From 180e55bd481a8eab8c5815c8b868f4a15a722af3 Mon Sep 17 00:00:00 2001 From: Federico Ramirez Date: Wed, 18 Jan 2023 17:58:46 -0600 Subject: [PATCH 1/5] OL7 STIG v2r10 update Bump version on both stig and stig_gui OL7 profiles to v2r10 Update the XCCDF manual reference Add rule package_screen_installed to OL7 stig profile Signed-off-by: Federico Ramirez --- products/ol7/profiles/stig.profile | 3 +- products/ol7/profiles/stig_gui.profile | 2 +- ...l => disa-stig-ol7-v2r10-xccdf-manual.xml} | 959 ++++++++++-------- 3 files changed, 552 insertions(+), 412 deletions(-) rename shared/references/{disa-stig-ol7-v2r9-xccdf-manual.xml => disa-stig-ol7-v2r10-xccdf-manual.xml} (84%) diff --git a/products/ol7/profiles/stig.profile b/products/ol7/profiles/stig.profile index 7370b5dcf84..3e00f3aae68 100644 --- a/products/ol7/profiles/stig.profile +++ b/products/ol7/profiles/stig.profile @@ -4,7 +4,7 @@ title: 'DISA STIG for Oracle Linux 7' description: |- This profile contains configuration checks that align to the - DISA STIG for Oracle Linux V2R9. + DISA STIG for Oracle Linux V2R10. selections: - login_banner_text=dod_banners @@ -332,3 +332,4 @@ selections: - auditd_audispd_remote_daemon_path - auditd_audispd_remote_daemon_type - account_emergency_expire_date + - package_screen_installed diff --git a/products/ol7/profiles/stig_gui.profile b/products/ol7/profiles/stig_gui.profile index 089a2252ee3..6091a48bb68 100644 --- a/products/ol7/profiles/stig_gui.profile +++ b/products/ol7/profiles/stig_gui.profile @@ -4,7 +4,7 @@ title: 'DISA STIG with GUI for Oracle Linux 7' description: |- This profile contains configuration checks that align to the - DISA STIG with GUI for Oracle Linux V2R9. + DISA STIG with GUI for Oracle Linux V2R10. Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. If diff --git a/shared/references/disa-stig-ol7-v2r9-xccdf-manual.xml b/shared/references/disa-stig-ol7-v2r10-xccdf-manual.xml similarity index 84% rename from shared/references/disa-stig-ol7-v2r9-xccdf-manual.xml rename to shared/references/disa-stig-ol7-v2r10-xccdf-manual.xml index 45b7a095606..6fdab3881a1 100644 --- a/shared/references/disa-stig-ol7-v2r9-xccdf-manual.xml +++ b/shared/references/disa-stig-ol7-v2r10-xccdf-manual.xml @@ -1,27 +1,29 @@ -acceptedOracle Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 9 Benchmark Date: 27 Oct 20223.4.0.342221.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>OL07-00-010010The Oracle Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.<VulnDiscussion>Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. +acceptedOracle Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 10 Benchmark Date: 26 Jan 20233.4.0.342221.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>OL07-00-010010The Oracle Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.<VulnDiscussion>Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. -Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99045SV-108149CCI-001494CCI-001496Run the following command to determine which package owns the file: +Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99045SV-108149CCI-001494CCI-001496Run the following command to determine which package owns the file: -# rpm -qf <filename> + # rpm -qf <filename> Reset the user and group ownership of files within a package with the following command: -# rpm --setugids <packagename> + # rpm --setugids <packagename> Reset the permissions of files within a package with the following command: -# rpm --setperms <packagename>Verify the file permissions, ownership, and group membership of system files and commands match the vendor values. + # rpm --setperms <packagename>Verify the file permissions, ownership, and group membership of system files and commands match the vendor values. Check the default file permissions, ownership, and group membership of system files and commands with the following command: -# for i in `rpm -Va | egrep '^.{1}M|^.{5}U|^.{6}G' | cut -d " " -f 4,5`;do for j in `rpm -qf $i`;do rpm -ql $j --dump | cut -d " " -f 1,5,6,7 | grep $i;done;done -/var/log/gdm 040755 root root -/etc/audisp/audisp-remote.conf 0100640 root root -/usr/bin/passwd 0104755 root root + # for i in `rpm -Va | grep -E '^.{1}M|^.{5}U|^.{6}G' | cut -d " " -f 4,5`;do for j in `rpm -qf $i`;do rpm -ql $j --dump | cut -d " " -f 1,5,6,7 | grep $i;done;done + + /var/log/gdm 040755 root root + /etc/audisp/audisp-remote.conf 0100640 root root + /usr/bin/passwd 0104755 root root For each file returned, verify the current permissions, ownership, and group membership: -# ls -la <filename> --rw-------. 1 root root 133 Jan 11 13:25 /etc/audisp/audisp-remote.conf + # ls -la <filename> + + -rw-------. 1 root root 2017 Nov 1 10:03 /etc/audisp/audisp-remote.conf If the file is more permissive than the default permissions, this is a finding. @@ -202,35 +204,35 @@ By using this IS (which includes any device attached to this IS), you consent to If the operating system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. -If the text in the "/etc/issue" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>OL07-00-010060The Oracle Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +If the text in the "/etc/issue" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>OL07-00-010060The Oracle Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. -Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108159V-99055CCI-000056CCI-000058Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures. +Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108159V-99055CCI-000056CCI-000058Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following example: -# touch /etc/dconf/db/local.d/00-screensaver + # touch /etc/dconf/db/local.d/00-screensaver Edit the "[org/gnome/desktop/screensaver]" section of the database file and add or update the following lines: -# Set this to true to lock the screen when the screensaver activates -lock-enabled=true + # Set this to true to lock the screen when the screensaver activates + lock-enabled=true Update the system databases: -# dconf update + # dconf update -Users must log out and then log in again before the system-wide settings take effect.Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. The screen program must be installed to lock sessions on the console. +Users must log out and then log in again before the system-wide settings take effect.Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. Note: If the system does not have GNOME installed, this requirement is Not Applicable. Check to see if the screen lock is enabled with the following command: -# grep -i lock-enabled /etc/dconf/db/local.d/* -lock-enabled=true + # grep -i lock-enabled /etc/dconf/db/local.d/* + lock-enabled=true If the "lock-enabled" setting is missing or is not set to "true", this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>OL07-00-010061The Oracle Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.