From f3b373fb208985b14f91c8f3c347022bd7ce2e4e Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 18 Jan 2023 14:02:17 +0100 Subject: [PATCH 1/3] Update DISA RHEL7 STIG manual benchmark to V3R10 --- ...=> disa-stig-rhel7-v3r10-xccdf-manual.xml} | 936 ++++++++++-------- 1 file changed, 531 insertions(+), 405 deletions(-) rename shared/references/{disa-stig-rhel7-v3r9-xccdf-manual.xml => disa-stig-rhel7-v3r10-xccdf-manual.xml} (80%) diff --git a/shared/references/disa-stig-rhel7-v3r9-xccdf-manual.xml b/shared/references/disa-stig-rhel7-v3r10-xccdf-manual.xml similarity index 80% rename from shared/references/disa-stig-rhel7-v3r9-xccdf-manual.xml rename to shared/references/disa-stig-rhel7-v3r10-xccdf-manual.xml index ffcf35275ee..2ac417f0e02 100644 --- a/shared/references/disa-stig-rhel7-v3r9-xccdf-manual.xml +++ b/shared/references/disa-stig-rhel7-v3r10-xccdf-manual.xml 
@@ -1,30 +1,30 @@ -acceptedRed Hat Enterprise Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 9 Benchmark Date: 27 Oct 20223.4.0.342221.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000257-GPOS-00098<GroupDescription></GroupDescription>RHEL-07-010010The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.<VulnDiscussion>Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. 
-Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71849SV-86473CCI-001494CCI-001496CCI-002165CCI-002235Run the following command to determine which package owns the file: +Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71849SV-86473CCI-001494CCI-001496CCI-002165CCI-002235Run the following command to determine which package owns the file: -# rpm -qf <filename> + # rpm -qf <filename> Reset the user and group ownership of files within a package with the following command: -# rpm --setugids <packagename> + # rpm --setugids <packagename> Reset the permissions of files within a package with the following command: -# rpm --setperms <packagename>Verify the file permissions, ownership, and group membership of system files and commands match the vendor values. + # rpm --setperms <packagename>Verify the file permissions, ownership, and group membership of system files and commands match the vendor values. 
Check the default file permissions, ownership, and group membership of system files and commands with the following command: -# for i in `rpm -Va | egrep '^.{1}M|^.{5}U|^.{6}G' | cut -d " " -f 4,5`;do for j in `rpm -qf $i`;do rpm -ql $j --dump | cut -d " " -f 1,5,6,7 | grep $i;done;done + # for i in `rpm -Va | grep -E '^.{1}M|^.{5}U|^.{6}G' | cut -d " " -f 4,5`;do for j in `rpm -qf $i`;do rpm -ql $j --dump | cut -d " " -f 1,5,6,7 | grep $i;done;done -/var/log/gdm 040755 root root -/etc/audisp/audisp-remote.conf 0100640 root root -/usr/bin/passwd 0104755 root root + /var/log/gdm 040755 root root + /etc/audisp/audisp-remote.conf 0100640 root root + /usr/bin/passwd 0104755 root root For each file returned, verify the current permissions, ownership, and group membership: -# ls -la <filename> + # ls -la <filename> --rw-------. 1 root root 133 Jan 11 13:25 /etc/audisp/audisp-remote.conf + -rw-------. 1 root root 2017 Nov 1 10:03 /etc/audisp/audisp-remote.conf If the file is more permissive than the default permissions, this is a finding. 
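Review bot: the rename of shared/references/disa-stig-rhel7-v3r9-xccdf-manual.xml to disa-stig-rhel7-v3r10-xccdf-manual.xml is not matched in this patch by an update to whatever still points at the old filename, so the build will not locate the reference until that follows (confirm it lands in PATCH 2/3 or 3/3). Within the hunk, the benchmark header line carrying "Release: 9 Benchmark Date: 27 Oct 2022" is removed but its replacement is not visible in the quoted lines; confirm the + side carries "Release: 10" and the matching benchmark date so the metadata agrees with the new filename. The check command also moves from `egrep` to `grep -E`, a harmless upstream modernization, but any OVAL or Ansible content in this repo that mirrors that check line verbatim should be kept in step.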
@@ -186,35 +186,35 @@ By using this IS (which includes any device attached to this IS), you consent to If the operating system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. -If the text in the "/etc/issue" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-07-010060The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +If the text in the "/etc/issue" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-07-010060The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. 
-Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86515V-71891CCI-000056Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures. +Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86515V-71891CCI-000056Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures. 
Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following example: -# touch /etc/dconf/db/local.d/00-screensaver + # touch /etc/dconf/db/local.d/00-screensaver Edit the "[org/gnome/desktop/screensaver]" section of the database file and add or update the following lines: -# Set this to true to lock the screen when the screensaver activates -lock-enabled=true + # Set this to true to lock the screen when the screensaver activates + lock-enabled=true Update the system databases: -# dconf update + # dconf update -Users must log out and back in again before the system-wide settings take effect. Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. The screen program must be installed to lock sessions on the console. +Users must log out and back in again before the system-wide settings take effect.Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. Note: If the system does not have GNOME installed, this requirement is Not Applicable. Check to see if the screen lock is enabled with the following command: -# grep -i lock-enabled /etc/dconf/db/local.d/* -lock-enabled=true + # grep -ir lock-enabled /etc/dconf/db/local.d/ | grep -v locks + lock-enabled=true If the "lock-enabled" setting is missing or is not set to "true", this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-07-010061The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.<VulnDiscussion>To assure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system. 
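Review bot: the check text for RHEL-07-010060 changes from `grep -i lock-enabled /etc/dconf/db/local.d/*` to `grep -ir lock-enabled /etc/dconf/db/local.d/ | grep -v locks`, so the assessor now searches recursively and deliberately ignores the locks/ subdirectory; the repo's own check for the corresponding rule should be compared against this so that a setting placed in a nested directory is judged the same way by both. The same hunk drops "The screen program must be installed to lock sessions on the console." from the check text; any rule that was mapped to RHEL-07-010060 only on the strength of that sentence (for example one requiring the screen package) should have its STIG reference reviewed, since V3R10 no longer states that requirement here.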
@@ -250,179 +250,174 @@ Note: The example is using the database local for the system, so the path is "/e enable-smartcard-authentication=true -If "enable-smartcard-authentication" is set to "false" or the keyword is missing, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010070The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. +If "enable-smartcard-authentication" is set to "false" or the keyword is missing, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010070The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. 
-The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71893SV-86517CCI-000057Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. +The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71893SV-86517CCI-000057Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. 
Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: -# touch /etc/dconf/db/local.d/00-screensaver + # touch /etc/dconf/db/local.d/00-screensaver Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines: -[org/gnome/desktop/session] -# Set the lock time out to 900 seconds before the session is considered idle -idle-delay=uint32 900 + [org/gnome/desktop/session] + # Set the lock time out to 900 seconds before the session is considered idle + idle-delay=uint32 900 You must include the "uint32" along with the integer key values as shown. Update the system databases: -# dconf update + # dconf update -Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console. +Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces. Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
Check to see if GNOME is configured to display a screensaver after a 15 minute delay with the following command: -# grep -i idle-delay /etc/dconf/db/local.d/* -idle-delay=uint32 900 + # grep -i idle-delay /etc/dconf/db/local.d/* + idle-delay=uint32 900 -If the "idle-delay" setting is missing or is not set to "900" or less, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010081The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. +If the "idle-delay" setting is missing or is not set to "900" or less, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010081The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. 
-The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73155SV-87807CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. +The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73155SV-87807CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. 
-# touch /etc/dconf/db/local.d/locks/session + # touch /etc/dconf/db/local.d/locks/session Add the setting to lock the screensaver lock delay: -/org/gnome/desktop/screensaver/lock-delayVerify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. + /org/gnome/desktop/screensaver/lock-delayVerify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. -Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. Determine which profile the system database is using with the following command: -# grep system-db /etc/dconf/profile/user - -system-db:local + # grep system-db /etc/dconf/profile/user + system-db:local Check for the lock delay setting with the following command: Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. -# grep -i lock-delay /etc/dconf/db/local.d/locks/* + # grep -i lock-delay /etc/dconf/db/local.d/locks/* + /org/gnome/desktop/screensaver/lock-delay -/org/gnome/desktop/screensaver/lock-delay +If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010082The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. -If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010082The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73157SV-87809CCI-000057Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces. 
+The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73157SV-87809CCI-000057Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in /etc/dconf/profile/user, the file should be created under the appropriate subdirectory. -# touch /etc/dconf/db/local.d/locks/session + # touch /etc/dconf/db/local.d/locks/session Add the setting to lock the session idle delay: -/org/gnome/desktop/session/idle-delayVerify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. + /org/gnome/desktop/session/idle-delayVerify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. -Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
Determine which profile the system database is using with the following command: -# grep system-db /etc/dconf/profile/user - -system-db:local + # grep system-db /etc/dconf/profile/user + system-db:local Check for the session idle delay setting with the following command: Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. -# grep -i idle-delay /etc/dconf/db/local.d/locks/* - -/org/gnome/desktop/session/idle-delay + # grep -i idle-delay /etc/dconf/db/local.d/locks/* + /org/gnome/desktop/session/idle-delay -If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010100The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. +If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010100The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71899SV-86523CCI-000057Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces. +The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71899SV-86523CCI-000057Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces. 
Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: -# touch /etc/dconf/db/local.d/00-screensaver + # touch /etc/dconf/db/local.d/00-screensaver Add the setting to enable screensaver locking after 15 minutes of inactivity: -[org/gnome/desktop/screensaver] + [org/gnome/desktop/screensaver] -idle-activation-enabled=true + idle-activation-enabled=true Update the system databases: -# dconf update + # dconf update -Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console. +Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces. -Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable. +Note: If the system does not have a GNOME installed, this requirement is Not Applicable. Check for the session lock settings with the following commands: -# grep -i idle-activation-enabled /etc/dconf/db/local.d/* - -idle-activation-enabled=true + # grep -i idle-activation-enabled /etc/dconf/db/local.d/* + idle-activation-enabled=true -If "idle-activation-enabled" is not set to "true", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010101The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. 
+If "idle-activation-enabled" is not set to "true", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010101The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. -The ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78997SV-93703CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. +The ability to enable/disable a session lock is given to the user by default. 
Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78997SV-93703CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. -# touch /etc/dconf/db/local.d/locks/session + # touch /etc/dconf/db/local.d/locks/session Add the setting to lock the screensaver idle-activation-enabled setting: -/org/gnome/desktop/screensaver/idle-activation-enabledVerify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. + /org/gnome/desktop/screensaver/idle-activation-enabledVerify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. -Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
Determine which profile the system database is using with the following command: -# grep system-db /etc/dconf/profile/user + # grep system-db /etc/dconf/profile/user -system-db:local + system-db:local Check for the idle-activation-enabled setting with the following command: Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. -# grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/* + # grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/* -/org/gnome/desktop/screensaver/idle-activation-enabled + /org/gnome/desktop/screensaver/idle-activation-enabled -If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010110The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. +If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010110The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71901SV-86525CCI-000057Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated. +The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71901SV-86525CCI-000057Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated. 
Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: -# touch /etc/dconf/db/local.d/00-screensaver + # touch /etc/dconf/db/local.d/00-screensaver Add the setting to enable session locking when a screensaver is activated: -[org/gnome/desktop/screensaver] -lock-delay=uint32 5 + [org/gnome/desktop/screensaver] + lock-delay=uint32 5 The "uint32" must be included along with the integer key values as shown. Update the system databases: -# dconf update + # dconf update -Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated. +Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated. -Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. If GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command: -# grep -i lock-delay /etc/dconf/db/local.d/* -lock-delay=uint32 5 + # grep -i lock-delay /etc/dconf/db/local.d/* + lock-delay=uint32 5 If the "lock-delay" setting is missing, or is not set to "5" or less, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-07-010118The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.<VulnDiscussion>Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. 
PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95715V-81003CCI-000192Configure PAM to utilize /etc/pam.d/system-auth when changing passwords. 
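Review bot: the `+Note:` lines for RHEL-07-010101 and RHEL-07-010110 drop the sentence "The screen program must be installed to lock sessions on the console." from the Not Applicable note, which narrows the scope of the vendor check text. Worth confirming that the project rules mapped to these two STIG IDs do not carry a `screen` package dependency or quote the old sentence in their description, and queuing that update so the generated STIG profile matches V3R10. The typo "initiates a session lock a for graphical user interfaces" survives unchanged in the `+` line; since this file mirrors the published benchmark verbatim, leave it here and just avoid copying it into the project's own rule text.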
@@ -556,25 +551,25 @@ Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.c $ sudo grep maxclassrepeat /etc/security/pwquality.conf maxclassrepeat = 4 -If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010200The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71919SV-86543CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. +If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010200The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71919SV-86543CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. Add the following line in "/etc/pam.d/system-auth": -pam_unix.so sha512 shadow try_first_pass use_authtok + pam_unix.so sha512 shadow try_first_pass use_authtok Add the following line in "/etc/pam.d/password-auth": -pam_unix.so sha512 shadow try_first_pass use_authtok + pam_unix.so sha512 shadow try_first_pass use_authtok -Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. +Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. 
Check that the system is configured to create SHA512 hashed passwords with the following command: -# grep password /etc/pam.d/system-auth /etc/pam.d/password-auth + # grep password /etc/pam.d/system-auth /etc/pam.d/password-auth Outcome should look like following: -/etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok -/etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok + /etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok + /etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok -If the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" configuration files allow for password hashes other than SHA512 to be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010210The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71921SV-86545CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. 
+If the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" configuration files allow for password hashes other than SHA512 to be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010210The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71921SV-86545CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. Add or update the following line in "/etc/login.defs": 
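Review bot: the replacement note for RHEL-07-010200 introduces a cross-reference that this hunk does not define: "Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility". Please confirm that V3R10 actually defines RHEL-07-010199 elsewhere in the new file and that the project has a rule mapped to it; otherwise the profile will point operators at a requirement it does not implement, and the old guidance ("The "authconfig" program should not be used") is gone without a replacement control.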
@@ -585,7 +580,7 @@ Check that the system is configured to create SHA512 hashed passwords with the f # grep -i encrypt /etc/login.defs ENCRYPT_METHOD SHA512 -If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010220The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71923SV-86547CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. +If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010220The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. 
If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71923SV-86547CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. Add or update the following line in "/etc/libuser.conf" in the [defaults] section: 
@@ -634,19 +629,18 @@ If the "PASS_MAX_DAYS" parameter value is not 60 or less, or is commented out, t # awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow If any results are returned that are not associated with a system account, this is a finding. -SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>RHEL-07-010270The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71933SV-86557CCI-000200Configure the operating system to prohibit password reuse for a minimum of five generations. +SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>RHEL-07-010270The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71933SV-86557CCI-000200Configure the operating system to prohibit password reuse for a minimum of five generations. Add the following line in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" (or modify the line to have the required value): -password requisite pam_pwhistory.so use_authtok remember=5 retry=3 + password requisite pam_pwhistory.so use_authtok remember=5 retry=3 -Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.Verify the operating system prohibits password reuse for a minimum of five generations. +Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.Verify the operating system prohibits password reuse for a minimum of five generations. 
Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" with the following command: -# grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth - -password requisite pam_pwhistory.so use_authtok remember=5 retry=3 + # grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth + password requisite pam_pwhistory.so use_authtok remember=5 retry=3 If the line containing the "pam_pwhistory.so" line does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-07-010280The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
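Review bot: the same authconfig note rewrite appears here for RHEL-07-010270 and again in the later hunks for RHEL-07-010290, RHEL-07-010320 and RHEL-07-010330, so any project rule description that quotes the former wording ("Manual changes to the listed files may be overwritten by the "authconfig" program") needs the same update in one pass rather than rule by rule. Separately, the blank line between "# grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth" and its expected output is removed in the `+` lines; that is vendor formatting and should not be re-added locally.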
@@ -661,13 +655,13 @@ Check for the value of the "minlen" option in "/etc/security/pwquality.conf" wit # grep minlen /etc/security/pwquality.conf minlen = 15 -If the command does not return a "minlen" value of 15 or greater, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010290The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71937SV-86561CCI-000366If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. +If the command does not return a "minlen" value of 15 or greater, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010290The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71937SV-86561CCI-000366If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords. -Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.To verify that null passwords cannot be used, run the following command: +Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.To verify that null passwords cannot be used, run the following command: -# grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth + # grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth If this produces any output, it may be possible to log on with accounts with empty passwords. 
@@ -696,24 +690,24 @@ Verify the operating system disables account identifiers (individuals, groups, r # grep -i inactive /etc/default/useradd INACTIVE=35 -If "INACTIVE" is set to "-1", a value greater than "35", is commented out, or is not defined, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010320The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. +If "INACTIVE" is set to "-1", a value greater than "35", is commented out, or is not defined, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010320The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. 
-Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71943SV-86567CCI-000044CCI-002236CCI-002237CCI-002238Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made. +Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71943SV-86567CCI-000044CCI-002236CCI-002237CCI-002238Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made. 
Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth sufficient pam_unix.so try_first_pass -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth sufficient pam_unix.so try_first_pass +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +account required pam_faillock.so -Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command: +Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command: -# grep pam_faillock.so /etc/pam.d/password-auth + # grep pam_faillock.so /etc/pam.d/password-auth -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth [default=die] 
pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +account required pam_faillock.so If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. @@ -727,11 +721,11 @@ Note: The maximum configurable value for "unlock_time" is "604800". If any line referencing the "pam_faillock.so" module is commented out, this is a finding. -# grep pam_faillock.so /etc/pam.d/system-auth + # grep pam_faillock.so /etc/pam.d/system-auth -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +account required pam_faillock.so If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. 
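Review bot: the `-auth required pam_faillock.so ...` and `+auth required pam_faillock.so ...` lines in both faillock hunks read identically as rendered, so the change should be whitespace-only (consistent with the leading space added to the "# grep pam_faillock.so /etc/pam.d/password-auth" command lines). Please verify with `git diff -w` that nothing else moved, because the line "+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900" appears split across two lines at the end of the first hunk; an actual line break inside a PAM example line would change what the check text tells an operator to look for.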
@@ -743,30 +737,32 @@ If the "unlock_time" parameter is not set to "0", "never", or is set to a value Note: The maximum configurable value for "unlock_time" is "604800". -If any line referencing the "pam_faillock.so" module is commented out, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010330The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. +If any line referencing the "pam_faillock.so" module is commented out, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010330The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. -Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71945SV-86569CCI-002238Configure the operating system to automatically lock the root account, for a minimum of 15 minutes, when three unsuccessful logon attempts in 15 minutes are made. 
+Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71945SV-86569CCI-002238Configure the operating system to automatically lock the root account, for a minimum of 15 minutes, when three unsuccessful logon attempts in 15 minutes are made. Modify the first three lines of the auth section and the first line of the account section of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth sufficient pam_unix.so try_first_pass -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth sufficient pam_unix.so try_first_pass +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +account required pam_faillock.so + +Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.Verify the operating system automatically locks the root account, for a minimum of 15 minutes, when three unsuccessful logon attempts in 15 minutes are made. -Note: Manual changes to the listed files may be overwritten by the "authconfig" program. 
The "authconfig" program should not be used to update the configurations listed in this requirement.Verify the operating system automatically locks the root account, for a minimum of 15 minutes, when three unsuccessful logon attempts in 15 minutes are made. + # grep pam_faillock.so /etc/pam.d/password-auth -# grep pam_faillock.so /etc/pam.d/password-auth -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +account required pam_faillock.so If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding. 
-# grep pam_faillock.so /etc/pam.d/system-auth -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so + # grep pam_faillock.so /etc/pam.d/system-auth + +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +account required pam_faillock.so If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010340The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
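Review bot: the new fix text drops the explicit instruction not to use the "authconfig" program and instead cross-references requirement RHEL-07-010199, so please confirm that ID is present in the V3R10 file this patch introduces; otherwise the cross-reference dangles. Also note that the added check lines now carry a leading space before "# grep pam_faillock.so /etc/pam.d/password-auth" and "# grep pam_faillock.so /etc/pam.d/system-auth", and the system-auth example gains an extra blank line between the command and its output where the password-auth example has none. This is vendor-published text and should stay verbatim, but anything in the project that reads these check blocks expecting a line-initial "#" prompt will need to tolerate the indentation.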
@@ -821,7 +817,7 @@ Check the value of the "fail_delay" parameter in the "/etc/login.defs" file with # grep -i fail_delay /etc/login.defs FAIL_DELAY 4 -If the value of "FAIL_DELAY" is not set to "4" or greater, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010440The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71953SV-86577CCI-000366Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface. 
+If the value of "FAIL_DELAY" is not set to "4" or greater, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010440The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71953SV-86577CCI-000366Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface. Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
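Review bot: the removed and added "If the value of "FAIL_DELAY" ..." lines read identically, so this hunk is a whitespace-only change (most likely trailing whitespace or line endings), and the same holds for the hunks at -837, -853, -866, -976, -1095 and -1837, where the only difference in each is between otherwise identical "this is a finding." lines. Worth confirming with "git diff -w" that nothing substantive is hidden in them and that the renamed file keeps one consistent line-ending style, since mixed endings in the reference XML make future benchmark bumps noisier to review.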
@@ -837,7 +833,7 @@ Check for the value of the "AutomaticLoginEnable" in the "/etc/gdm/custom.conf" # grep -i automaticloginenable /etc/gdm/custom.conf AutomaticLoginEnable=false -If the value of "AutomaticLoginEnable" is not set to "false", this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010450The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71955SV-86579CCI-000366Configure the operating system to not allow an unrestricted account to log on to the system via a graphical user interface. 
+If the value of "AutomaticLoginEnable" is not set to "false", this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010450The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71955SV-86579CCI-000366Configure the operating system to not allow an unrestricted account to log on to the system via a graphical user interface. Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
@@ -853,7 +849,7 @@ Check for the value of the "TimedLoginEnable" parameter in "/etc/gdm/custom.conf # grep -i timedloginenable /etc/gdm/custom.conf TimedLoginEnable=false -If the value of "TimedLoginEnable" is not set to "false", this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010460The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86581V-71957CCI-000366Configure the operating system to not allow users to override environment variables to the SSH daemon. 
+If the value of "TimedLoginEnable" is not set to "false", this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010460The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86581V-71957CCI-000366Configure the operating system to not allow users to override environment variables to the SSH daemon. Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "PermitUserEnvironment" keyword and set the value to "no": 
@@ -866,7 +862,7 @@ Check for the value of the "PermitUserEnvironment" keyword with the following co # grep -i permituserenvironment /etc/ssh/sshd_config PermitUserEnvironment no -If the "PermitUserEnvironment" keyword is not set to "no", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010470The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86583V-71959CCI-000366Configure the operating system to not allow a non-certificate trusted host SSH logon to the system. 
+If the "PermitUserEnvironment" keyword is not set to "no", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010470The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86583V-71959CCI-000366Configure the operating system to not allow a non-certificate trusted host SSH logon to the system. Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "HostbasedAuthentication" keyword and set the value to "no": 
@@ -976,7 +972,7 @@ Check to see if the "ypserve" package is installed with the following command: # yum list installed ypserv -If the "ypserv" package is installed, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020020The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. +If the "ypserv" package is installed, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020020The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86595V-71971CCI-002165CCI-002235Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. 
@@ -1016,71 +1012,59 @@ All authorized non-administrative users must be mapped to the "user_u" SELinux u If they are not mapped in this way, this is a finding. If administrator accounts are mapped to the "sysadm_u" SELinux user and are not documented as an operational requirement with the ISSO, this is a finding. -If administrator accounts are mapped to the "sysadm_u" SELinux user and are documented as an operational requirement with the ISSO, this can be downgraded to a CAT III.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-07-020030The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. +If administrator accounts are mapped to the "sysadm_u" SELinux user and are documented as an operational requirement with the ISSO, this can be downgraded to a CAT III.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-07-020030The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86597V-71973CCI-001744Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used: +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86597V-71973CCI-001744Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. 
It will set cron to run AIDE daily, but other file integrity tools may be used: -# more /etc/cron.daily/aide -#!/bin/bash + # more /etc/cron.daily/aide + #!/bin/bash -/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.milVerify the operating system routinely checks the baseline configuration for unauthorized changes. + /usr/sbin/aide --check | /var/spool/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.milVerify the operating system routinely checks the baseline configuration for unauthorized changes. Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week. -Check to see if AIDE is installed on the system with the following command: - -# yum list installed aide - -If AIDE is not installed, ask the SA how file integrity checks are performed on the system. - Check for the presence of a cron job running daily or weekly on the system that executes AIDE daily to scan for changes to the system baseline. The command used in the example will use a daily occurrence. Check the cron directories for a script file controlling the execution of the file integrity application. 
For example, if AIDE is installed on the system, use the following command: -# ls -al /etc/cron.* | grep aide --rwxr-xr-x 1 root root 29 Nov 22 2015 aide + # ls -al /etc/cron.* | grep aide + -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide -# grep aide /etc/crontab /var/spool/cron/root -/etc/crontab: 30 04 * * * root /usr/sbin/aide --check -/var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check + # grep aide /etc/crontab /var/spool/cron/root + /etc/crontab: 30 04 * * * root /usr/sbin/aide --check + /var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check -If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-07-020040The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. +If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-07-020040The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. 
-Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71975SV-86599CCI-001744Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71975SV-86599CCI-001744Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. -# more /etc/cron.daily/aide + # more /etc/cron.daily/aide -/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.milVerify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner. + /usr/sbin/aide --check | /var/spool/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.milVerify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner. Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed and notify specified individuals via email or an alert. -Check to see if AIDE is installed on the system with the following command: - -# yum list installed aide - -If AIDE is not installed, ask the SA how file integrity checks are performed on the system. 
- Check for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. The commands used in the example will use a daily occurrence. Check the cron directories for a "crontab" script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command: + + # ls -al /etc/cron.* | grep aide + -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide -# ls -al /etc/cron.* | grep aide --rwxr-xr-x 1 root root 32 Jul 1 2011 aide - -# grep aide /etc/crontab /var/spool/cron/root -/etc/crontab: 30 04 * * * root /usr/sbin/aide --check -/var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check + # grep aide /etc/crontab /var/spool/cron/root + /etc/crontab: 30 04 * * * root /usr/sbin/aide --check + /var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check AIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example: -# more /etc/cron.daily/aide -#!/bin/bash + # more /etc/cron.daily/aide + #!/bin/bash -/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil + /usr/sbin/aide --check | /var/spool/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil -If the file integrity application does not notify designated personnel of changes, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-07-020050The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of 
the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. +If the file integrity application does not notify designated personnel of changes, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-07-020050The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. 
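Review bot: the updated AIDE cron examples in RHEL-07-020030 and RHEL-07-020040 pipe the check output into "/var/spool/mail -s ..." where the V3R9 text had "/bin/mail -s ...". /var/spool/mail is the mail spool directory, not a mail client, so the example as published will not deliver the notification the requirement asks for; "/bin/mail" was the working command. The reference file should stay as DISA shipped it, but please make sure the project's own fix text and remediation for these two rules are not regenerated from this string. Separately, the check text no longer asks the assessor to run "yum list installed aide" before looking for the cron job, and the role title changes from IMO to ISSM in both VulnDiscussion blocks; any rule description the project keeps aligned with the benchmark wording will want the same updates.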
@@ -1095,7 +1079,7 @@ gpgcheck=1 If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. -If there is no process to validate certificates that is approved by the organization, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-07-020060The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. +If there is no process to validate certificates that is approved by the organization, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-07-020060The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. 
@@ -1457,23 +1441,21 @@ Check the home directory assignment for all local interactive users on the syste -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj -If any home directories referenced in "/etc/passwd" are not owned by the interactive user, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020650The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.<VulnDiscussion>If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86645V-72021CCI-000366Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". 
To change the group owner of a local interactive user's home directory, use the following command: +If any home directories referenced in "/etc/passwd" are not owned by the interactive user, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020650The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.<VulnDiscussion>If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86645V-72021CCI-000366Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users. -# chgrp users /home/smithjVerify the assigned home directory of all local interactive users is group-owned by that user's primary GID. + # chgrp users /home/smithjVerify the assigned home directory of all local interactive users is group-owned by that user's primary GID. 
Check the home directory assignment for all local interactive users on the system with the following command: -# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) - --rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj + # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) + -rwxr-x--- 1 smithj users 13 Apr 1 04:20 /home/smithj Check the user's primary group with the following command: -# grep $(grep smithj /etc/passwd | awk -F: ‘{print $4}’) /etc/group - -users:x:250:smithj,jonesj,jacksons + # grep $(grep smithj /etc/passwd | awk -F: '{print $4}') /etc/group + users:x:250:smithj,marinc,chongt If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020660The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner.<VulnDiscussion>Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86647V-72023CCI-000366Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on RHEL 7 with the "chown" command: 
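Review bot: The substantive change in this hunk is the replacement of the typographic quotes around `{print $4}` with ASCII single quotes in the `grep $(grep smithj /etc/passwd | awk -F: '{print $4}') /etc/group` check for RHEL-07-020650; the old form would not run if pasted into a shell, so it is worth carrying. The other differences (a leading space before each `#` command, a new sample `ls -ld` timestamp, new sample group members in the `users:x:250:` line) are cosmetic, and since this file mirrors the DISA benchmark they should stay verbatim rather than be re-wrapped locally. Both old and new text still grep the GID unanchored against /etc/group, so a GID such as 250 would also match 2500; that is upstream wording and not something to alter in the reference file, but the repository's own check content for this rule should not copy that pattern.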
@@ -1837,7 +1819,7 @@ If the "tmp.mount" service is not enabled, check to see if "/tmp" is defined in # grep -i /tmp /etc/fstab UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4 rw,relatime,discard,data=ordered,nosuid,noexec, 0 0 -If "tmp.mount" service is not enabled or the "/tmp" directory is not defined in the fstab with a device and mount point, this is a finding. SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-021350The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. +If "tmp.mount" service is not enabled or the "/tmp" directory is not defined in the fstab with a device and mount point, this is a finding. SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-021350The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. 
Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86691V-72067CCI-000068CCI-001199CCI-002450CCI-002476Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package. 
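Review bot: The removed and added lines in this hunk (the tmp.mount finding text running into RHEL-07-021350) read identically in the visible content, so the actual change must be in whitespace, line endings or other invisible characters; please confirm it comes from the renamed V3R10 source as published and is not a re-wrap introduced by an editor. In the unchanged context, the fstab sample ends with `nosuid,noexec,` followed by a stray comma before `0 0`; that is upstream text and should be left as-is.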
@@ -1916,85 +1898,60 @@ Verify the file /etc/system-fips exists. # ls -l /etc/system-fips -If this file does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021600The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).<VulnDiscussion>ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86693V-72069CCI-000366Configure the file integrity tool to check file and directory ACLs. - -If AIDE is installed, ensure the "acl" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify ACLs. - -Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command: - -# yum list installed aide - -If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. 
+If this file does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021600The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).<VulnDiscussion>ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86693V-72069CCI-000366Configure the file integrity tool to check file and directory ACLs. -If there is no application installed to perform file integrity checks, this is a finding. +If AIDE is installed, ensure the "acl" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify ACLs. Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. Use the following command to determine if the file is in another location: -# find / -name aide.conf + # find / -name aide.conf Check the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists. 
An example rule that includes the "acl" rule is below: -All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux -/bin All # apply the custom rule to the files in bin -/sbin All # apply the same custom rule to the files in sbin + All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux + /bin All # apply the custom rule to the files in bin + /sbin All # apply the same custom rule to the files in sbin -If the "acl" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021610The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.<VulnDiscussion>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86695V-72071CCI-000366Configure the file integrity tool to check file and directory extended attributes. 
+If the "acl" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021610The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.<VulnDiscussion>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86695V-72071CCI-000366Configure the file integrity tool to check file and directory extended attributes. -If AIDE is installed, ensure the "xattrs" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify extended attributes. - -Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command: - -# yum list installed aide - -If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. - -If there is no application installed to perform file integrity checks, this is a finding. +If AIDE is installed, ensure the "xattrs" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify extended attributes. Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. 
Use the following command to determine if the file is in another location: - -# find / -name aide.conf + # find / -name aide.conf Check the "aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists. An example rule that includes the "xattrs" rule follows: -All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux -/bin All # apply the custom rule to the files in bin -/sbin All # apply the same custom rule to the files in sbin + All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux + /bin All # apply the custom rule to the files in bin + /sbin All # apply the same custom rule to the files in sbin -If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021620The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.<VulnDiscussion>File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes. +If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021620The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.<VulnDiscussion>File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes. 
Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86697V-72073CCI-000366Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. -If AIDE is installed, ensure the "sha512" rule is present on all uncommented file and directory selection lists. Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications.Verify the file integrity tool is configured to use FIPS 140-2-approved cryptographic hashes for validating file contents and directories. - -Check to see if AIDE is installed on the system with the following command: - -# yum list installed aide - -If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. - -If there is no application installed to perform file integrity checks, this is a finding. +If AIDE is installed, ensure the "sha512" rule is present on all uncommented file and directory selection lists. Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications.Verify the file integrity tool is configured to use FIPS 140-2-approved cryptographic hashes for validating file contents and directories. Note: AIDE is highly configurable at install time. 
These commands assume the "aide.conf" file is under the "/etc" directory. Use the following command to determine if the file is in another location: -# find / -name aide.conf + # find / -name aide.conf Check the "aide.conf" file to determine if the "sha512" rule has been added to the rule list being applied to the files and directories selection lists. Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications. An example rule that includes the "sha512" rule follows: - -All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux -/bin All # apply the custom rule to the files in bin -/sbin All # apply the same custom rule to the files in sbin + + All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux + /bin All # apply the custom rule to the files in bin + /sbin All # apply the same custom rule to the files in sbin If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-021700The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.<VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. 
If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86699V-72075CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.Verify the system is not configured to use a boot loader on removable media. 
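Review bot: This hunk drops the "Check to see if Advanced Intrusion Detection Environment (AIDE) is installed ... # yum list installed aide ... If there is no application installed to perform file integrity checks, this is a finding." paragraphs from the check text of RHEL-07-021600, RHEL-07-021610 and RHEL-07-021620, so these three rules no longer produce a finding merely because no file integrity tool is present; they now assess only whether the "acl", "xattrs" and "sha512" rules appear on all uncommented selection lines in aide.conf. If any rule descriptions, profile mappings or OVAL content in this repository were derived from the older wording for these STIG IDs, they should be reviewed against the narrowed scope. The example rule lines (`All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux`, `/bin All ...`, `/sbin All ...`) only gain leading whitespace, which is fine to keep as upstream publishes it.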
@@ -2047,47 +2004,46 @@ Check to see if auditing is active by issuing the following command: # systemctl is-active auditd.service active -If the "auditd" status is not active, this is a finding.SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>RHEL-07-030010The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. +If the "auditd" status is not active, this is a finding.SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>RHEL-07-030010The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. 
This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. -Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72081SV-86705CCI-000139Configure the operating system to shut down in the event of an audit processing failure. +Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72081SV-86705CCI-000139Configure the operating system to shut down in the event of an audit processing failure. 
Add or correct the option to shut down the operating system with the following command: -# auditctl -f 2 + # auditctl -f 2 Edit the "/etc/audit/rules.d/audit.rules" file and add the following line: --f 2 + -f 2 If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command: -# auditctl -f 1 + # auditctl -f 1 Edit the "/etc/audit/rules.d/audit.rules" file and add the following line: --f 1 + -f 1 Kernel log monitoring must also be configured to properly alert designated staff. -The audit daemon must be restarted for the changes to take effect.Confirm the audit configuration regarding how auditing processing failures are handled. +The audit daemon must be restarted for the changes to take effect.Confirm the audit configuration regarding how auditing processing failures are handled. Check to see what level "auditctl" is set to with following command: -# auditctl -s | grep -i "fail" - -failure 2 + # auditctl -s | grep -i "fail" + failure 2 -Note: If the value of "failure" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure. If the value of "failure" is set to "1", the system is configured to only send information to the kernel log regarding the failure. +Note: If the value of "failure" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure. If the value of "failure" is set to "1", the system will not shut down and instead will record the audit failure in the kernel log. If the system is configured as per requirement RHEL-07-031000, the kernel log will be sent to a log aggregation server and generate an alert. If the "failure" setting is set to any value other than "1" or "2", this is a finding. If the "failure" setting is not set, this should be upgraded to a CAT I finding. 
-If the "failure" setting is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030201The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If the "failure" setting is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030201The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. 
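Review bot: The expanded Note for RHEL-07-030010 now says that with "failure" set to "1" the system records the audit failure in the kernel log and that, "If the system is configured as per requirement RHEL-07-031000, the kernel log will be sent to a log aggregation server and generate an alert." That introduces a cross-reference to RHEL-07-031000 which the previous text did not have; the rule descriptions in this repository that are aligned to this benchmark text for the audit failure mode (`auditctl -f 2` versus `auditctl -f 1`) should pick up the new wording so the downgrade-to-CAT-III condition ("no monitoring of the kernel log") stays consistent with it. The command and rule lines themselves (`-f 2`, `-f 1`, `auditctl -s | grep -i "fail"`, `failure 2`) are unchanged apart from leading whitespace.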
@@ -2114,7 +2070,7 @@ format = string If "active" is not set to "yes", "direction" is not set to "out", "path" is not set to "/sbin/audisp-remote", "type" is not set to "always", or any of the lines are commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media. -If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030210The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030210The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. 
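Review bot: As with the tmp.mount hunk, the `-`/`+` pair here (the RHEL-07-030201 finding text running into RHEL-07-030210) is identical in visible content, so the change is invisible whitespace or line endings; the same pattern repeats in the following hunks for RHEL-07-030210, 030211, 030300, 030310, 030320, 030321 and 030330. Please confirm these lines are taken from the upstream V3R10 XML unchanged so that a future diff against the vendor file stays clean.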
@@ -2134,7 +2090,7 @@ overflow_action = syslog If the "overflow_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate what action that system takes when the internal queue is full. -If there is no evidence the system is configured to off-load audit logs to a different system or storage media or, if the configuration does not take appropriate action when the internal queue is full, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030211The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If there is no evidence the system is configured to off-load audit logs to a different system or storage media or, if the configuration does not take appropriate action when the internal queue is full, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030211The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. 
@@ -2154,7 +2110,7 @@ name_format = hostname If the "name_format" option is not "hostname", "fqd", or "numeric", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate if the logs are labeled appropriately. -If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not appropriately label logs before they are off-loaded, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030300The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not appropriately label logs before they are off-loaded, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030300The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. 
@@ -2169,7 +2125,7 @@ remote_server = 10.0.21.1 If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. -If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030310The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030310The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. 
@@ -2186,7 +2142,7 @@ enable_krb5 = yes If the value of the "enable_krb5" option is not set to "yes" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. -If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030320The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.<VulnDiscussion>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. +If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030320The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.<VulnDiscussion>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72087SV-86711CCI-001851Configure the action the operating system takes if the disk the audit records are written to becomes full. 
Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line: 
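Review bot: The unchanged context in this hunk carries the upstream spelling "audisp-remote dameon" in the RHEL-07-030320 discussion (and again for RHEL-07-030321 in the next hunk). Since this file is a verbatim copy of the DISA benchmark it should not be corrected locally, but anyone grepping the reference for "daemon" should be aware of it.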
@@ -2200,7 +2156,7 @@ disk_full_action = single If the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate the action taken when the disk is full on the remote server. -If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action when the disk is full on the remote server, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030321The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.<VulnDiscussion>Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records. +If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action when the disk is full on the remote server, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030321The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.<VulnDiscussion>Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records. 
One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73163SV-87815CCI-001851Configure the action the operating system takes if there is an error sending audit records to a remote system. Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt". 
@@ -2214,7 +2170,7 @@ network_failure_action = syslog If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate the action taken if there is an error sending audit records to the remote system. -If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action if there is an error sending audit records to the remote system, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030330The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72089SV-86713CCI-001855Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. 
+If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action if there is an error sending audit records to the remote system, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030330The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72089SV-86713CCI-001855Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size. space_left = 25% 
@@ -2230,7 +2186,7 @@ Determine what the threshold is for the system to take action when 75 percent of $ sudo grep -iw space_left /etc/audit/auditd.conf space_left = 25% -If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030340The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72091SV-86715CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. 
+If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030340The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72091SV-86715CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" and set it to "email". 
@@ -2241,7 +2197,7 @@ Check what action the operating system takes when the threshold for the reposito # grep -i space_left_action /etc/audit/auditd.conf space_left_action = email -If the value of the "space_left_action" keyword is not set to "email", this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030350The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72093SV-86717CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. 
+If the value of the "space_left_action" keyword is not set to "email", this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030350The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72093SV-86717CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. Uncomment or edit the "action_mail_acct" keyword in "/etc/audit/auditd.conf" and set it to root and any other accounts associated with security personnel. 
@@ -3071,7 +3027,7 @@ $ModLoad imrelp If any of the above modules are being loaded in the "/etc/rsyslog.conf" file, ask to see the documentation for the system being used for log aggregation. -If the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding.SRG-OS-000027-GPOS-00008<GroupDescription></GroupDescription>RHEL-07-040000The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.<VulnDiscussion>Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. +If the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding.SRG-OS-000027-GPOS-00008<GroupDescription></GroupDescription>RHEL-07-040000The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.<VulnDiscussion>Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. 
The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72217SV-86841CCI-000054Configure the operating system to limit the number of concurrent sessions to "10" for all accounts and/or account types. 
@@ -3108,7 +3064,7 @@ public (default, active) Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. -If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-040110The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. +If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-040110The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. 
@@ -3222,7 +3178,7 @@ By using this IS (which includes any device attached to this IS), you consent to If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. -If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040180The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. +If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040180The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. 
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72227SV-86851CCI-001453Configure the operating system to implement cryptography to protect the integrity of LDAP authentication sessions. 
@@ -3254,7 +3210,7 @@ Ensure that LDAP is configured to use TLS by using the following command: # grep -i "start_tls" /etc/sssd/sssd.conf ldap_id_use_start_tls = true -If the "ldap_id_use_start_tls" option is not "true", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040190The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. +If the "ldap_id_use_start_tls" option is not "true", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040190The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72229SV-86853CCI-001453Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions. 
@@ -3288,7 +3244,7 @@ ldap_tls_reqcert = demand If the "ldap_tls_reqcert" setting is missing, commented out, or does not exist, this is a finding. -If the "ldap_tls_reqcert" setting is not set to "demand" or "hard", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040200The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. +If the "ldap_tls_reqcert" setting is not set to "demand" or "hard", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040200The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86855V-72231CCI-001453Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions. 
@@ -3323,29 +3279,29 @@ ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt Verify the "ldap_tls_cacert" option points to a file that contains the trusted CA certificate. -If this file does not exist, or the option is commented out or missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040201The Red Hat Enterprise Linux operating system must implement virtual address space randomization.<VulnDiscussion>Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-92521V-77825CCI-000366Configure the operating system implement virtual address space randomization. +If this file does not exist, or the option is commented out or missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040201The Red Hat Enterprise Linux operating system must implement virtual address space randomization.<VulnDiscussion>Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. 
Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-92521V-77825CCI-000366Configure the operating system implement virtual address space randomization. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -kernel.randomize_va_space = 2 + kernel.randomize_va_space = 2 Issue the following command to make the changes take effect: -# sysctl --systemVerify the operating system implements virtual address space randomization. + # sysctl --systemVerify the operating system implements virtual address space randomization. -# grep kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d/* + # grep -r kernel.randomize_va_space /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null + kernel.randomize_va_space = 2 -kernel.randomize_va_space = 2 - -If "kernel.randomize_va_space" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "2", this is a finding. +If "kernel.randomize_va_space" is not configured in the /etc/sysctl.conf file or or in any of the other sysctl.d directories, is commented out or does not have a value of "2", this is a finding. 
Check that the operating system implements virtual address space randomization with the following command: -# /sbin/sysctl -a | grep kernel.randomize_va_space + # /sbin/sysctl -a | grep kernel.randomize_va_space + kernel.randomize_va_space = 2 -kernel.randomize_va_space = 2 +If "kernel.randomize_va_space" does not have a value of "2", this is a finding. -If "kernel.randomize_va_space" does not have a value of "2", this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-07-040300The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +If conflicting results are returned, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-07-040300The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
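Review bot: the RHEL-07-040201 check now searches every sysctl drop-in location (`# grep -r kernel.randomize_va_space /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null`) instead of only /etc/sysctl.conf and /etc/sysctl.d/*, and adds a second failure condition, "If conflicting results are returned, this is a finding." That is a change in what the benchmark evaluates, not a wording fix, so it is worth confirming that the project's automated check for kernel.randomize_va_space inspects the same directories and flags conflicting definitions, otherwise an automated pass can disagree with a manual assessment when a later drop-in file overrides the value. The added lines also carry upstream artifacts (a doubled word in "/etc/sysctl.conf file or or in any of the other sysctl.d directories" and leading spaces before the command and value lines); since this file is a verbatim import of the published DISA benchmark, keeping them as published is the right call rather than patching them locally.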
@@ -3486,7 +3442,7 @@ To determine how the SSH daemon's "IgnoreUserKnownHosts" option is set, run the IgnoreUserKnownHosts yes -If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>RHEL-07-040390The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.<VulnDiscussion>SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. +If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>RHEL-07-040390The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.<VulnDiscussion>SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86875V-72251CCI-000197CCI-000366Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows: 
@@ -3506,7 +3462,7 @@ Check that the SSH daemon is configured to only use the SSHv2 protocol with the Protocol 2 #Protocol 1,2 -If any protocol line other than "Protocol 2" is uncommented, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040400The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.<VulnDiscussion>DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA. +If any protocol line other than "Protocol 2" is uncommented, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040400The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.<VulnDiscussion>DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA. The system will attempt to use the first hash presented by the client that matches the server list. 
Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86877V-72253CCI-001453Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512" and/or "hmac-sha2-256" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): 
@@ -3537,19 +3493,19 @@ The following command will find all SSH public key files on the system: -rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub -rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub -If any file has a mode more permissive than "0644", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040420The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0600 or less permissive.<VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72257SV-86881CCI-000366Configure the mode of SSH private host key files under "/etc/ssh" to "0600" with the following command: +If any file has a mode more permissive than "0644", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040420The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive.<VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS 
TargetRed Hat Enterprise Linux 72899V-72257SV-86881CCI-000366Configure the mode of SSH private host key files under "/etc/ssh" to "0640" with the following command: -# chmod 0600 /path/to/file/ssh_host*keyVerify the SSH private host key files have mode "0600" or less permissive. +# chmod 0640 /path/to/file/ssh_host*keyVerify the SSH private host key files have mode "0640" or less permissive. The following command will find all SSH private key files on the system and list their modes: -# find / -name '*ssh_host*key' | xargs ls -lL + # find / -name '*ssh_host*key' | xargs ls -lL --rw------- 1 root ssh_keys 668 Nov 28 06:43 ssh_host_dsa_key --rw------- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key --rw------- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key + -rw-r----- 1 root ssh_keys 112 Apr 1 11:59 ssh_host_dsa_key + -rw-r----- 1 root ssh_keys 202 Apr 1 11:59 ssh_host_key + -rw-r----- 1 root ssh_keys 352 Apr 1 11:59 ssh_host_rsa_key -If any file has a mode more permissive than "0600", this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-040430The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.<VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. 
GSSAPI authentication must be disabled unless needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72259SV-86883CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": +If any file has a mode more permissive than "0640", this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-040430The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.<VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. 
GSSAPI authentication must be disabled unless needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72259SV-86883CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": GSSAPIAuthentication no 
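Review bot: the relaxation of RHEL-07-040420 from mode 0600 to 0640 is only sound because the sample output shows the private keys group-owned by ssh_keys ("-rw-r----- 1 root ssh_keys 352 Apr 1 11:59 ssh_host_rsa_key"), yet neither the fix text ("# chmod 0640 /path/to/file/ssh_host*key") nor the finding criterion ("If any file has a mode more permissive than "0640", this is a finding.") verifies group ownership, so a 0640 key with some other group would pass this check while still exposing the host key. The vendored benchmark should stay verbatim, but whatever rule and OVAL in this repository implement RHEL-07-040420 should be moved to 0640 in the follow-up patches of this series and should keep (or add) a check that the group is ssh_keys rather than only loosening the mode test. The V/SV identifiers (V-72257, SV-86881) and CCI-000366 are unchanged, so the mode value is the only mapping change to carry over.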
@@ -3601,18 +3557,20 @@ Check that the SSH daemon performs privilege separation with the following comma UsePrivilegeSeparation sandbox -If the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040470The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.<VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86891V-72267CCI-000366Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no": +If the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040470The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.<VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in 
compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86891V-72267CCI-000366Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no": + + Compression no -Compression no +The SSH service must be restarted for changes to take effect.Note: For RHEL 7.4 and above, this requirement is not applicable. -The SSH service must be restarted for changes to take effect.Verify the SSH daemon performs compression after a user successfully authenticates. +Verify the SSH daemon performs compression after a user successfully authenticates. 
Check that the SSH daemon performs compression after a user successfully authenticates with the following command: -# grep -i compression /etc/ssh/sshd_config -Compression delayed + # grep -i compression /etc/ssh/sshd_config + Compression delayed -If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>RHEL-07-040500The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. +If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>RHEL-07-040500The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. 
Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. 
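Review bot: the new applicability exception for RHEL-07-040470 ("Note: For RHEL 7.4 and above, this requirement is not applicable.") is attached only to the fix text; the check text that follows still reads "If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding." with no version qualifier, so an assessor working from the check alone would still flag a 7.4+ host that has no Compression line. Nothing to change in the vendored XML, but the project's rule for this STIG ID should carry the 7.4+ applicability condition on the check side and not only in remediation, otherwise it will keep reporting findings the benchmark now declares not applicable.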
@@ -3772,172 +3730,186 @@ Verify that the "/etc/resolv.conf" file is immutable with the following command: ----i----------- /etc/resolv.conf -If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040610The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72283SV-86907CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040610The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, 
which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72283SV-86907CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.conf.all.accept_source_route = 0 + net.ipv4.conf.all.accept_source_route = 0 Issue the following command to make the changes take effect: -# sysctl -systemVerify the system does not accept IPv4 source-routed packets. + # sysctl -systemVerify the system does not accept IPv4 source-routed packets. -# grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* + # grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null + net.ipv4.conf.all.accept_source_route = 0 -net.ipv4.conf.all.accept_source_route = 0 - -If " net.ipv4.conf.all.accept_source_route " is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding. +If "net.ipv4.conf.all.accept_source_route" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding. 
Check that the operating system implements the accept source route variable with the following command: -# /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route -net.ipv4.conf.all.accept_source_route = 0 + # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route + net.ipv4.conf.all.accept_source_route = 0 + +If the returned line does not have a value of "0", this is a finding. -If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040611The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92251SV-102353CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040611The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.<VulnDiscussion>Enabling reverse path filtering drops packets with 
source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92251SV-102353CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.conf.all.rp_filter = 1 + net.ipv4.conf.all.rp_filter = 1 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system uses a reverse-path filter for IPv4: + # sysctl --systemVerify the system uses a reverse-path filter for IPv4: -# grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d/* -net.ipv4.conf.all.rp_filter = 1 + # grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null + net.ipv4.conf.all.rp_filter = 1 -If "net.ipv4.conf.all.rp_filter" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "1", this is a finding. +If "net.ipv4.conf.all.rp_filter" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "1", this is a finding. 
Check that the operating system implements the accept source route variable with the following command: -# /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter -net.ipv4.conf.all.rp_filter = 1 + # /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter + net.ipv4.conf.all.rp_filter = 1 -If the returned line does not have a value of "1", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040612The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92253SV-102355CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +If the returned line does not have a value of "1", this is a finding. 
-net.ipv4.conf.default.rp_filter = 1 +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040612The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92253SV-102355CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): + + net.ipv4.conf.default.rp_filter = 1 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system uses a reverse-path filter for IPv4: + # sysctl --systemVerify the system uses a reverse-path filter for IPv4: -# grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d/* -net.ipv4.conf.default.rp_filter = 1 + # grep -r net.ipv4.conf.default.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null + net.ipv4.conf.default.rp_filter = 1 -If "net.ipv4.conf.default.rp_filter" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not 
have a value of "1", this is a finding. +If "net.ipv4.conf.default.rp_filter" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "1", this is a finding. Check that the operating system implements the accept source route variable with the following command: -# /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter -net.ipv4.conf.default.rp_filter = 1 + # /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter + net.ipv4.conf.default.rp_filter = 1 + +If the returned line does not have a value of "1", this is a finding. -If the returned line does not have a value of "1", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040620The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72285SV-86909CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040620The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72285SV-86909CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.conf.default.accept_source_route = 0 + net.ipv4.conf.default.accept_source_route = 0 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system does not accept IPv4 source-routed packets by default. + # sysctl --systemVerify the system does not accept IPv4 source-routed packets by default. -# grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* -net.ipv4.conf.default.accept_source_route = 0 + # grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null + net.ipv4.conf.default.accept_source_route = 0 -If " net.ipv4.conf.default.accept_source_route " is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding. +If "net.ipv4.conf.default.accept_source_route" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding. 
Check that the operating system implements the accept source route variable with the following command: -# /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route -net.ipv4.conf.default.accept_source_route = 0 + # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route + net.ipv4.conf.default.accept_source_route = 0 -If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040630The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72287SV-86911CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +If the returned line does not have a value of "0", this is a finding. 
-net.ipv4.icmp_echo_ignore_broadcasts = 1 +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040630The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72287SV-86911CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): + + net.ipv4.icmp_echo_ignore_broadcasts = 1 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system does not respond to IPv4 ICMP echoes sent to a broadcast address. + # sysctl --systemVerify the system does not respond to IPv4 ICMP echoes sent to a broadcast address. -# grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/* + # grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null -If " net.ipv4.icmp_echo_ignore_broadcasts" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "1", this is a finding. 
+If "net.ipv4.icmp_echo_ignore_broadcasts" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "1", this is a finding. Check that the operating system implements the "icmp_echo_ignore_broadcasts" variable with the following command: -# /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts -net.ipv4.icmp_echo_ignore_broadcasts = 1 + # /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts + net.ipv4.icmp_echo_ignore_broadcasts = 1 + +If the returned line does not have a value of "1", this is a finding. -If the returned line does not have a value of "1", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040640The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86913V-72289CCI-000366Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040640The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86913V-72289CCI-000366Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.conf.default.accept_redirects = 0 + net.ipv4.conf.default.accept_redirects = 0 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system will not accept IPv4 ICMP redirect messages. + # sysctl --systemVerify the system will not accept IPv4 ICMP redirect messages. -# grep 'net.ipv4.conf.default.accept_redirects' /etc/sysctl.conf /etc/sysctl.d/* + # grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null -If " net.ipv4.conf.default.accept_redirects " is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding. +If "net.ipv4.conf.default.accept_redirects" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding. 
Check that the operating system implements the value of the "accept_redirects" variables with the following command: -# /sbin/sysctl -a | grep 'net.ipv4.conf.default.accept_redirects' -net.ipv4.conf.default.accept_redirects = 0 + # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_redirects + net.ipv4.conf.default.accept_redirects = 0 -If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040641The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87827V-73175CCI-000366Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +If the returned line does not have a value of "0", this is a finding. 
-net.ipv4.conf.all.accept_redirects = 0 +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040641The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87827V-73175CCI-000366Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): + + net.ipv4.conf.all.accept_redirects = 0 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system ignores IPv4 ICMP redirect messages. + # sysctl --systemVerify the system ignores IPv4 ICMP redirect messages. -# grep 'net.ipv4.conf.all.accept_redirects' /etc/sysctl.conf /etc/sysctl.d/* + # grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null -If " net.ipv4.conf.all.accept_redirects " is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding. 
+If "net.ipv4.conf.all.accept_redirects" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding. Check that the operating system implements the "accept_redirects" variables with the following command: -# /sbin/sysctl -a | grep 'net.ipv4.conf.all.accept_redirects' + # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_redirects + net.ipv4.conf.all.accept_redirects = 0 -net.ipv4.conf.all.accept_redirects = 0 +If the returned line does not have a value of "0", this is a finding. -If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040650The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72291SV-86915CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. 
+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040650The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72291SV-86915CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.conf.default.send_redirects = 0 + net.ipv4.conf.default.send_redirects = 0 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system does not allow interfaces to perform IPv4 ICMP redirects by default. + # sysctl --systemVerify the system does not allow interfaces to perform IPv4 ICMP redirects by default. 
-# grep 'net.ipv4.conf.default.send_redirects' /etc/sysctl.conf /etc/sysctl.d/* + # grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null -If "net.ipv4.conf.default.send_redirects" is not configured in the "/etc/sysctl.conf" file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding. +If "net.ipv4.conf.default.send_redirects" is not configured in the "/etc/sysctl.conf" file or in any of the other sysctl.d directories, is commented out or does not have a value of "0", this is a finding. Check that the operating system implements the "default send_redirects" variables with the following command: -# /sbin/sysctl -a | grep 'net.ipv4.conf.default.send_redirects' + # /sbin/sysctl -a | grep net.ipv4.conf.default.send_redirects + net.ipv4.conf.default.send_redirects = 0 -net.ipv4.conf.default.send_redirects = 0 +If the returned line does not have a value of "0", this is a finding. -If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040660The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72293SV-86917CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040660The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72293SV-86917CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects. 
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.conf.all.send_redirects = 0 + net.ipv4.conf.all.send_redirects = 0 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system does not send IPv4 ICMP redirect messages. + # sysctl --systemVerify the system does not send IPv4 ICMP redirect messages. -# grep 'net.ipv4.conf.all.send_redirects' /etc/sysctl.conf /etc/sysctl.d/* + # grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null -If "net.ipv4.conf.all.send_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding. +If "net.ipv4.conf.all.send_redirects" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out or does not have a value of "0", this is a finding. Check that the operating system implements the "all send_redirects" variables with the following command: -# /sbin/sysctl -a | grep 'net.ipv4.conf.all.send_redirects' + # /sbin/sysctl -a | grep net.ipv4.conf.all.send_redirects + net.ipv4.conf.all.send_redirects = 0 -net.ipv4.conf.all.send_redirects = 0 +If the returned line does not have a value of "0", this is a finding. -If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040670Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode.<VulnDiscussion>Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. 
If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040670Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode.<VulnDiscussion>Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems. If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72295SV-86919CCI-000366Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented. 
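Review bot: the V3R10 check text for the net.ipv4.conf.default.accept_redirects rule at the top of this hunk and for RHEL-07-040641, RHEL-07-040650 and RHEL-07-040660 replaces the old `grep '<key>' /etc/sysctl.conf /etc/sysctl.d/*` with a `grep -r` over /run/sysctl.d/*, /etc/sysctl.d/*, /usr/local/lib/sysctl.d/*, /usr/lib/sysctl.d/*, /lib/sysctl.d/* and /etc/sysctl.conf, and each rule gains the new criterion "If conflicting results are returned, this is a finding." Before this series lands, it is worth confirming that the project's sysctl rules mapped to these STIG IDs evaluate the same directory set and flag conflicting definitions of the key; otherwise the automated content will pass a configuration that the manual benchmark now treats as a finding. The imported text itself should stay as DISA published it, including the unchanged "may allow then to collect" typo in the RHEL-07-040670 discussion.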
@@ -4036,26 +4008,27 @@ $ rpm -qa | grep xorg | grep server Ask the System Administrator if use of a graphical user interface is an operational requirement. If the use of a graphical user interface on the system is not documented with the ISSO, this is a finding. -SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040740The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86933V-72309CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040740The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86933V-72309CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.ip_forward = 0 + net.ipv4.ip_forward = 0 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system is not performing packet forwarding, unless the system is a router. - -# grep net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d/* + # sysctl --systemVerify the system is not performing packet forwarding, unless the system is a router. -net.ipv4.ip_forward = 0 + # grep -r net.ipv4.ip_forward /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null + net.ipv4.ip_forward = 0 -If "net.ipv4.ip_forward" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding. +If "net.ipv4.ip_forward" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding. 
Check that the operating system does not implement IP forwarding using the following command: -# /sbin/sysctl -a | grep net.ipv4.ip_forward -net.ipv4.ip_forward = 0 + # /sbin/sysctl -a | grep net.ipv4.ip_forward + net.ipv4.ip_forward = 0 -If IP forwarding value is "1" and the system is hosting any application, database, or web servers, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040750The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.<VulnDiscussion>When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86935V-72311CCI-000366Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. +If IP forwarding value is "1" and the system is hosting any application, database, or web servers, this is a finding. 
+ +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040750The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.<VulnDiscussion>When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86935V-72311CCI-000366Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. Ensure the "sec" option is defined as "krb5:krb5i:krb5p".Verify "AUTH_GSS" is being used to authenticate NFS mounts. 
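Review bot: RHEL-07-040740 (net.ipv4.ip_forward) receives the same expanded `grep -r` directory list and the same added "If conflicting results are returned, this is a finding." criterion as the redirect rules in the previous hunk, so the alignment check for the project's sysctl rules should include this STIG ID as well; the existing "If IP forwarding value is "1" and the system is hosting any application, database, or web servers" criterion is kept unchanged alongside it.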
@@ -4139,28 +4112,29 @@ If the "IPsec" service is active, check to see if any tunnels are configured in If there are indications that a "conn" parameter is configured for a tunnel, ask the System Administrator if the tunnel is documented with the ISSO. -If "libreswan" is installed, "IPsec" is active, and an undocumented tunnel is active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040830The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72319SV-86943CCI-000366Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +If "libreswan" is installed, "IPsec" is active, and an undocumented tunnel is active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040830The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different 
path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72319SV-86943CCI-000366Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv6.conf.all.accept_source_route = 0 + net.ipv6.conf.all.accept_source_route = 0 Issue the following command to make the changes take effect: -# sysctl --systemIf IPv6 is not enabled, the key will not exist, and this is Not Applicable. + # sysctl --systemIf IPv6 is not enabled, the key will not exist, and this is Not Applicable. Verify the system does not accept IPv6 source-routed packets. -# grep net.ipv6.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* - -net.ipv6.conf.all.accept_source_route = 0 + # grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null + net.ipv6.conf.all.accept_source_route = 0 -If "net.ipv6.conf.all.accept_source_route" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding. 
+If "net.ipv6.conf.all.accept_source_route" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out or does not have a value of "0", this is a finding. Check that the operating system implements the accept source route variable with the following command: -# /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route -net.ipv6.conf.all.accept_source_route = 0 + # /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route + net.ipv6.conf.all.accept_source_route = 0 -If the returned lines do not have a value of "0", this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-07-041001The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. +If the returned lines do not have a value of "0", this is a finding. + +If conflicting results are returned, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-07-041001The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. 
@@ -4225,7 +4199,7 @@ cert_policy = ca, ocsp_on, signature; There should be at least three lines returned. -If "ocsp_on" is not present in all uncommented "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf", this is a finding.SRG-OS-000424-GPOS-00188<GroupDescription></GroupDescription>RHEL-07-041010The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled.<VulnDiscussion>The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73177SV-87829CCI-001443CCI-001444CCI-002418Configure the system to disable all wireless network interfaces with the following command: +If "ocsp_on" is not present in all uncommented "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf", this is a finding.SRG-OS-000424-GPOS-00188<GroupDescription></GroupDescription>RHEL-07-041010The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled.<VulnDiscussion>The use of wireless networking can introduce many different attack vectors into the organization's network. 
Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73177SV-87829CCI-001443CCI-001444CCI-002418Configure the system to disable all wireless network interfaces with the following command: #nmcli radio wifi offVerify that there are no wireless interfaces configured on the system. 
@@ -4278,40 +4252,36 @@ The virus scanning software should be configured to perform scans dynamically on If the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72213SV-86837CCI-001668CCI-000366Install an antivirus solution on the system.Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. -If there is no anti-virus solution installed on the system, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010062The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. - -The ability to enable/disable a session lock is given to the user by default. Disabling the user’s ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time. 
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78995SV-93701CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. +If there is no anti-virus solution installed on the system, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010062The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + +The session lock is implemented at the point where session activity can be determined. + +The ability to enable/disable a session lock is given to the user by default. 
Disabling the user’s ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78995SV-93701CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. -# touch /etc/dconf/db/local.d/locks/session + # touch /etc/dconf/db/local.d/locks/session Add the setting to lock the screensaver lock-enabled setting: -/org/gnome/desktop/screensaver/lock-enabled -Verify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface. + /org/gnome/desktop/screensaver/lock-enabledVerify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface. -Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
Determine which profile the system database is using with the following command: -# grep system-db /etc/dconf/profile/user - -system-db:local + # grep system-db /etc/dconf/profile/user + system-db:local Check for the lock-enabled setting with the following command: Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. -# grep -i lock-enabled /etc/dconf/db/local.d/locks/* - -/org/gnome/desktop/screensaver/lock-enabled + # grep -i lock-enabled /etc/dconf/db/local.d/locks/* + /org/gnome/desktop/screensaver/lock-enabled -If the command does not return a result, this is a finding. -SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-07-020111The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. +If the command does not return a result, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-07-020111The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. 
Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-100023SV-109127CCI-000366CCI-000778CCI-001958Configure the graphical user interface to disable the ability to automount devices. 
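Review bot: the only content change in this hunk is the removal of "The screen program must be installed to lock sessions on the console." from the RHEL-07-010062 note, and it is consistent with the standalone RHEL-07-010090 rule added later in this patch, which makes the screen (or tmux) package its own requirement; the remaining differences are a leading space before each command (e.g. ` # touch /etc/dconf/db/local.d/locks/session`) and dropped blank lines. Two things to confirm against the raw XML: the added line "If there is no anti-virus solution installed on the system, this is a finding." is the tail of the check text of the rule that precedes RHEL-07-010062 and only shows up here because that rule's closing element and the next Group share a line, so check that the preceding rule's check text was not otherwise truncated; and the fix text no longer ends with a newline, so it now abuts the check text ("/org/gnome/desktop/screensaver/lock-enabledVerify the operating system ..."), which is harmless to the XML but will be visible in any tooling that renders the fix text verbatim.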
@@ -4412,21 +4382,21 @@ $ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* If the either of the following entries are returned, this is a finding: ALL ALL=(ALL) ALL -ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010342The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. -For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: -Defaults !targetpw -Defaults !rootpw -Defaults !runaspw +ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010342The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. 
If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. +For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: + Defaults !targetpw + Defaults !rootpw + Defaults !runaspw Remove any configurations that conflict with the above from the following locations: -/etc/sudoers -/etc/sudoers.d/Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. + /etc/sudoers + /etc/sudoers.d/Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. -$ sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#' + $ sudo grep -Eir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#' -/etc/sudoers:Defaults !targetpw -/etc/sudoers:Defaults !rootpw -/etc/sudoers:Defaults !runaspw + /etc/sudoers:Defaults !targetpw + /etc/sudoers:Defaults !rootpw + /etc/sudoers:Defaults !runaspw If conflicting results are returned, this is a finding. If "Defaults !targetpw" is not defined, this is a finding. 
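Review bot: the RHEL-07-010342 check command still pipes through `grep -v '#'`, which drops any line containing a hash anywhere, so a live directive such as `Defaults rootpw` followed by a trailing comment would disappear from the output and the "If conflicting results are returned, this is a finding." condition could be missed; the wording is DISA's, but the limitation should be recorded wherever this check is mirrored in automated content, where matching lines that begin with optional whitespace and then `Defaults` is more robust than excluding every line with a hash. The switch from `egrep -ir` to `grep -Eir` is welcome, since `egrep` is obsolescent in current GNU grep releases. The path argument `/etc/sudoers.d*` (no trailing slash) is unchanged; it relies on shell globbing and, with `-r`, recurses the directory as intended.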
@@ -4492,7 +4462,7 @@ $ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg set superusers="[someuniquestringhere]" export superusers -If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020021The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. +If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020021The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002165CCI-002235Configure the operating system to confine SELinux users to roles that conform to least privilege. 
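Review bot: whitespace-only change: the removed and added RHEL-07-020021 VulnDiscussion lines carry identical text, and the GRUB check in the leading context (`set superusers="[someuniquestringhere]"`, finding if identical to an OS account name or missing a name) is untouched, so there is nothing to verify in this hunk beyond the diff noise.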
@@ -4519,7 +4489,7 @@ unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r user_u user s0 s0 user_r xguest_u user s0 s0 xguest_r -If the output differs from the above example, ask the SA to demonstrate how the SELinux User mappings are exercising least privilege. If deviations from the example are not documented with the ISSO and do not demonstrate least privilege, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020022The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. +If the output differs from the above example, ask the SA to demonstrate how the SELinux User mappings are exercising least privilege. If deviations from the example are not documented with the ISSO and do not demonstrate least privilege, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020022The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002165CCI-002235Configure the operating system to prevent privileged accounts from utilizing SSH. Use the following command to set the "ssh_sysadm_login" boolean to "off": 
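Review bot: whitespace-only change to the RHEL-07-020022 VulnDiscussion, with no change to the fix text. One caveat for anyone mirroring the RHEL-07-020021 check shown in the leading context: the SELinux user mapping listing (unconfined_u, user_u, xguest_u) is compared against an example and deviations are judged by the SA and documented with the ISSO, so that rule remains a manual judgement rather than a literal output comparison.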
@@ -4538,7 +4508,7 @@ Check the SELinux ssh_sysadm_login boolean with the following command: $ sudo getsebool ssh_sysadm_login ssh_sysadm_login --> off -If the "ssh_sysadm_login" boolean is not "off" and is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020023The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. +If the "ssh_sysadm_login" boolean is not "off" and is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020023The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002165CCI-002235Configure the operating system to elevate the SELinux context when an administrator calls the sudo command. Edit a file in the /etc/sudoers.d directory with the following command: 
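Review bot: whitespace-only change to the RHEL-07-020023 VulnDiscussion. Worth noting for the RHEL-07-020022 check in the leading context: `getsebool ssh_sysadm_login` reports the boolean's current runtime value, so a non-persistent `setsebool` would satisfy the expected `ssh_sysadm_login --> off` until the next reboot; reviewers should also confirm the setting is persistent.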
@@ -4604,21 +4574,43 @@ Check the configuration of the "/etc/pam.d/sudo" file with the following command $ sudo grep pam_succeed_if /etc/pam.d/sudo -If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020029The Red Hat Enterprise Linux operating system must use a file integrity tool to verify correct operation of all security functions.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. +If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020029The Red Hat Enterprise Linux operating system must use a file integrity tool to verify correct operation of all security functions.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. 
-This requirement applies to the Red Hat Enterprise Linux operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002696Install the AIDE package by running the following command: +This requirement applies to the Red Hat Enterprise Linux operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002696Install AIDE, initialize it, and perform a manual check. -$ sudo yum install aideVerify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions. +Install AIDE: + $ sudo yum install aide -Check that the AIDE package is installed with the following command: +Initialize it: + $ sudo /usr/sbin/aide --init + + AIDE, version 0.15.1 + ### AIDE database at /var/lib/aide/aide.db.new.gz initialized. 
+ +The new database will need to be renamed to be read by AIDE: + $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz + +Perform a manual check: + $ sudo /usr/sbin/aide --check + + AIDE, version 0.15.1 + ### All files match AIDE database. Looks okay! -$ sudo rpm -q aide +Done.Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions. -aide-0.15.1-13.el7.x86_64 +Check that the AIDE package is installed with the following command: + $ sudo rpm -q aide + + aide-0.15.1-13.el7.x86_64 If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. -If there is no application installed to perform integrity checks, this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>RHEL-07-010271The Red Hat Enterprise Linux operating system emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours.<VulnDiscussion>Emergency accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. +If there is no application installed to perform integrity checks, this is a finding. 
+ +If AIDE is installed, check if it has been initialized with the following command: + $ sudo /usr/sbin/aide --check + +If the output is "Couldn't open file /var/lib/aide/aide.db.gz for reading", this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>RHEL-07-010271The Red Hat Enterprise Linux operating system emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours.<VulnDiscussion>Emergency accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. 
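Review bot: the new initialization test in the RHEL-07-020029 check text keys on the literal message "Couldn't open file /var/lib/aide/aide.db.gz for reading", which assumes AIDE's default database location; on a host whose /etc/aide.conf `database=` line points elsewhere, an uninitialized database yields a different path in the error and a reviewer following the text verbatim could miss it, so automated content for this rule should test for the configured database rather than that string. The fix text's `aide --check` run immediately after `--init` and the rename will always report "All files match AIDE database" because nothing has changed yet; it confirms the database is readable, not that integrity is being monitored over time, which requires a recurring check. Also, the RHEL-07-020023 check in the leading context (`grep pam_succeed_if /etc/pam.d/sudo`) matches commented-out lines too, so a `#`-prefixed leftover would register as a finding under "If any occurrences of "pam_succeed_if" is returned".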
@@ -4633,4 +4625,138 @@ For every existing emergency account, run the following command to obtain its ac $ sudo chage -l system_account_name Verify each of these accounts has an expiration date set within 72 hours. -If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding. \ No newline at end of file +If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-040712The Red Hat Enterprise Linux operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.<VulnDiscussion>The use of FIPS-validated cryptographic algorithms is enforced by enabling kernel FIPS mode. In the event that kernel FIPS mode is disabled, the use of nonvalidated cryptographic algorithms will be permitted systemwide. The SSH server configuration must manually define only FIPS-validated key exchange algorithms to prevent the use of nonvalidated algorithms.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-001453Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in "/etc/ssh/sshd_config": + + KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 + +Restart the "sshd" service for changes to take effect: + + $ sudo systemctl restart sshdVerify that the SSH server is configured to use only FIPS-validated key exchange algorithms: + + $ sudo grep -i kexalgorithms /etc/ssh/sshd_config + 
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 + +If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010090The Red Hat Enterprise Linux operating system must have the screen package installed.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + +The screen and tmux packages allow for a session lock to be implemented and configured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000057Install the screen package to allow the initiation of a session lock after a 15-minute period of inactivity. + +Install the screen program (if it is not on the system) with the following command: + + # yum install screen + +OR + +Install the tmux program (if it is not on the system) with the following command: + + # yum install tmuxVerify the operating system has the screen package installed. 
+ +Check to see if the screen package is installed with the following command: + + # yum list installed screen + screen-4.3.1-3-x86_64.rpm + +If the screen package is not installed, check to see if the tmux package is installed with the following command: + + # yum list installed tmux + tmux-1.8-4.el7.x86_64.rpm + +If either the screen package or the tmux package is not installed, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-07-010375The Red Hat Enterprise Linux operating system must restrict access to the kernel message buffer.<VulnDiscussion>Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a non-privileged user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-001090Configure the operating system to restrict access to the kernel message buffer. 
+ +Set the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory: + + kernel.dmesg_restrict = 1 + +Remove any configurations that conflict with the above from the following locations: + /run/sysctl.d/ + /etc/sysctl.d/ + /usr/local/lib/sysctl.d/ + /usr/lib/sysctl.d/ + /lib/sysctl.d/ + /etc/sysctl.conf + +Reload settings from all system configuration files with the following command: + + $ sudo sysctl --systemVerify the operating system is configured to restrict access to the kernel message buffer with the following commands: + + $ sudo sysctl kernel.dmesg_restrict + kernel.dmesg_restrict = 1 + +If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding. + +Check that the configuration files are present to enable this kernel parameter: + + $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null + /etc/sysctl.conf:kernel.dmesg_restrict = 1 + /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1 + +If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding. + +If conflicting results are returned, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010199The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.<VulnDiscussion>When using the authconfig utility to modify authentication configuration settings, the "system-auth" and "password-auth" files and any custom settings that they may contain are overwritten. This can be avoided by creating new local configuration files and creating new or moving existing symbolic links to them. 
The authconfig utility will recognize the local configuration files and not overwrite them, while writing its own settings to the original configuration files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000196Create custom configuration files and their corresponding symbolic links: + +Rename the existing configuration files (skip this step if symbolic links are already present): + $ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac + $ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac + +Create custom system-auth configuration file: + $ sudo vi /etc/pam.d/system-auth-local + +The new file, at minimum, must contain the following lines: + +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth include system-auth-ac +auth sufficient pam_unix.so try_first_pass +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 + +account required pam_faillock.so +account include system-auth-ac + +password requisite pam_pwhistory.so use_authtok remember=5 retry=3 +password include system-auth-ac +password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok + +session include system-auth-ac + +Create custom password-auth configuration file: + $ sudo vi /etc/pam.d/password-auth-local + +The new file, at minimum, must contain the following lines: + +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth include password-auth-ac +auth sufficient pam_unix.so try_first_pass +auth 
[default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 + +account required pam_faillock.so +account include password-auth-ac + +password requisite pam_pwhistory.so use_authtok remember=5 retry=3 +password include password-auth-ac +password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok + +session include password-auth-ac + +Create new or move existing symbolic links to the new custom configuration files: + $ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth + $ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth + +Once finished you should have the following file structure: + $ sudo ls -1 /etc/pam.d/{password,system}-auth* + + /etc/pam.d/password-auth + /etc/pam.d/password-auth-ac + /etc/pam.d/password-auth-local + /etc/pam.d/system-auth + /etc/pam.d/system-auth-ac + /etc/pam.d/system-auth-local + +Done. + +Note: With this solution in place any custom settings to "system-auth" and "password-auth" will be retained and not overwritten by the use of the authconfig utility. The authconfig utility will write its settings to "system-auth-ac" and "password-auth-ac" and continue to function as expected.Verify "system-auth" and "password-auth" files are symbolic links pointing to "system-auth-local" and "password-auth-local": + $ sudo ls -l /etc/pam.d/{password,system}-auth + + lrwxrwxrwx. 1 root root 30 Apr 1 11:59 /etc/pam.d/password-auth -> /etc/pam.d/password-auth-local + lrwxrwxrwx. 1 root root 28 Apr 1 11:59 /etc/pam.d/system-auth -> /etc/pam.d/system-auth-local + +If system-auth and password-auth files are not symbolic links, this is a finding. + +If system-auth and password-auth are symbolic links but do not point to "system-auth-local" and "password-auth-local", this is a finding. \ No newline at end of file From c158305bfa79771c20e71794bdd1ef49e21c7cd4 Mon Sep 17 00:00:00 2001 
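Review bot: the last sentence of the new RHEL-07-010090 check text, "If either the screen package or the tmux package is not installed, this is a finding.", contradicts the steps before it, which accept tmux as the alternative when screen is absent; read literally it makes a tmux-only system a finding, so the intended condition is that neither package is installed, and automated content for this rule should implement the either-or logic rather than the sentence as written. Two smaller points in the same additions: the sample outputs `screen-4.3.1-3-x86_64.rpm` and `tmux-1.8-4.el7.x86_64.rpm` look like package file names rather than the name.arch, version and repository columns that `yum list installed` actually prints; and in RHEL-07-040712 the check `grep -i kexalgorithms /etc/ssh/sshd_config` also matches a commented `#KexAlgorithms` line, so the "is commented out" and "in exact order" conditions rest on the reviewer reading the output, not on the command. Style: the file still ends without a trailing newline ("\ No newline at end of file" on both sides), which this update could have fixed.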
From: Watson Sato Date: Wed, 18 Jan 2023 14:03:39 +0100 Subject: [PATCH 2/3] Update DISA STIG RHEL7 SCAP content to V3R10 --- ...l => disa-stig-rhel7-v3r10-xccdf-scap.xml} | 1571 +++++++---------- 1 file changed, 656 insertions(+), 915 deletions(-) rename shared/references/{disa-stig-rhel7-v3r9-xccdf-scap.xml => disa-stig-rhel7-v3r10-xccdf-scap.xml} (93%) diff --git a/shared/references/disa-stig-rhel7-v3r9-xccdf-scap.xml b/shared/references/disa-stig-rhel7-v3r10-xccdf-scap.xml similarity index 93% rename from shared/references/disa-stig-rhel7-v3r9-xccdf-scap.xml rename to shared/references/disa-stig-rhel7-v3r10-xccdf-scap.xml index e2f20af4c5b..ee53d14169c 100644 --- a/shared/references/disa-stig-rhel7-v3r9-xccdf-scap.xml +++ b/shared/references/disa-stig-rhel7-v3r10-xccdf-scap.xml @@ -1,37 +1,37 @@ - - + + - + - + - + - + - - + + - + Red Hat Enterprise Linux 7 - oval:mil.disa.stig.rhel7:def:1 + oval:mil.disa.stig.rhel7:def:1 - + - accepted + accepted Red Hat Enterprise Linux 7 STIG SCAP Benchmark This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. @@ -41,11 +41,11 @@ DISA STIG.DOD.MIL - Release: 3.9 Benchmark Date: 27 Oct 2022 + Release: 3.10 Benchmark Date: 26 Jan 2023 3.4.0.34222 1.10.0 - 003.009 + 003.010 DISA DISA @@ -1532,13 +1532,13 @@ CAT I Only This profile only includes rules that are Severity Category I. - + - - - - - + + + + + @@ -1549,23 +1549,23 @@ - - - + + + - + - - + + - + @@ -1584,16 +1584,16 @@ - - - - - - - - - - + + + + + + + + + + @@ -1632,10 +1632,10 @@ - - + + - + @@ -1644,31 +1644,31 @@ - + - + - + - - - - - - - + + + + + + + - - + + - + 
@@ -1948,14 +1948,14 @@ Update the system databases: Users must log out and back in again before the system-wide settings take effect. - + SRG-OS-000028-GPOS-00009 <GroupDescription></GroupDescription> - + RHEL-07-010060 The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures. <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. @@ -1976,25 +1976,25 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion SV-86515 V-71891 CCI-000056 - Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures. + Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following example: -# touch /etc/dconf/db/local.d/00-screensaver + # touch /etc/dconf/db/local.d/00-screensaver Edit the "[org/gnome/desktop/screensaver]" section of the database file and add or update the following lines: -# Set this to true to lock the screen when the screensaver activates -lock-enabled=true + # Set this to true to lock the screen when the screensaver activates + lock-enabled=true Update the system databases: -# dconf update + # dconf update Users must log out and back in again before the system-wide settings take effect. - + - + 
@@ -2038,14 +2038,14 @@ Update the system databases: # dconf update - + SRG-OS-000029-GPOS-00010 <GroupDescription></GroupDescription> - + RHEL-07-010070 The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. 
@@ -2062,36 +2062,36 @@ The session lock is implemented at the point where session activity can be deter V-71893 SV-86517 CCI-000057 - Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. + Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: -# touch /etc/dconf/db/local.d/00-screensaver + # touch /etc/dconf/db/local.d/00-screensaver Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines: -[org/gnome/desktop/session] -# Set the lock time out to 900 seconds before the session is considered idle -idle-delay=uint32 900 + [org/gnome/desktop/session] + # Set the lock time out to 900 seconds before the session is considered idle + idle-delay=uint32 900 You must include the "uint32" along with the integer key values as shown. Update the system databases: -# dconf update + # dconf update Users must log out and back in again before the system-wide settings take effect. - + - + SRG-OS-000029-GPOS-00010 <GroupDescription></GroupDescription> - + RHEL-07-010081 The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface. <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. 
@@ -2108,27 +2108,27 @@ The session lock is implemented at the point where session activity can be deter V-73155 SV-87807 CCI-000057 - Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. + Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. -# touch /etc/dconf/db/local.d/locks/session + # touch /etc/dconf/db/local.d/locks/session Add the setting to lock the screensaver lock delay: -/org/gnome/desktop/screensaver/lock-delay - + /org/gnome/desktop/screensaver/lock-delay + - + SRG-OS-000029-GPOS-00010 <GroupDescription></GroupDescription> - + RHEL-07-010100 The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces. <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. 
@@ -2145,33 +2145,33 @@ The session lock is implemented at the point where session activity can be deter V-71899 SV-86523 CCI-000057 - Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces. + Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: -# touch /etc/dconf/db/local.d/00-screensaver + # touch /etc/dconf/db/local.d/00-screensaver Add the setting to enable screensaver locking after 15 minutes of inactivity: -[org/gnome/desktop/screensaver] + [org/gnome/desktop/screensaver] -idle-activation-enabled=true + idle-activation-enabled=true Update the system databases: -# dconf update + # dconf update Users must log out and back in again before the system-wide settings take effect. - + - + SRG-OS-000029-GPOS-00010 <GroupDescription></GroupDescription> - + RHEL-07-010101 The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. 
@@ -2189,27 +2189,27 @@ The ability to enable/disable a session lock is given to the user by default. Di V-78997 SV-93703 CCI-000057 - Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. + Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. -# touch /etc/dconf/db/local.d/locks/session + # touch /etc/dconf/db/local.d/locks/session Add the setting to lock the screensaver idle-activation-enabled setting: -/org/gnome/desktop/screensaver/idle-activation-enabled - + /org/gnome/desktop/screensaver/idle-activation-enabled + - + SRG-OS-000029-GPOS-00010 <GroupDescription></GroupDescription> - + RHEL-07-010110 The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated. <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. 
@@ -2226,27 +2226,27 @@ The session lock is implemented at the point where session activity can be deter V-71901 SV-86525 CCI-000057 - Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated. + Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: -# touch /etc/dconf/db/local.d/00-screensaver + # touch /etc/dconf/db/local.d/00-screensaver Add the setting to enable session locking when a screensaver is activated: -[org/gnome/desktop/screensaver] -lock-delay=uint32 5 + [org/gnome/desktop/screensaver] + lock-delay=uint32 5 The "uint32" must be included along with the integer key values as shown. Update the system databases: -# dconf update + # dconf update Users must log out and back in again before the system-wide settings take effect. - + - + @@ -2274,7 +2274,7 @@ Add the following line to "/etc/pam.d/passwd" (or modify the line to have the re password substack system-auth - + @@ -2305,7 +2305,7 @@ password required pam_pwquality.so retry=3 Note: The value of "retry" should be between "1" and "3". - + @@ -2337,7 +2337,7 @@ ucredit = -1 - + @@ -2370,7 +2370,7 @@ lcredit = -1 - + @@ -2402,7 +2402,7 @@ dcredit = -1 - + @@ -2434,7 +2434,7 @@ ocredit = -1 - + @@ -2466,7 +2466,7 @@ difok = 8 - + @@ -2498,7 +2498,7 @@ minclass = 4 - + @@ -2530,7 +2530,7 @@ maxrepeat = 3 - + 
@@ -2562,14 +2562,14 @@ maxclassrepeat = 4 - + SRG-OS-000073-GPOS-00041 <GroupDescription></GroupDescription> - + RHEL-07-010200 The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords. <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -2584,25 +2584,25 @@ maxclassrepeat = 4 V-71919 SV-86543 CCI-000196 - Configure the operating system to store only SHA512 encrypted representations of passwords. + Configure the operating system to store only SHA512 encrypted representations of passwords. Add the following line in "/etc/pam.d/system-auth": -pam_unix.so sha512 shadow try_first_pass use_authtok + pam_unix.so sha512 shadow try_first_pass use_authtok Add the following line in "/etc/pam.d/password-auth": -pam_unix.so sha512 shadow try_first_pass use_authtok + pam_unix.so sha512 shadow try_first_pass use_authtok -Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement. - +Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used. + - + SRG-OS-000073-GPOS-00041 <GroupDescription></GroupDescription> - + RHEL-07-010210 The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords. <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
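Review bot: the replaced note for RHEL-07-010200 changes the guidance from "The authconfig program should not be used to update the configurations listed in this requirement" to "Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used", and the same substitution recurs in the RHEL-07-010270 and RHEL-07-010290 hunks further down. Any rule description, warning or generated profile text in the project that still quotes the old "should not be used" wording for these three requirements should be refreshed to cite RHEL-07-010199 and the `system-auth-local` / `password-auth-local` layout it introduces, so the project's output matches the V3R10 benchmark text being vendored here.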
@@ -2624,14 +2624,14 @@ Add or update the following line in "/etc/login.defs": ENCRYPT_METHOD SHA512 - + SRG-OS-000073-GPOS-00041 <GroupDescription></GroupDescription> - + RHEL-07-010220 The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -2653,7 +2653,7 @@ Add or update the following line in "/etc/libuser.conf" in the [defaults] sectio crypt_style = sha512 - + @@ -2683,7 +2683,7 @@ PASS_MIN_DAYS 1 - + @@ -2709,7 +2709,7 @@ PASS_MIN_DAYS 1 # chage -m 1 [user] - + @@ -2739,7 +2739,7 @@ PASS_MAX_DAYS 60 - + 
@@ -2765,14 +2765,14 @@ PASS_MAX_DAYS 60 # chage -M 60 [user] - + SRG-OS-000077-GPOS-00045 <GroupDescription></GroupDescription> - + RHEL-07-010270 The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations. <VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -2787,17 +2787,17 @@ PASS_MAX_DAYS 60 V-71933 SV-86557 CCI-000200 - Configure the operating system to prohibit password reuse for a minimum of five generations. + Configure the operating system to prohibit password reuse for a minimum of five generations. Add the following line in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" (or modify the line to have the required value): -password requisite pam_pwhistory.so use_authtok remember=5 retry=3 + password requisite pam_pwhistory.so use_authtok remember=5 retry=3 -Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement. - +Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used. + - + @@ -2829,14 +2829,14 @@ minlen = 15 - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-07-010290 The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords. <VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -2851,14 +2851,14 @@ minlen = 15 V-71937 SV-86561 CCI-000366 - If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. + If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords. -Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement. - +Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used. + - + @@ -2887,7 +2887,7 @@ PermitEmptyPasswords no The SSH service must be restarted for changes to take effect. Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. - + @@ -2919,7 +2919,7 @@ INACTIVE=35 DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires. - + @@ -2958,7 +2958,7 @@ $ sudo grep -ir nopasswd /etc/sudoers.d Remove any occurrences of "NOPASSWD" tags in the file. - + @@ -2997,7 +2997,7 @@ Check the configuration of the "/etc/sudoers.d/*" files with the following comma Remove any occurrences of "!authenticate" tags in the file(s). - + 
@@ -3029,14 +3029,14 @@ FAIL_DELAY 4 - + SRG-OS-000480-GPOS-00229 <GroupDescription></GroupDescription> - + RHEL-07-010440 The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface. <VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -3061,14 +3061,14 @@ Add or edit the line for the "AutomaticLoginEnable" parameter in the [daemon] se AutomaticLoginEnable=false - + SRG-OS-000480-GPOS-00229 <GroupDescription></GroupDescription> - + RHEL-07-010450 The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system. <VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -3093,14 +3093,14 @@ Add or edit the line for the "TimedLoginEnable" parameter in the [daemon] sectio TimedLoginEnable=false - + SRG-OS-000480-GPOS-00229 <GroupDescription></GroupDescription> - + RHEL-07-010460 The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables. <VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -3124,14 +3124,14 @@ PermitUserEnvironment no The SSH service must be restarted for changes to take effect. - + SRG-OS-000480-GPOS-00229 <GroupDescription></GroupDescription> - + RHEL-07-010470 The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system. <VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -3155,7 +3155,7 @@ HostbasedAuthentication no The SSH service must be restarted for changes to take effect. - + @@ -3183,7 +3183,7 @@ Add or modify the "ExecStart" line in "/usr/lib/systemd/system/rescue.service" t ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" - + @@ -3214,7 +3214,7 @@ Enter password: Confirm password: - + 
@@ -3245,7 +3245,7 @@ Enter password: Confirm password: - + @@ -3278,7 +3278,7 @@ If a privileged user were to log on using this service, the privileged user pass # yum remove rsh-server - + 
@@ -3305,19 +3305,19 @@ If a privileged user were to log on using this service, the privileged user pass # yum remove ypserv - + SRG-OS-000363-GPOS-00150 <GroupDescription></GroupDescription> - + RHEL-07-020030 The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly. <VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Red Hat Enterprise Linux 7 DISA 
@@ -3329,22 +3329,22 @@ Detecting such changes and providing an automated response can help avoid uninte SV-86597 V-71973 CCI-001744 - Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used: + Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used: -# more /etc/cron.daily/aide -#!/bin/bash + # more /etc/cron.daily/aide + #!/bin/bash -/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil - + /usr/sbin/aide --check | /var/spool/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil + - + SRG-OS-000366-GPOS-00153 <GroupDescription></GroupDescription> - + RHEL-07-020050 The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
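Review bot: the updated fix text for RHEL-07-020030 now reads `/usr/sbin/aide --check | /var/spool/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil` where the previous release had `/bin/mail -s ...`; `/var/spool/mail` is the mail spool directory, not a mail client, so the example cron script as printed can never deliver the integrity report and would silently discard the AIDE output. This is DISA's own wording in a vendored reference file, so the hunk should stay verbatim, but please make sure the project's AIDE cron remediation and any template derived from this text keep invoking a real mail command rather than copying this line, and consider reporting the typo upstream to disa.stig_spt@mail.mil (the address given at the top of the benchmark).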
@@ -3368,14 +3368,14 @@ Verifying the authenticity of the software prior to installation validates the i gpgcheck=1 - + SRG-OS-000366-GPOS-00153 <GroupDescription></GroupDescription> - + RHEL-07-020060 The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. @@ -3399,7 +3399,7 @@ Verifying the authenticity of the software prior to installation validates the i localpkg_gpgcheck=1 - + @@ -3443,7 +3443,7 @@ Add or update the line: blacklist usb-storage - + @@ -3483,7 +3483,7 @@ Add or update the line: blacklist dccp - + @@ -3519,7 +3519,7 @@ Turn off the automount service with the following commands: If "autofs" is required for Network File System (NFS), it must be documented with the ISSO. - + @@ -3548,7 +3548,7 @@ Set the "clean_requirements_on_remove" option to "1" in the "/etc/yum.conf" file clean_requirements_on_remove=1 - + @@ -3578,7 +3578,7 @@ UMASK 077 - + @@ -3605,7 +3605,7 @@ Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Upgrade to a supported version of the operating system. - + @@ -3630,7 +3630,7 @@ Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Configure the system to define all GIDs found in the "/etc/passwd" file by modifying the "/etc/group" file to add any non-existent group referenced in the "/etc/passwd" file, or change the GIDs referenced in the "/etc/passwd" file to a group that exists in "/etc/group". - + 
@@ -3657,7 +3657,7 @@ Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned. - + @@ -3684,7 +3684,7 @@ If the account is associated with system commands or applications, the UID shoul CREATE_HOME yes - + @@ -3717,7 +3717,7 @@ Note: The example will be for the user smithj, who has a home directory of "/hom # chmod 0750 /home/smithj - + @@ -3742,7 +3742,7 @@ Note: The example will be for the user smithj, who has a home directory of "/hom Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS. - + @@ -3767,7 +3767,7 @@ Note: The example will be for the user smithj, who has a home directory of "/hom Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS. - + @@ -3794,7 +3794,7 @@ The only authorized public directories are those temporary directories supplied All directories in local partitions which are world-writable should be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this should be investigated. Following this, the directories should be deleted or assigned to an appropriate group. - + @@ -3821,7 +3821,7 @@ The only authorized public directories are those temporary directories supplied # chown root /etc/cron.allow - + @@ -3848,7 +3848,7 @@ The only authorized public directories are those temporary directories supplied # chgrp root /etc/cron.allow - + @@ -3873,7 +3873,7 @@ The only authorized public directories are those temporary directories supplied Migrate the "/home" directory onto a separate file system/partition. - + 
@@ -3898,7 +3898,7 @@ The only authorized public directories are those temporary directories supplied Migrate the "/var" path onto a separate file system. - + @@ -3922,7 +3922,7 @@ The only authorized public directories are those temporary directories supplied Migrate the system audit data path onto a separate file system. - + @@ -3953,14 +3953,14 @@ OR Edit the "/etc/fstab" file and ensure the "/tmp" directory is defined in the fstab with a device and mount point. - + SRG-OS-000033-GPOS-00014 <GroupDescription></GroupDescription> - + RHEL-07-021350 The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. <VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. @@ -4034,7 +4034,7 @@ If the file /etc/system-fips does not exists, recreate it: Reboot the system for the changes to take effect. - + @@ -4065,7 +4065,7 @@ Examples of non-essential capabilities include, but are not limited to, games, s # yum remove telnet-server - + 
@@ -4101,14 +4101,14 @@ Enable the auditd service with the following command: # systemctl start auditd.service - + SRG-OS-000046-GPOS-00022 <GroupDescription></GroupDescription> - + RHEL-07-030010 The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure. <VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. 
@@ -4129,37 +4129,37 @@ Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023</VulnDiscussion V-72081 SV-86705 CCI-000139 - Configure the operating system to shut down in the event of an audit processing failure. + Configure the operating system to shut down in the event of an audit processing failure. Add or correct the option to shut down the operating system with the following command: -# auditctl -f 2 + # auditctl -f 2 Edit the "/etc/audit/rules.d/audit.rules" file and add the following line: --f 2 + -f 2 If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command: -# auditctl -f 1 + # auditctl -f 1 Edit the "/etc/audit/rules.d/audit.rules" file and add the following line: --f 1 + -f 1 Kernel log monitoring must also be configured to properly alert designated staff. The audit daemon must be restarted for the changes to take effect. - + - + SRG-OS-000342-GPOS-00133 <GroupDescription></GroupDescription> - + RHEL-07-030201 The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited. <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -4191,14 +4191,14 @@ The audit daemon must be restarted for changes to take effect: # service auditd restart - + SRG-OS-000342-GPOS-00133 <GroupDescription></GroupDescription> - + RHEL-07-030210 The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full. <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
@@ -4227,14 +4227,14 @@ The audit daemon must be restarted for changes to take effect: # service auditd restart - + SRG-OS-000342-GPOS-00133 <GroupDescription></GroupDescription> - + RHEL-07-030211 The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server. <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -4263,14 +4263,14 @@ The audit daemon must be restarted for changes to take effect: # service auditd restart - + SRG-OS-000342-GPOS-00133 <GroupDescription></GroupDescription> - + RHEL-07-030300 The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited. <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -4293,14 +4293,14 @@ Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion Set the remote server option in "/etc/audisp/audisp-remote.conf" with the IP address of the log aggregation server. - + SRG-OS-000342-GPOS-00133 <GroupDescription></GroupDescription> - + RHEL-07-030310 The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited. <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -4325,14 +4325,14 @@ Uncomment the "enable_krb5" option in "/etc/audisp/audisp-remote.conf" and set i enable_krb5 = yes - + SRG-OS-000342-GPOS-00133 <GroupDescription></GroupDescription> - + RHEL-07-030320 The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full. <VulnDiscussion>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. 
@@ -4354,14 +4354,14 @@ Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.co disk_full_action = single - + SRG-OS-000342-GPOS-00133 <GroupDescription></GroupDescription> - + RHEL-07-030321 The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system. <VulnDiscussion>Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records. @@ -4383,14 +4383,14 @@ Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf network_failure_action = syslog - + SRG-OS-000343-GPOS-00134 <GroupDescription></GroupDescription> - + RHEL-07-030340 The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. <VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -4411,14 +4411,14 @@ Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" an space_left_action = email - + SRG-OS-000343-GPOS-00134 <GroupDescription></GroupDescription> - + RHEL-07-030350 The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. <VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -4441,7 +4441,7 @@ action_mail_acct = root - + @@ -4474,7 +4474,7 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -4514,7 +4514,7 @@ Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -4555,7 +4555,7 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -4596,7 +4596,7 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -4642,7 +4642,7 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + 
@@ -4680,7 +4680,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -4718,7 +4718,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -4756,7 +4756,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -4793,7 +4793,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -4830,7 +4830,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -4867,7 +4867,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -4906,7 +4906,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -4945,7 +4945,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -4984,7 +4984,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5023,7 +5023,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5062,7 +5062,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5102,7 +5102,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + 
@@ -5142,7 +5142,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5182,7 +5182,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5222,7 +5222,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5262,7 +5262,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5302,7 +5302,7 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5340,7 +5340,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5378,7 +5378,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5416,7 +5416,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5455,7 +5455,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5494,7 +5494,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5527,7 +5527,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5563,7 +5563,7 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + 
@@ -5602,7 +5602,7 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5639,7 +5639,7 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5675,7 +5675,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5713,7 +5713,7 @@ Add or update the following rule "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5749,7 +5749,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5785,7 +5785,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + @@ -5821,7 +5821,7 @@ Add or update the following file system rule in "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -5858,7 +5858,7 @@ The audit daemon must be restarted for the changes to take effect: # systemctl restart auditd - + @@ -5898,14 +5898,14 @@ Add the following rules in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect. - + SRG-OS-000027-GPOS-00008 <GroupDescription></GroupDescription> - + RHEL-07-040000 The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types. <VulnDiscussion>Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. 
@@ -5930,14 +5930,14 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con - + SRG-OS-000033-GPOS-00014 <GroupDescription></GroupDescription> - + RHEL-07-040110 The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. <VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. @@ -5971,7 +5971,7 @@ Ciphers aes256-ctr,aes192-ctr,aes128-ctr The SSH service must be restarted for changes to take effect. - + @@ -6006,14 +6006,14 @@ Create a script to enforce the inactivity timeout (for example /etc/profile.d/tm declare -xr TMOUT=900 - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-07-040201 The Red Hat Enterprise Linux operating system must implement virtual address space randomization. <VulnDiscussion>Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -6027,18 +6027,18 @@ declare -xr TMOUT=900 SV-92521 V-77825 CCI-000366 - Configure the operating system implement virtual address space randomization. + Configure the operating system implement virtual address space randomization. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -kernel.randomize_va_space = 2 + kernel.randomize_va_space = 2 Issue the following command to make the changes take effect: -# sysctl --system - + # sysctl --system + - + @@ -6074,7 +6074,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO # yum install openssh-server.x86_64 - + @@ -6111,7 +6111,7 @@ The SSH service must be restarted for changes to take effect. - + @@ -6142,7 +6142,7 @@ RhostsRSAAuthentication no The SSH service must be restarted for changes to take effect. - + @@ -6178,7 +6178,7 @@ ClientAliveCountMax 0 The SSH service must be restarted for changes to take effect. - + @@ -6207,7 +6207,7 @@ Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set IgnoreRhosts yes - + @@ -6238,7 +6238,7 @@ PrintLastLog yes The SSH service must be restarted for changes to "sshd_config" to take effect. - + @@ -6269,7 +6269,7 @@ PermitRootLogin no The SSH service must be restarted for changes to take effect. - + @@ -6300,14 +6300,14 @@ IgnoreUserKnownHosts yes The SSH service must be restarted for changes to take effect. - + SRG-OS-000074-GPOS-00042 <GroupDescription></GroupDescription> - + RHEL-07-040390 The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol. <VulnDiscussion>SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. 
@@ -6332,14 +6332,14 @@ Protocol 2 The SSH service must be restarted for changes to take effect. - + SRG-OS-000250-GPOS-00093 <GroupDescription></GroupDescription> - + RHEL-07-040400 The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. <VulnDiscussion>DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA. @@ -6363,7 +6363,7 @@ MACs hmac-sha2-512,hmac-sha2-256 The SSH service must be restarted for changes to take effect. - + @@ -6392,16 +6392,16 @@ Change the mode of public host key files under "/etc/ssh" to "0644" with the fol # chmod 0644 /etc/ssh/*.key.pub - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-07-040420 - The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0600 or less permissive. + The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive. <VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Red Hat Enterprise Linux 7 
@@ -6414,12 +6414,12 @@ Change the mode of public host key files under "/etc/ssh" to "0644" with the fol V-72257 SV-86881 CCI-000366 - Configure the mode of SSH private host key files under "/etc/ssh" to "0600" with the following command: + Configure the mode of SSH private host key files under "/etc/ssh" to "0640" with the following command: -# chmod 0600 /path/to/file/ssh_host*key - +# chmod 0640 /path/to/file/ssh_host*key + - + @@ -6453,7 +6453,7 @@ The SSH service must be restarted for changes to take effect. If GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO. - + @@ -6488,7 +6488,7 @@ The SSH service must be restarted for changes to take effect. If Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO. - + @@ -6517,7 +6517,7 @@ StrictModes yes The SSH service must be restarted for changes to take effect. - + @@ -6546,14 +6546,14 @@ UsePrivilegeSeparation sandbox The SSH service must be restarted for changes to take effect. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-07-040470 The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication. <VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -6567,14 +6567,14 @@ The SSH service must be restarted for changes to take effect. SV-86891 V-72267 CCI-000366 - Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no": + Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no": -Compression no + Compression no The SSH service must be restarted for changes to take effect. - + - + @@ -6602,7 +6602,7 @@ Add the following line to the top of "/etc/pam.d/postlogin": session required pam_lastlog.so showfailed - + @@ -6628,7 +6628,7 @@ session required pam_lastlog.so showfailed # rm /[path]/[to]/[file]/.shosts - + 
@@ -6654,14 +6654,14 @@ session required pam_lastlog.so showfailed # rm /[path]/[to]/[file]/shosts.equiv - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-07-040610 The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets. <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -6676,24 +6676,24 @@ session required pam_lastlog.so showfailed V-72283 SV-86907 CCI-000366 - Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): + Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.conf.all.accept_source_route = 0 + net.ipv4.conf.all.accept_source_route = 0 Issue the following command to make the changes take effect: -# sysctl -system - + # sysctl -system + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-07-040620 The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -6708,24 +6708,24 @@ Issue the following command to make the changes take effect: V-72285 SV-86909 CCI-000366 - Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): + Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.conf.default.accept_source_route = 0 + net.ipv4.conf.default.accept_source_route = 0 Issue the following command to make the changes take effect: -# sysctl --system - + # sysctl --system + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-07-040630 The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. <VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -6740,24 +6740,24 @@ Issue the following command to make the changes take effect: V-72287 SV-86911 CCI-000366 - Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): + Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.icmp_echo_ignore_broadcasts = 1 + net.ipv4.icmp_echo_ignore_broadcasts = 1 Issue the following command to make the changes take effect: -# sysctl --system - + # sysctl --system + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-07-040640 The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -6772,24 +6772,24 @@ Issue the following command to make the changes take effect: SV-86913 V-72289 CCI-000366 - Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): + Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.conf.default.accept_redirects = 0 + net.ipv4.conf.default.accept_redirects = 0 Issue the following command to make the changes take effect: -# sysctl --system - + # sysctl --system + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-07-040641 The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -6804,24 +6804,24 @@ Issue the following command to make the changes take effect: SV-87827 V-73175 CCI-000366 - Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): + Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.conf.all.accept_redirects = 0 + net.ipv4.conf.all.accept_redirects = 0 Issue the following command to make the changes take effect: -# sysctl --system - + # sysctl --system + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-07-040650 The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -6836,25 +6836,25 @@ Issue the following command to make the changes take effect: V-72291 SV-86915 CCI-000366 - Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. + Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.conf.default.send_redirects = 0 + net.ipv4.conf.default.send_redirects = 0 Issue the following command to make the changes take effect: -# sysctl --system - + # sysctl --system + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-07-040660 The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -6869,18 +6869,18 @@ Issue the following command to make the changes take effect: V-72293 SV-86917 CCI-000366 - Configure the system to not allow interfaces to perform IPv4 ICMP redirects. + Configure the system to not allow interfaces to perform IPv4 ICMP redirects. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.conf.all.send_redirects = 0 + net.ipv4.conf.all.send_redirects = 0 Issue the following command to make the changes take effect: -# sysctl --system - + # sysctl --system + - + @@ -6906,7 +6906,7 @@ Issue the following command to make the changes take effect: # yum remove vsftpd - + @@ -6937,7 +6937,7 @@ Issue the following command to make the changes take effect: # yum remove tftp-server - + @@ -6970,7 +6970,7 @@ The SSH service must be restarted for changes to take effect: # systemctl restart sshd - + @@ -7003,14 +7003,14 @@ $ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-ut A reboot is required for the changes to take effect. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-07-040740 The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router. <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -7025,16 +7025,16 @@ A reboot is required for the changes to take effect. SV-86933 V-72309 CCI-000366 - Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): + Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.ip_forward = 0 + net.ipv4.ip_forward = 0 Issue the following command to make the changes take effect: -# sysctl --system - + # sysctl --system + - + @@ -7059,14 +7059,14 @@ Issue the following command to make the changes take effect: If the "/etc/snmp/snmpd.conf" file exists, modify any lines that contain a community string value of "public" or "private" to another string value. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-07-040830 The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets. <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -7081,17 +7081,17 @@ Issue the following command to make the changes take effect: V-72319 SV-86943 CCI-000366 - Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): + Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv6.conf.all.accept_source_route = 0 + net.ipv6.conf.all.accept_source_route = 0 Issue the following command to make the changes take effect: -# sysctl --system - + # sysctl --system + - + @@ -7131,7 +7131,7 @@ Install the pam_pkcs11 package with the following command: # yum install pam_pkcs11 - + @@ -7170,7 +7170,7 @@ Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPO Modify all of the services lines in "/etc/sssd/sssd.conf" or in configuration files found under "/etc/sssd/conf.d" to include pam. - + @@ -7208,7 +7208,7 @@ Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPO Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on". - + @@ -7245,7 +7245,7 @@ Alternatively, the package can be reinstalled from trusted media using the comma # sudo rpm -Uvh <packagename> - + 
@@ -7269,14 +7269,14 @@ ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-07-010342 The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo". <VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. @@ -7289,17 +7289,17 @@ For more information on each of the listed configurations, reference the sudoers 2899 CCI-002227 - Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: -Defaults !targetpw -Defaults !rootpw -Defaults !runaspw + Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: + Defaults !targetpw + Defaults !rootpw + Defaults !runaspw Remove any configurations that conflict with the above from the following locations: -/etc/sudoers -/etc/sudoers.d/ - + /etc/sudoers + /etc/sudoers.d/ + - + @@ -7333,18 +7333,18 @@ Note: The "[value]" must be a number that is greater than or equal to "0". Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files. - + - + repotool 5.10 - 2022-09-28T11:12:03 + 2022-12-30T20:07:06 @@ -7445,9 +7445,9 @@ Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ - + - RHEL-07-040420 - The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0600 or less permissive. + RHEL-07-040420 - The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive. Red Hat Enterprise Linux 7 
@@ -7546,7 +7546,7 @@ Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ - + Disable Compression Or Set Compression to delayed @@ -7556,9 +7556,10 @@ Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ SSH should either have compression disabled or set to delayed. - + + @@ -7773,7 +7774,7 @@ If the value is set to an integer less than 0, the user's time stamp will not ex - + Kernel "net.ipv4.conf.all.accept_redirects" Parameter Configuration Check @@ -7782,11 +7783,8 @@ If the value is set to an integer less than 0, the user's time stamp will not ex The kernel "net.ipv4.conf.all.accept_redirects" parameter should be set to the appropriate value in the system configuration. - - - - - + + @@ -7802,7 +7800,7 @@ If the value is set to an integer less than 0, the user's time stamp will not ex - + Kernel "net.ipv4.conf.all.accept_source_route" Parameter Configuration and Runtime Check 
@@ -7813,125 +7811,38 @@ If the value is set to an integer less than 0, the user's time stamp will not ex The "net.ipv4.conf.all.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime. - - + + - + - Kernel "net.ipv4.conf.all.accept_source_route" Parameter Configuration Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv4.conf.all.accept_source_route" parameter should be set to the appropriate value in the system configuration. - - - - - - - - - - - - Kernel "net.ipv4.conf.all.accept_source_route" Parameter Runtime Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv4.conf.all.accept_source_route" parameter should be set to the appropriate value in system runtime. - - - - - - - - - Kernel "net.ipv4.conf.all.send_redirects" Parameter Configuration and Runtime Check + The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. Red Hat Enterprise Linux 7 - The "net.ipv4.conf.all.send_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. - - - - - - - - - Kernel "net.ipv4.conf.all.send_redirects" Parameter Configuration Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv4.conf.all.send_redirects" parameter should be set to "0" in the system configuration. - - - - - - - - - - - - Kernel "net.ipv4.conf.all.send_redirects" Parameter Runtime Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv4.conf.all.send_redirects" parameter should be set to "0" in system runtime. - + ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. 
- + + - + - Kernel "net.ipv4.conf.default.accept_redirects" Parameter Configuration and Runtime Check + The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. Red Hat Enterprise Linux 7 - The "net.ipv4.conf.default.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime. + ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - - - - - - - Kernel "net.ipv4.conf.default.accept_redirects" Parameter Configuration Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv4.conf.default.accept_redirects" parameter should be set to the appropriate value in the system configuration. - - - - - - - - - - - - Kernel "net.ipv4.conf.default.accept_redirects" Parameter Runtime Check - - Red Hat Enterprise Linux 7 - - The kernel "net.ipv4.conf.default.accept_redirects" parameter should be set to the appropriate value in system runtime. - - - - + + @@ -7949,7 +7860,7 @@ If the value is set to an integer less than 0, the user's time stamp will not ex - + Kernel "net.ipv4.conf.default.accept_source_route" Parameter Configuration Check @@ -7958,11 +7869,8 @@ If the value is set to an integer less than 0, the user's time stamp will not ex The kernel "net.ipv4.conf.default.accept_source_route" parameter should be set to the appropriate value in the system configuration. - - - - - + + @@ -7993,7 +7901,7 @@ If the value is set to an integer less than 0, the user's time stamp will not ex - + Kernel "net.ipv4.conf.default.send_redirects" Parameter Configuration Check 
@@ -8002,11 +7910,8 @@ If the value is set to an integer less than 0, the user's time stamp will not ex The kernel "net.ipv4.conf.default.send_redirects" parameter should be set to "0" in the system configuration. - - - - - + + @@ -8037,7 +7942,7 @@ If the value is set to an integer less than 0, the user's time stamp will not ex - + Kernel "net.ipv4.icmp_echo_ignore_broadcasts" Parameter Configuration Check @@ -8046,11 +7951,8 @@ If the value is set to an integer less than 0, the user's time stamp will not ex The kernel "net.ipv4.icmp_echo_ignore_broadcasts" parameter should be set to the appropriate value in the system configuration. - - - - - + + @@ -8081,7 +7983,7 @@ If the value is set to an integer less than 0, the user's time stamp will not ex - + Kernel "net.ipv4.ip_forward" Parameter Configuration Check @@ -8090,11 +7992,8 @@ If the value is set to an integer less than 0, the user's time stamp will not ex The kernel "net.ipv4.ip_forward" parameter should be set to "0" in the system configuration. - - - - - + + @@ -8146,7 +8045,7 @@ If the value is set to an integer less than 0, the user's time stamp will not ex - + Kernel "net.ipv6.conf.all.accept_source_route" Parameter Configuration Check @@ -8155,11 +8054,8 @@ If the value is set to an integer less than 0, the user's time stamp will not ex The kernel "net.ipv6.conf.all.accept_source_route" parameter should be set to the appropriate value in the system configuration. - - - - - + + @@ -10366,7 +10262,7 @@ By specifying a cipher list with the order of ciphers being in a "strongest to w - + Kernel "net.ipv6.conf.all.disable_ipv6" Parameter Configuration Check @@ -10376,11 +10272,8 @@ By specifying a cipher list with the order of ciphers being in a "strongest to w The kernel "net.ipv6.conf.all.disable_ipv6" parameter should be set to "1" in the system configuration. - - - - - + + 
@@ -10760,7 +10653,7 @@ This requirement only applies to components where this is specific to the functi - + RHEL-07-040201 - The Red Hat Enterprise Linux operating system must implement virtual address space randomization. @@ -10768,14 +10661,9 @@ This requirement only applies to components where this is specific to the functi Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques. - - - - - - - - + + + @@ -11021,19 +10909,15 @@ The ability to enable/disable a session lock is given to the user by default. Di - + - - - - - + - + @@ -11057,137 +10941,37 @@ The ability to enable/disable a session lock is given to the user by default. Di - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - + + - - - - - - - - - - - - + - - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - + + + - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - + + + @@ -12063,15 +11847,6 @@ The ability to enable/disable a session lock is given to the user by default. Di - - - - - - - - - @@ -12100,6 +11875,13 @@ The ability to enable/disable a session lock is given to the user by default. Di + + + + + + + @@ -12132,6 +11914,14 @@ The ability to enable/disable a session lock is given to the user by default. Di + + + + + + + + @@ -12370,24 +12160,14 @@ The ability to enable/disable a session lock is given to the user by default. Di - + - - - - - - - - - + + - - - - + 
@@ -12619,183 +12399,58 @@ The ability to enable/disable a session lock is given to the user by default. Di ^\s*net\.ipv4\.conf\.all\.accept_redirects[\s]*=[\s]*(\d+)\s*$ 1 - - /etc/sysctl.d - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.all\.accept_redirects[\s]*=[\s]*(\d+)\s*$ - 1 - - - /run/sysctl.d - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.all\.accept_redirects[\s]*=[\s]*(\d+)\s*$ - 1 - - - /usr/lib/sysctl.d - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.all\.accept_redirects[\s]*=[\s]*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.ipv4\.conf\.all\.accept_source_route[\s]*=[\s]*(\d+)\s*$ - 1 - - - /etc/sysctl.d - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.all\.accept_source_route[\s]*=[\s]*(\d+)\s*$ - 1 - - - /run/sysctl.d - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.all\.accept_source_route[\s]*=[\s]*(\d+)\s*$ - 1 - - - /usr/lib/sysctl.d - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.all\.accept_source_route[\s]*=[\s]*(\d+)\s*$ - 1 - - + /etc/sysctl.conf - ^[\s]*net\.ipv4\.conf\.all\.send_redirects[\s]*=[\s]*0[\s]*$ + (?:^|\.*\n)\s*net\.ipv4\.conf\.all\.send_redirects\s*=\s*(\d+)\s*$ 1 - - /etc/sysctl.d - ^.*\.conf$ - ^[\s]*net\.ipv4\.conf\.all\.send_redirects[\s]*=[\s]*0[\s]*$ - 1 - - - /run/sysctl.d - ^.*\.conf$ - ^[\s]*net\.ipv4\.conf\.all\.send_redirects[\s]*=[\s]*0[\s]*$ - 1 + + + \.conf$ + (?:^|\.*\n)\s*net\.ipv4\.conf\.all\.send_redirects\s*=\s*(\d+)\s*$ + 1 - - /usr/lib/sysctl.d - ^.*\.conf$ - ^[\s]*net\.ipv4\.conf\.all\.send_redirects[\s]*=[\s]*0[\s]*$ - 1 + + + oval:mil.disa.stig.rhel7:obj:2246 + oval:mil.disa.stig.rhel7:obj:2247 + - + /etc/sysctl.conf - ^\s*net\.ipv4\.conf\.default\.accept_redirects[\s]*=[\s]*(\d+)\s*$ + (?:^|\.*\n)\s*net\.ipv4\.conf\.default\.accept_redirects\s*=\s*(\d+)\s*$ 1 - - /etc/sysctl.d + + ^.*\.conf$ - ^\s*net\.ipv4\.conf\.default\.accept_redirects[\s]*=[\s]*(\d+)\s*$ + (?:^|\.*\n)\s*net\.ipv4\.conf\.default\.accept_redirects\s*=\s*(\d+)\s*$ 1 - - /run/sysctl.d - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.default\.accept_redirects[\s]*=[\s]*(\d+)\s*$ - 1 - - - /usr/lib/sysctl.d - 
^.*\.conf$ - ^\s*net\.ipv4\.conf\.default\.accept_redirects[\s]*=[\s]*(\d+)\s*$ - 1 + + + oval:mil.disa.stig.rhel7:obj:2250 + oval:mil.disa.stig.rhel7:obj:2252 + /etc/sysctl.conf ^\s*net\.ipv4\.conf\.default\.accept_source_route[\s]*=[\s]*(\d+)\s*$ 1 - - /etc/sysctl.d - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.default\.accept_source_route[\s]*=[\s]*(\d+)\s*$ - 1 - - - /run/sysctl.d - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.default\.accept_source_route[\s]*=[\s]*(\d+)\s*$ - 1 - - - /usr/lib/sysctl.d - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.default\.accept_source_route[\s]*=[\s]*(\d+)\s*$ - 1 - - + /etc/sysctl.conf - ^[\s]*net\.ipv4\.conf\.default\.send_redirects[\s]*=[\s]*0[\s]*$ - 1 - - - /etc/sysctl.d - ^.*\.conf$ - ^[\s]*net\.ipv4\.conf\.default\.send_redirects[\s]*=[\s]*0[\s]*$ - 1 - - - /run/sysctl.d - ^.*\.conf$ - ^[\s]*net\.ipv4\.conf\.default\.send_redirects[\s]*=[\s]*0[\s]*$ - 1 - - - /usr/lib/sysctl.d - ^.*\.conf$ - ^[\s]*net\.ipv4\.conf\.default\.send_redirects[\s]*=[\s]*0[\s]*$ - 1 + ^[\s]*net\.ipv4\.conf\.default\.send_redirects[\s]*=[\s]*(\d+)[\s]*$ + 1 /etc/sysctl.conf ^\s*net\.ipv4\.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)\s*$ 1 - - /etc/sysctl.d - ^.*\.conf$ - ^\s*net\.ipv4\.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)\s*$ - 1 - - - /run/sysctl.d - ^.*\.conf$ - ^\s*net\.ipv4\.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)\s*$ - 1 - - - /usr/lib/sysctl.d - ^.*\.conf$ - ^\s*net\.ipv4\.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)\s*$ - 1 - - + /etc/sysctl.conf - ^[\s]*net\.ipv4\.ip_forward[\s]*=[\s]*0[\s]*$ - 1 - - - /etc/sysctl.d - ^.*\.conf$ - ^[\s]*net\.ipv4\.ip_forward[\s]*=[\s]*0[\s]*$ - 1 - - - /run/sysctl.d - ^.*\.conf$ - ^[\s]*net\.ipv4\.ip_forward[\s]*=[\s]*0[\s]*$ - 1 - - - /usr/lib/sysctl.d - ^.*\.conf$ - ^[\s]*net\.ipv4\.ip_forward[\s]*=[\s]*0[\s]*$ + ^[\s]*net\.ipv4\.ip_forward[\s]*=[\s]*(\d+)[\s]*$ 1 
@@ -12803,24 +12458,6 @@ The ability to enable/disable a session lock is given to the user by default. Di ^\s*net\.ipv6\.conf\.all\.accept_source_route[\s]*=[\s]*(\d+)\s*$ 1 - - /etc/sysctl.d - ^.*\.conf$ - ^\s*net\.ipv6\.conf\.all\.accept_source_route[\s]*=[\s]*(\d+)\s*$ - 1 - - - /run/sysctl.d - ^.*\.conf$ - ^\s*net\.ipv6\.conf\.all\.accept_source_route[\s]*=[\s]*(\d+)\s*$ - 1 - - - /usr/lib/sysctl.d - ^.*\.conf$ - ^\s*net\.ipv6\.conf\.all\.accept_source_route[\s]*=[\s]*(\d+)\s*$ - 1 - /etc/default/useradd ^\s*INACTIVE\s*=\s*(\d+)\s*$ @@ -14255,24 +13892,6 @@ The ability to enable/disable a session lock is given to the user by default. Di ^[\s]*net\.ipv6\.conf\.all\.disable_ipv6[\s]*=[\s]*1[\s]*$ 1 - - /etc/sysctl.d - ^.*\.conf$ - ^[\s]*net\.ipv6\.conf\.all\.disable_ipv6[\s]*=[\s]*1[\s]*$ - 1 - - - /run/sysctl.d - ^.*\.conf$ - ^[\s]*net\.ipv6\.conf\.all\.disable_ipv6[\s]*=[\s]*1[\s]*$ - 1 - - - /usr/lib/sysctl.d - ^.*\.conf$ - ^[\s]*net\.ipv6\.conf\.all\.disable_ipv6[\s]*=[\s]*1[\s]*$ - 1 - @@ -14401,6 +14020,23 @@ The ability to enable/disable a session lock is given to the user by default. Di oval:mil.disa.stig.rhel7:obj:17901 + + + \.conf$ + (?:^|\.*\n)\s*net\.ipv4\.conf\.all\.accept_source_route\s*=\s*(\d+)\s*$ + 1 + + + /etc/sysctl.conf + (?:^|.*\n)\s*net\.ipv4\.conf\.all\.accept_source_route\s*=\s*(\d+)\s*$ + 1 + + + + oval:mil.disa.stig.rhel7:obj:25101 + oval:mil.disa.stig.rhel7:obj:25102 + + /etc/audit/rules.d .*\.rules$ 
@@ -14735,33 +14371,26 @@ The ability to enable/disable a session lock is given to the user by default. Di ^\s*ExecStart=([^\n#]+)$ 1 - - /etc/sysctl.conf + + kernel.randomize_va_space + + + + \.conf$ ^\s*kernel\.randomize_va_space\s*=\s*(\d+)\s*$ 1 - - - /etc/sysctl.d - ^.+\.conf$ + + /etc/sysctl.conf ^\s*kernel\.randomize_va_space\s*=\s*(\d+)\s*$ 1 - - - oval:mil.disa.stig.rhel7:obj:9252100 - oval:mil.disa.stig.rhel7:ste:9252100 - - - - + + oval:mil.disa.stig.rhel7:obj:9252101 - oval:mil.disa.stig.rhel7:ste:9252100 + oval:mil.disa.stig.rhel7:obj:9252102 - - kernel.randomize_va_space - /etc/dconf/db/ @@ -14886,6 +14515,78 @@ The ability to enable/disable a session lock is given to the user by default. Di (?i)^\s*name_format[ ]*=[ ]*([\w]+)\s* 1 + + + oval:mil.disa.stig.rhel7:obj:2255 + oval:mil.disa.stig.rhel7:obj:20461201 + + + + + ^.*\.conf$ + ^\s*net\.ipv4\.conf\.default\.accept_source_route[\s]*=[\s]*(\d+)\s*$ + 1 + + + + oval:mil.disa.stig.rhel7:obj:2279 + oval:mil.disa.stig.rhel7:obj:20461301 + + + + + ^.*\.conf$ + (?:^|.*\n)\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*(\d+)\s*$ + 1 + + + + oval:mil.disa.stig.rhel7:obj:2221 + oval:mil.disa.stig.rhel7:obj:20461501 + + + + + ^.*\.conf$ + ^\s*net\.ipv4\.conf\.all\.accept_redirects[\s]*=[\s]*(\d+)\s*$ + 1 + + + + oval:mil.disa.stig.rhel7:obj:2275 + oval:mil.disa.stig.rhel7:obj:20461601 + + + + + ^.*\.conf$ + ^[\s]*net\.ipv4\.conf\.default\.send_redirects[\s]*=[\s]*(\d+)[\s]*$ + 1 + + + + oval:mil.disa.stig.rhel7:obj:2289 + oval:mil.disa.stig.rhel7:obj:20462501 + + + + + ^.*\.conf$ + ^[\s]*net\.ipv4\.ip_forward[\s]*=[\s]*(\d+)[\s]*$ + 1 + + + + oval:mil.disa.stig.rhel7:obj:2308 + oval:mil.disa.stig.rhel7:obj:20463001 + + + + + \.conf$ + ^\s*net\.ipv6\.conf\.all\.accept_source_route[\s]*=[\s]*(\d+)\s*$ + 1 + @@ -14915,12 +14616,11 @@ The ability to enable/disable a session lock is given to the user by default. Di 0 - + false false false false - false false false false 
@@ -14943,20 +14643,14 @@ The ability to enable/disable a session lock is given to the user by default. Di ^hmac-sha2-512,hmac-sha2-256$ - - - - - - 0 - - + + 0 - - + + 0 0 @@ -14970,23 +14664,14 @@ The ability to enable/disable a session lock is given to the user by default. Di - - - - - - - - - - - + + 0 - - + + 0 - - + + 1 35 @@ -15122,6 +14807,15 @@ The ability to enable/disable a session lock is given to the user by default. Di 0 + + 0 + + + 0 + + + 0 + 0 @@ -15191,6 +14885,12 @@ The ability to enable/disable a session lock is given to the user by default. Di 7.1 + + 7.2 + + + 7.3 + /bin/true @@ -15293,12 +14993,12 @@ The ability to enable/disable a session lock is given to the user by default. Di ['"; ]*\/usr\/sbin\/sulogin['"; ]* - - 2 - - + 2 + + 2 + @@ -15320,6 +15020,12 @@ The ability to enable/disable a session lock is given to the user by default. Di (?i)^hostname|fqd|numeric$ + + 0 + + + 0 + @@ -15353,6 +15059,34 @@ The ability to enable/disable a session lock is given to the user by default. Di /boot/grub2/grub.cfg /boot/efi/EFI/redhat/grub.cfg + + /etc/sysctl.d + /run/sysctl.d + /lib/sysctl.d + /usr/lib/sysctl.d + /usr/local/lib/sysctl.d + + + /etc/sysctl.d + /run/sysctl.d + /lib/sysctl.d + /usr/lib/sysctl.d + /usr/local/lib/sysctl.d + + + /etc/sysctl.d + /run/sysctl.d + /lib/sysctl.d + /usr/lib/sysctl.d + /usr/local/lib/sysctl.d + + + /etc/sysctl.d + /run/sysctl.d + /lib/sysctl.d + /usr/lib/sysctl.d + /usr/local/lib/sysctl.d + @@ -15402,6 +15136,13 @@ The ability to enable/disable a session lock is given to the user by default. Di /locks + + /etc/sysctl.d + /run/sysctl.d + /usr/local/lib/sysctl.d + /usr/lib/sysctl.d + /lib/sysctl.d + @@ -15416,12 +15157,12 @@ The ability to enable/disable a session lock is given to the user by default. Di - + repotool 5.10 - 2022-09-28T11:12:03 + 2022-12-30T20:07:06 From c85fc395a12485378758c659142b7cea0cf810de Mon Sep 17 00:00:00 2001 
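Review bot: the new patterns in the 12619 hunk for net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.accept_redirects use `(?:^|\.*\n)`, where `\.*` only matches a run of literal dots, while the patterns added in the 14401 hunk (net.ipv4.conf.all.accept_source_route in /etc/sysctl.conf) and the 14886 hunk (net.ipv4.icmp_echo_ignore_broadcasts) use `(?:^|.*\n)`; the three forms are meant to be the same alternative and one of them is a typo upstream. The icmp_echo_ignore_broadcasts pattern also leaves the dots in `net.ipv4.icmp_echo_ignore_broadcasts` unescaped, which over-matches harmlessly but is inconsistent with the escaped form used for every other key in this file. Since this file mirrors the DISA release, the fix belongs upstream rather than in this PR, but these patterns should not be copied into the project's own OVAL without correction, and a comparison run against a sysctl.conf that has the key on the first line is a cheap way to confirm the `^` alternative is the one actually doing the work.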
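Review bot: the 7445 hunk changes the RHEL-07-040420 title from "mode 0600 or less permissive" to "mode 0640 or less permissive" for SSH private host key files, which is a substantive relaxation of the requirement (RHEL 7 ships the host keys as root:ssh_keys with mode 0640, so V3R10 now accepts the vendor default) and not a wording edit. The visible patches 1/3 and 3/3 only replace the reference file and bump profile version strings, so confirm that the project's rule for SSH private host key permissions, its OVAL state and its remediation are aligned to 0640 (ideally together with the group-ownership expectation, since 0640 is only safe when the group is the restricted ssh_keys group); otherwise the content stays stricter than the benchmark the profile says it aligns with.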
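Review bot: the directory lists added in the 15353 and 15402 hunks enumerate /etc/sysctl.d, /run/sysctl.d, /lib/sysctl.d, /usr/lib/sysctl.d and /usr/local/lib/sysctl.d, whereas the objects deleted in the 12619, 12803 and 14255 hunks only covered /etc/sysctl.d, /run/sysctl.d and /usr/lib/sysctl.d. On RHEL 7 /lib is a symlink to /usr/lib, so /lib/sysctl.d and /usr/lib/sysctl.d yield the same files twice; if the merged definitions use a count-based existence check on the collected items, a single drop-in file will be counted twice. The objects also only collect values and do not model sysctl --system precedence, so whether a later-applied drop-in containing `= 1` is caught when /etc/sysctl.conf says `= 0` depends on state semantics that are not visible here; a test with exactly that pair of files would settle it before the reference is used to judge SSG results.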
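Review bot: the 7813 hunk deletes the separate "Configuration Check" and "Runtime Check" definitions for net.ipv4.conf.all.accept_source_route, net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.accept_redirects and replaces them with single definitions whose titles now repeat the rule titles; the surviving lines do not show whether the runtime (current sysctl value) criterion is still part of the merged definitions. That matters for anyone comparing scan results between this benchmark and the project's content, where a system whose configuration files are correct but whose running value has drifted is reported as a failure; worth a quick scan of one such system with both to confirm the outcomes still agree.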
From: Watson Sato Date: Wed, 18 Jan 2023 14:15:20 +0100 Subject: [PATCH 3/3] Update RHEL7 STIG to V3R10 --- products/rhel7/profiles/stig.profile | 4 ++-- products/rhel7/profiles/stig_gui.profile | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile index 2cbdb979c0d..190ed325ef3 100644 --- a/products/rhel7/profiles/stig.profile +++ b/products/rhel7/profiles/stig.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V3R9 + version: V3R10 SMEs: - ggbecker @@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 7' description: |- This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux V3R9. + DISA STIG for Red Hat Enterprise Linux V3R10. In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this configuration baseline as applicable to the operating system tier of diff --git a/products/rhel7/profiles/stig_gui.profile b/products/rhel7/profiles/stig_gui.profile index e4356140dbf..cb8a23aa168 100644 --- a/products/rhel7/profiles/stig_gui.profile +++ b/products/rhel7/profiles/stig_gui.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V3R9 + version: V3R10 SMEs: - ggbecker @@ -11,7 +11,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 7' description: |- This profile contains configuration checks that align to the - DISA STIG with GUI for Red Hat Enterprise Linux V3R9. + DISA STIG with GUI for Red Hat Enterprise Linux V3R10. In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this configuration baseline as applicable to the operating system tier of
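Review bot: both profile hunks change only the version string from V3R9 to V3R10, but V3R10 changes at least one requirement visible in patch 1/3 (the SSH host key mode in RHEL-07-040420), so bumping the version without touching selections or variables implies the corresponding content adjustments live elsewhere (patch 2/3 is not shown in this series view); confirm that, and consider listing the substantive V3R10 changes in the commit message rather than only the version number. Small nit while the line is being touched: the description reads "DISA STIG for Red Hat Enterprise Linux V3R10" while the title says "Red Hat Enterprise Linux 7"; adding the "7" would match the title and the benchmark name.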