for changes to take effect. - + SRG-OS-000057-GPOS-00027 <GroupDescription></GroupDescription> - + RHEL-08-030070 RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. @@ -5634,12 +5652,12 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO 2921 CCI-000162 - Configure the audit log to be protected from unauthorized read access by configuring the log group in the /etc/audit/auditd.conf file: - -log_group = root - + Configure the audit log to be protected from unauthorized read access by setting the correct permissive mode with the following command: + +$ sudo chmod 0600 /var/log/audit/audit.log + - + @@ -5669,7 +5687,7 @@ $ sudo chown root [audit_log_file] Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log". - + @@ -5697,7 +5715,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO log_group = root - + @@ -5727,7 +5745,7 @@ $ sudo chown root [audit_log_directory] Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". - + 
@@ -5757,7 +5775,7 @@ $ sudo chgrp root [audit_log_directory] Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". - + @@ -5787,7 +5805,7 @@ $ sudo chmod 0700 [audit_log_directory] Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". - + @@ -5819,7 +5837,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO Note: Once set, the system must be rebooted for auditing to be changed. It is recommended to add this option as the last step in securing the system. - + @@ -5849,7 +5867,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO --loginuid-immutable - + @@ -5881,7 +5899,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -5913,7 +5931,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -5945,7 +5963,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -5977,7 +5995,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -6009,7 +6027,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -6041,7 +6059,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -6073,7 +6091,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + 
@@ -6105,7 +6123,7 @@ Install the audit service (if the audit service is not already installed) with t $ sudo yum install audit - + @@ -6137,7 +6155,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6182,7 +6200,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6214,7 +6232,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6246,7 +6264,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6278,7 +6296,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6310,7 +6328,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6342,7 +6360,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6374,7 +6392,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6407,7 +6425,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6439,7 +6457,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + 
@@ -6471,7 +6489,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6503,7 +6521,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6535,7 +6553,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6567,7 +6585,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6599,7 +6617,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6631,7 +6649,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6663,7 +6681,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6695,7 +6713,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6727,7 +6745,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6759,7 +6777,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6791,7 +6809,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + 
@@ -6826,7 +6844,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6866,7 +6884,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6898,7 +6916,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6931,7 +6949,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6963,7 +6981,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6995,7 +7013,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7038,7 +7056,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7077,7 +7095,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7115,7 +7133,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7147,7 +7165,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7179,7 +7197,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + 
@@ -7211,7 +7229,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7253,7 +7271,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7295,7 +7313,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7321,7 +7339,7 @@ $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules $ sudo chmod 0640 /etc/audit/auditd.conf - + @@ -7351,7 +7369,7 @@ $ sudo chmod 0755 [audit_tool] Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode. - + @@ -7383,7 +7401,7 @@ $ sudo chown root [audit_tool] Replace "[audit_tool]" with each audit tool not owned by "root". - + @@ -7415,7 +7433,7 @@ $ sudo chgrp root [audit_tool] Replace "[audit_tool]" with each audit tool not group-owned by "root". - + @@ -7450,7 +7468,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul $ sudo yum install rsyslog - + @@ -7485,7 +7503,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul $ sudo yum install rsyslog-gnutls - + @@ -7517,7 +7535,7 @@ overflow_action = syslog The audit daemon must be restarted for changes to take effect. - + @@ -7543,7 +7561,7 @@ space_left = 25% Note: Option names and values in the auditd.conf file are case insensitive. - + @@ -7573,7 +7591,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc port 0 - + @@ -7603,7 +7621,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc cmdport 0 - + @@ -7637,7 +7655,7 @@ If a privileged user were to log on using this service, the privileged user pass $ sudo yum remove telnet-server - + 
@@ -7667,7 +7685,7 @@ Verify the operating system is configured to disable non-essential capabilities. $ sudo yum remove abrt* - + @@ -7697,7 +7715,7 @@ Verify the operating system is configured to disable non-essential capabilities. $ sudo yum remove sendmail - + @@ -7729,7 +7747,7 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000074-GPOS-00042</VulnDiscussion $ sudo yum remove rsh-server - + @@ -7762,7 +7780,7 @@ blacklist atm Reboot the system for the settings to take effect. - + @@ -7795,7 +7813,7 @@ blacklist can Reboot the system for the settings to take effect. - + @@ -7828,7 +7846,7 @@ blacklist sctp Reboot the system for the settings to take effect. - + @@ -7861,7 +7879,7 @@ blacklist tipc Reboot the system for the settings to take effect. - + @@ -7894,7 +7912,7 @@ blacklist cramfs Reboot the system for the settings to take effect. - + @@ -7925,7 +7943,7 @@ blacklist firewire-core Reboot the system for the settings to take effect. - + @@ -7956,7 +7974,7 @@ blacklist usb-storage Reboot the system for the settings to take effect. - + @@ -7996,7 +8014,7 @@ blacklist bluetooth Reboot the system for the settings to take effect. - + @@ -8026,7 +8044,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8054,7 +8072,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8084,7 +8102,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8114,7 +8132,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8142,7 +8160,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - + 
@@ -8172,7 +8190,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8202,7 +8220,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8232,7 +8250,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8262,7 +8280,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8292,7 +8310,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8322,7 +8340,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8352,7 +8370,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8382,7 +8400,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8412,7 +8430,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8442,7 +8460,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8472,7 +8490,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO $ sudo systemctl enable sshd.service - + 
@@ -8508,7 +8526,7 @@ Restart the SSH daemon for the settings to take effect. $ sudo systemctl restart sshd.service - + @@ -8536,7 +8554,7 @@ Reload the daemon for this change to take effect. $ sudo systemctl daemon-reload - + @@ -8560,7 +8578,7 @@ $ sudo systemctl daemon-reload $ sudo yum remove tftp-server - + @@ -8584,7 +8602,7 @@ $ sudo yum remove tftp-server If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned. - + @@ -8630,7 +8648,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -8678,7 +8696,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -8725,7 +8743,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -8771,7 +8789,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -8817,7 +8835,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -8863,7 +8881,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -8911,7 +8929,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -8959,7 +8977,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -9007,7 +9025,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -9053,7 +9071,7 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + @@ -9097,7 +9115,7 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + 
@@ -9141,7 +9159,7 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + @@ -9185,7 +9203,7 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + @@ -9231,7 +9249,7 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + @@ -9275,7 +9293,7 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + @@ -9299,7 +9317,7 @@ $ sudo sysctl --system $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' - + @@ -9331,7 +9349,7 @@ The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd - + @@ -9357,7 +9375,7 @@ Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Us X11UseLocalhost yes - + @@ -9381,7 +9399,7 @@ X11UseLocalhost yes server_args = -s /var/lib/tftpboot - + @@ -9405,7 +9423,7 @@ server_args = -s /var/lib/tftpboot $ sudo yum remove vsftpd - + @@ -9433,7 +9451,7 @@ The gssproxy package is a proxy for GSS API credential handling and could expose $ sudo yum remove gssproxy - + @@ -9461,7 +9479,7 @@ The iprutils package provides a suite of utilities to manage and configure SCSI $ sudo yum remove iprutils - + @@ -9489,7 +9507,7 @@ The tuned package contains a daemon that tunes the system settings dynamically. $ sudo yum remove tuned - + @@ -9519,7 +9537,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access $ sudo yum remove krb5-server - + @@ -9543,7 +9561,7 @@ ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL - + @@ -9573,7 +9591,7 @@ Remove any configurations that conflict with the above from the following locati /etc/sudoers.d/ - + @@ -9607,7 +9625,7 @@ Note: The "[value]" must be a number that is greater than or equal to "0". Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files. - + 
@@ -9631,7 +9649,7 @@ Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ Note: Manual changes to the listed file may be overwritten by the "authselect" program. - + @@ -9655,7 +9673,7 @@ Note: Manual changes to the listed file may be overwritten by the "authselect" p Note: Manual changes to the listed file may be overwritten by the "authselect" program. - + @@ -9701,7 +9719,7 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + 
@@ -9728,20 +9746,159 @@ Lock an account: $ sudo passwd -l [username] - + + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + RHEL-08-020102 + RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. + +RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is set in both: +/etc/pam.d/password-auth +/etc/pam.d/system-auth + +By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 8 + DISA + DPMS Target + Red Hat Enterprise Linux 8 + 2921 + + + CCI-000366 + Configure the operating system to limit the "pwquality" retry option to 3. 
+ +Add the following line to the "/etc/pam.d/system-auth" file (or modify the line to have the required value): + + password requisite pam_pwquality.so retry=3 + + + - + repotool 5.10 - 2022-12-30T15:15:39 + 2023-03-28T17:41:02 + + + The operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. + + + + + + + + + The operating system system commands must have mode 755 or less permissive. + + + + + + + + + The operating system must use a separate file system for /var. + + + + + + + + + + The operating system must use a separate file system for /var/log. + + + + + + + + + + The operating system must limit the number of concurrent sessions to ten for all accounts and/or account types. + + + + + + + + + + The operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. + + + + + + + + + + The operating system must ensure the password complexity module is enabled in the password-auth file. + + + + + + + + + The operating system must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. + + + + + + + + + The operating system audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. + + + + + + + + + Systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. + + + + + + + + + The system is RHEL 8.3 or lower + + Red Hat Enterprise Linux 8 + + + + + + + The RHEL 8 version is RHEL 8.2 or newer. 
@@ -9975,23 +10132,6 @@ Policycoreutils contains the policy core utilities that are required for basic o - - - RHEL-08-010200 - RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. - - Red Hat Enterprise Linux 8 - - Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. - -Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. - -RHEL 8 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. - - - - - - RHEL-08-010210 - The RHEL 8 /var/log/messages file must have mode 0640 or less permissive. 
@@ -10120,20 +10260,6 @@ RHEL 8 incorporates system-wide crypto policies by default. The employed algori - - - RHEL-08-010300 - RHEL 8 system commands must have mode 755 or less permissive. - - Red Hat Enterprise Linux 8 - - If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. - - - - - RHEL-08-010310 - RHEL 8 system commands must be owned by root. @@ -10508,32 +10634,6 @@ This requirement applies to operating systems performing security function verif - - - RHEL-08-010540 - RHEL 8 must use a separate file system for /var. - - Red Hat Enterprise Linux 8 - - The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. - - - - - - - - - RHEL-08-010541 - RHEL 8 must use a separate file system for /var/log. - - Red Hat Enterprise Linux 8 - - The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. - - - - - - RHEL-08-010542 - RHEL 8 must use a separate file system for the system audit data path. 
@@ -10986,38 +11086,6 @@ From "faillock.conf" man pages: Note that the default directory that "pam_faillo - - - RHEL-08-020024 - RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types. - - Red Hat Enterprise Linux 8 - - Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. - -This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. - - - - - - - - - RHEL-08-020040 - RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. - - Red Hat Enterprise Linux 8 - - A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - -Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. - - - - - - RHEL-08-020041 - RHEL 8 must ensure session control is automatically started at shell initialization. 
@@ -11051,22 +11119,6 @@ Tmux is a terminal multiplexer that enables a number of terminals to be created, - - - RHEL-08-020100 - RHEL 8 must ensure the password complexity module is enabled in the password-auth file. - - Red Hat Enterprise Linux 8 - - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. - -RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both: -/etc/pam.d/password-auth -/etc/pam.d/system-auth - - - - - RHEL-08-020110 - RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used. @@ -11231,24 +11283,6 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " - - - RHEL-08-020220 - RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. - - Red Hat Enterprise Linux 8 - - Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements. - -RHEL 8 utilizes "pwhistory" consecutively as a mechanism to prohibit password reuse. This is set in both: -/etc/pam.d/password-auth -/etc/pam.d/system-auth. - -Note that manual changes to the listed files may be overwritten by the "authselect" program. - - - - - RHEL-08-020230 - RHEL 8 passwords must have a minimum of 15 characters. 
@@ -11492,20 +11526,6 @@ Enriched logging aids in making sense of who, what, and when events occur on a s - - - RHEL-08-030070 - RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. - - Red Hat Enterprise Linux 8 - - Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. - - - - - RHEL-08-030080 - RHEL 8 audit logs must be owned by root to prevent unauthorized read access. 
@@ -13798,70 +13818,271 @@ The sysctl --system command will load settings from all system configuration fil - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + RHEL-08-010200 - RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. + + Red Hat Enterprise Linux 8 + + Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. + +RHEL 8 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. 
If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. + +Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000126-GPOS-00066, SRG-OS-000279-GPOS-00109 + + + + + + + + RHEL-08-010300 - RHEL 8 system commands must have mode 755 or less permissive. + + Red Hat Enterprise Linux 8 + + If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + + + + + + + + RHEL-08-010540 - RHEL 8 must use a separate file system for /var. + + Red Hat Enterprise Linux 8 + + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + + + + + + + + RHEL-08-010541 - RHEL 8 must use a separate file system for /var/log. + + Red Hat Enterprise Linux 8 + + The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. + + + + + + + + RHEL-08-020024 - RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types. + + Red Hat Enterprise Linux 8 + + Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. 
+ +This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. + + + + + + + + RHEL-08-020040 - RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. + + Red Hat Enterprise Linux 8 + + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + +The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. + +Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. + +Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 + + + + + + + + RHEL-08-020100 - RHEL 8 must ensure the password complexity module is enabled in the password-auth file. + + Red Hat Enterprise Linux 8 + + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. 
+ +RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both: +/etc/pam.d/password-auth +/etc/pam.d/system-auth + + + + + + + + RHEL-08-020220 - RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. + + Red Hat Enterprise Linux 8 + + Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements. + +RHEL 8 uses "pwhistory" consecutively as a mechanism to prohibit password reuse. This is set in both: +/etc/pam.d/password-auth +/etc/pam.d/system-auth. + +Note that manual changes to the listed files may be overwritten by the "authselect" program. + + + + + + + + RHEL-08-030070 - RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. + + Red Hat Enterprise Linux 8 + + Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. 
+ +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084 + + + + + + + + RHEL-08-020102 - RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. + + Red Hat Enterprise Linux 8 + + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. + +RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is set in both: +/etc/pam.d/password-auth +/etc/pam.d/system-auth + +By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -13918,10 +14139,6 @@ The sysctl --system command will load settings from all system configuration fil - - - - @@ -13968,10 +14185,6 @@ The sysctl --system command will load settings from all system configuration fil - - - - @@ -14088,18 +14301,6 @@ The sysctl --system command will load settings from all system configuration fil - - - - - - - - - - - - @@ -14310,20 +14511,6 @@ The sysctl --system command will load settings from all system configuration fil - - - - - - - - - - - - - - @@ -14333,9 +14520,6 @@ The sysctl --system command will load settings from all system configuration fil - - - @@ -14397,10 +14581,6 @@ The sysctl --system command will load settings from all system configuration fil - - - - 
@@ -14479,10 +14659,6 @@ The sysctl --system command will load settings from all system configuration fil - - - - @@ -15311,8 +15487,104 @@ The sysctl --system command will load settings from all system configuration fil + + + + + + + + + + /etc/audit/auditd.conf + ^\s*log_file\s*=\s*(\S+)\s*(?:#.*)?$ + 1 + + + /etc/ssh/sshd_config + ^\s*(?i)ClientAliveCountMax(?-i)\s+"?(\d+)"?\s*(?:|(?:#.*))?$ + 1 + + + /etc/fstab + ^[^# \t]+\s+/var\s+ + 1 + + + /etc/fstab + ^[^# \t]+\s+/var/log\s+ + 1 + + + + oval:mil.disa.stig.ind:obj:23034601 + oval:mil.disa.stig.ind:obj:23034602 + + + + /etc/security/limits.conf + ^\s*\*\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ + 1 + + + /etc/security/limits.d + .*\.conf$ + ^\s*\*\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ + 1 + + + + oval:mil.disa.stig.ind:obj:23034604 + oval:mil.disa.stig.ind:obj:23034605 + + + + /etc/security/limits.conf + ^\s*[^#*\s]+\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ + 1 + + + /etc/security/limits.d + .*\.conf$ + ^\s*[^#*\s]+\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ + 1 + + + /etc/tmux.conf + ^\s*set\s+-g\s+lock-command\s+vlock\s*(?:#.*)?$ + 1 + + + /etc/tmux.conf + ^\s*bind\s+X\s+lock-session\s*(?:#.*)?$ + 1 + + + /etc/pam.d/password-auth + ^\s*password\s+(?:required|requisite)\s+pam_pwquality\.so\b + 1 + + + /etc/pam.d/password-auth + ^\s*password\s+(?:required|requisite)\s+pam_pwhistory\.so\s+[^#\n]*\bremember=(\d+)\b + 1 + + + /etc/pam.d/system-auth + ^[ \t]*password[ \t]+(?:(?:required)|(?:requisite))[ \t]+pam_pwquality\.so(?:[ \t]+|(?:[ \t][^#\r\f\n]+[ \t]+))retry=([0-9]+)(?:\s|$) + 1 + + + redhat-release + + + /var + + + /var/log + net.ipv6.conf.all.disable_ipv6 @@ -15441,11 +15713,6 @@ The sysctl --system command will load settings from all system configuration fil policycoreutils - - /etc/ssh/sshd_config - ^\s*(?i)ClientAliveCountMax(?-i)\s+"?(\d+)"?\s*(?:|(?:#.*))?$ - 1 - /var/log/messages 
@@ -15689,22 +15956,9 @@ The sysctl --system command will load settings from all system configuration fil ^\s*(?i)KerberosAuthentication(?-i)\s+(\w+)\s*(?:|(?:#.*))?$ 1 - - /var - - - /etc/fstab - ^[^# \t]+\s+/var\s+ - 1 - /var/log - - /etc/fstab - ^[^# \t]+\s+/var/log\s+ - 1 - @@ -15970,50 +16224,6 @@ The sysctl --system command will load settings from all system configuration fil ^\s*even_deny_root\s*$ 1 - - - oval:mil.disa.stig.rhel8:obj:19201 - oval:mil.disa.stig.rhel8:obj:19202 - - - - /etc/security/limits.conf - ^\s*\*\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ - 1 - - - /etc/security/limits.d - .*.conf$ - ^\s*\*\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.rhel8:obj:19204 - oval:mil.disa.stig.rhel8:obj:19205 - - - - /etc/security/limits.conf - ^\s*[^#*\s]+\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ - 1 - - - /etc/security/limits.d - .*.conf$ - ^\s*[^#*\s]+\s+(?:(?:hard)|(?:-))\s+maxlogins\s+(\d+)\s*$ - 1 - - - /etc/tmux.conf - ^\s*set\s+-g\s+lock-command\s+vlock\s*(?:#.*)?$ - 1 - - - /etc/tmux.conf - ^\s*bind\s+X\s+lock-session\s*(?:#.*)?$ - 1 - /etc/profile.d \.sh$ @@ -16030,11 +16240,6 @@ The sysctl --system command will load settings from all system configuration fil tmux 1 - - /etc/pam.d/password-auth - ^\s*password\s+(?:required|requisite)\s+pam_pwquality\.so\b - 1 - /etc/security @@ -16196,11 +16401,6 @@ The sysctl --system command will load settings from all system configuration fil ^root:[^:]*:[^:]*:[^:]*:: 1 - - /etc/pam.d/password-auth - ^\s*password\s+(?:required|requisite)\s+pam_pwhistory\.so\s+[^#\n]*\bremember=(\d+)\b - 1 - ^/etc/security/pwquality\.conf.*$ .* @@ -17563,8 +17763,36 @@ The sysctl --system command will load settings from all system configuration fil ^[^:]+::[^:]*:[^:]*: 1 + + + .* + + + + oval:mil.disa.stig.unix:obj:20000008 + oval:mil.disa.stig.unix:ste:20000002 + + + + + + + 1 + + + ^[123]$ + + + 10 + + + 5 + + + 8\.[0-3] + 2 
@@ -17626,9 +17854,6 @@ The sysctl --system command will load settings from all system configuration fil 1.17 - - 1 - false false @@ -17671,10 +17896,6 @@ The sysctl --system command will load settings from all system configuration fil symbolic link - - false - false - 1000 @@ -17826,9 +18047,6 @@ The sysctl --system command will load settings from all system configuration fil 2 - - 10 - 0 @@ -17871,9 +18089,6 @@ The sysctl --system command will load settings from all system configuration fil ^nobody - - 5 - 15 @@ -17922,18 +18137,6 @@ The sysctl --system command will load settings from all system configuration fil (?i)^enriched$ - - false - false - false - false - false - false - false - false - false - false - 0 @@ -18092,8 +18295,38 @@ The sysctl --system command will load settings from all system configuration fil 0 + + symbolic link + + + false + false + + + false + false + false + false + false + false + false + false + false + false + + + /bin + /sbin + /usr/bin + /usr/sbin + /usr/local/bin + /usr/local/sbin + + + + /bin /sbin @@ -18182,12 +18415,12 @@ The sysctl --system command will load settings from all system configuration fil - + repotool 5.10 - 2022-12-30T15:15:39 + 2023-03-28T17:41:02
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index d0ee8502dc3..e44d28b7045 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -22,14 +22,13 @@ description: 'This profile contains configuration checks that align to the
 - Red Hat Containers with a Red Hat Enterprise Linux 8 image'
 extends: null
 metadata:
- version: V1R9
+ version: V1R10
 SMEs:
 - mab879
 - ggbecker
 reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 selections:
 - account_disable_post_pw_expiration
-- account_emergency_expire_date
 - account_password_selinux_faillock_dir
 - account_temp_expire_date
 - account_unique_id
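Review bot: Removing `account_emergency_expire_date` from the selections leaves RHEL-08-020270 covered by `account_temp_expire_date` alone, which is only consistent if the dropped rule no longer carries a `stigid@rhel8: RHEL-08-020270` reference of its own; if it still does, the generated STIG-to-rule mapping will list a rule this profile does not select. Please confirm that reference was retired in the rule's references alongside this fixture update, since the fixture cannot express that on its own. The same removal appears in the stig_gui.profile fixture below, and the same check applies there.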
@@ -315,6 +314,7 @@ selections:
 - package_krb5-workstation_removed
 - package_libreport-plugin-logger_removed
 - package_libreport-plugin-rhtsupport_removed
+- package_mailx_installed
 - package_mcafeetp_installed
 - package_opensc_installed
 - package_openssh-server_installed
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 42a0e194dd2..67492fdc6a3 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -33,14 +33,13 @@ description: 'This profile contains configuration checks that align to the
 standard DISA STIG for Red Hat Enterprise Linux 8 profile.'
 extends: null
 metadata:
- version: V1R9
+ version: V1R10
 SMEs:
 - mab879
 - ggbecker
 reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 selections:
 - account_disable_post_pw_expiration
-- account_emergency_expire_date
 - account_password_selinux_faillock_dir
 - account_temp_expire_date
 - account_unique_id
@@ -325,6 +324,7 @@ selections:
 - package_krb5-server_removed
 - package_krb5-workstation_removed
 - package_libreport-plugin-logger_removed
+- package_mailx_installed
 - package_mcafeetp_installed
 - package_opensc_installed
 - package_openssh-server_installed