<VulnDiscussion>To assure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system. @@ -266,210 +268,202 @@ Note: The example is using the database local for the system, so the path is "/e enable-smartcard-authentication=true -If "enable-smartcard-authentication" is set to "false" or the keyword is missing, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL07-00-010062The Oracle Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +If "enable-smartcard-authentication" is set to "false" or the keyword is missing, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL07-00-010062The Oracle Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. -The ability to enable/disable a session lock is given to the user by default. Disabling the user’s ability to disengage the graphical user interface session lock ensures all sessions will lock after the specified period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99059SV-108163CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. +The ability to enable/disable a session lock is given to the user by default. Disabling the user’s ability to disengage the graphical user interface session lock ensures all sessions will lock after the specified period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99059SV-108163CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. -# touch /etc/dconf/db/local.d/locks/session + # touch /etc/dconf/db/local.d/locks/session Add the setting to lock the screensaver lock-enabled setting: -/org/gnome/desktop/screensaver/lock-enabledVerify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface. + /org/gnome/desktop/screensaver/lock-enabledVerify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface. -Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. Determine which profile the system database is using with the following command: -# grep system-db /etc/dconf/profile/user + # grep system-db /etc/dconf/profile/user -system-db:local + system-db:local Check for the lock-enabled setting with the following command: Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. -# grep -i lock-enabled /etc/dconf/db/local.d/locks/* + # grep -i lock-enabled /etc/dconf/db/local.d/locks/* -/org/gnome/desktop/screensaver/lock-enabled + /org/gnome/desktop/screensaver/lock-enabled -If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL07-00-010070The Oracle Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. Rather than relying on the user to lock the operating system session manually prior to leaving the workstation, operating systems must be able to identify when a user's session has idled, and take action to initiate the session lock. +If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL07-00-010070The Oracle Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. Rather than relying on the user to lock the operating system session manually prior to leaving the workstation, operating systems must be able to identify when a user's session has idled, and take action to initiate the session lock. -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99061SV-108165CCI-000057Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. +The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99061SV-108165CCI-000057Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: -# touch /etc/dconf/db/local.d/00-screensaver + # touch /etc/dconf/db/local.d/00-screensaver Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines: -[org/gnome/desktop/session] -# Set the lock time out to 900 seconds before the session is considered idle -idle-delay=uint32 900 + [org/gnome/desktop/session] + # Set the lock time out to 900 seconds before the session is considered idle + idle-delay=uint32 900 You must include the "uint32" along with the integer key values as shown. Update the system databases: -# dconf update + # dconf update -Users must log out and then log in again before the system-wide settings take effect.Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console. +Users must log out and then log in again before the system-wide settings take effect.Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces. Note: If the system does not have GNOME installed, this requirement is Not Applicable. Check to see if GNOME is configured to display a screensaver after a 15 minute delay with the following command: -# grep -i idle-delay /etc/dconf/db/local.d/* -idle-delay=uint32 900 + # grep -i idle-delay /etc/dconf/db/local.d/* + idle-delay=uint32 900 -If the "idle-delay" setting is missing or is not set to "900" or less, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL07-00-010081The Oracle Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to lock the operating system session manually prior to leaving the workstation, operating systems must be able to identify when a user's session has idled, and take action to initiate the session lock. +If the "idle-delay" setting is missing or is not set to "900" or less, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL07-00-010081The Oracle Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to lock the operating system session manually prior to leaving the workstation, operating systems must be able to identify when a user's session has idled, and take action to initiate the session lock. -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99063SV-108167CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. +The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99063SV-108167CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. -# touch /etc/dconf/db/local.d/locks/session + # touch /etc/dconf/db/local.d/locks/session Add the setting to lock the screensaver lock delay: -/org/gnome/desktop/screensaver/lock-delayVerify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. + /org/gnome/desktop/screensaver/lock-delayVerify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. -Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. Determine which profile the system database is using with the following command: -# grep system-db /etc/dconf/profile/user - -system-db:local + # grep system-db /etc/dconf/profile/user + system-db:local Check for the lock delay setting with the following command: Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. -# grep -i lock-delay /etc/dconf/db/local.d/locks/* - -/org/gnome/desktop/screensaver/lock-delay + # grep -i lock-delay /etc/dconf/db/local.d/locks/* + /org/gnome/desktop/screensaver/lock-delay -If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL07-00-010082The Oracle Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to lock their operating system session manually prior to leaving the workstation, operating systems must be able to identify when a user's session has idled and take action to initiate the session lock. +If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL07-00-010082The Oracle Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to lock their operating system session manually prior to leaving the workstation, operating systems must be able to identify when a user's session has idled and take action to initiate the session lock. -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99065SV-108169CCI-000057Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces. +The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99065SV-108169CCI-000057Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in /etc/dconf/profile/user, the file should be created under the appropriate subdirectory. -# touch /etc/dconf/db/local.d/locks/session + # touch /etc/dconf/db/local.d/locks/session Add the setting to lock the session idle delay: -/org/gnome/desktop/session/idle-delayVerify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. + /org/gnome/desktop/session/idle-delayVerify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. -Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. Determine which profile the system database is using with the following command: -# grep system-db /etc/dconf/profile/user - -system-db:local + # grep system-db /etc/dconf/profile/user + system-db:local Check for the session idle delay setting with the following command: Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. -# grep -i idle-delay /etc/dconf/db/local.d/locks/* + # grep -i idle-delay /etc/dconf/db/local.d/locks/* + /org/gnome/desktop/session/idle-delay -/org/gnome/desktop/session/idle-delay +If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL07-00-010100The Oracle Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems must be able to identify when a user's session has idled and take action to initiate the session lock. -If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL07-00-010100The Oracle Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems must be able to identify when a user's session has idled and take action to initiate the session lock. - -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108173V-99069CCI-000057Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces. +The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108173V-99069CCI-000057Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: -# touch /etc/dconf/db/local.d/00-screensaver + # touch /etc/dconf/db/local.d/00-screensaver Add the setting to enable screensaver locking after 15 minutes of inactivity: -[org/gnome/desktop/screensaver] - -idle-activation-enabled=true + [org/gnome/desktop/screensaver] + idle-activation-enabled=true Update the system databases: -# dconf update + # dconf update -Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console. +Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces. -Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. Check for the session lock settings with the following commands: -# grep -i idle-activation-enabled /etc/dconf/db/local.d/* + # grep -i idle-activation-enabled /etc/dconf/db/local.d/* + idle-activation-enabled=true -idle-activation-enabled=true - -If "idle-activation-enabled" is not set to "true", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL07-00-010101The Oracle Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +If "idle-activation-enabled" is not set to "true", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL07-00-010101The Oracle Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. -The ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108175V-99071CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. +The ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108175V-99071CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. -# touch /etc/dconf/db/local.d/locks/session + # touch /etc/dconf/db/local.d/locks/session Add the setting to lock the screensaver idle-activation-enabled setting: -/org/gnome/desktop/screensaver/idle-activation-enabledVerify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. + /org/gnome/desktop/screensaver/idle-activation-enabledVerify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. -Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. Determine which profile the system database is using with the following command: -# grep system-db /etc/dconf/profile/user - -system-db:local + # grep system-db /etc/dconf/profile/user + system-db:local Check for the idle-activation-enabled setting with the following command: Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. -# grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/* - -/org/gnome/desktop/screensaver/idle-activation-enabled + # grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/* + /org/gnome/desktop/screensaver/idle-activation-enabled -If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL07-00-010110The Oracle Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to lock their operating system session manually prior to leaving the workstation, operating systems must be able to identify when a user's session has idled, and take action to initiate the session lock. +If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL07-00-010110The Oracle Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to lock their operating system session manually prior to leaving the workstation, operating systems must be able to identify when a user's session has idled, and take action to initiate the session lock. -The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108177V-99073CCI-000057Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated. +The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108177V-99073CCI-000057Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: -# touch /etc/dconf/db/local.d/00-screensaver + # touch /etc/dconf/db/local.d/00-screensaver Add the setting to enable session locking when a screensaver is activated: -[org/gnome/desktop/screensaver] -lock-delay=uint32 5 + [org/gnome/desktop/screensaver] + lock-delay=uint32 5 The "uint32" must be included along with the integer key values as shown. Update the system databases: -# dconf update + # dconf update -Users must log out and then log in again before the system-wide settings take effect.Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated. +Users must log out and then log in again before the system-wide settings take effect.Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated. -Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. If GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command: -# grep -i lock-delay /etc/dconf/db/local.d/* -lock-delay=uint32 5 + # grep -i lock-delay /etc/dconf/db/local.d/* + lock-delay=uint32 5 If the "lock-delay" setting is missing, or is not set to "5" or less, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>OL07-00-010118The Oracle Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.<VulnDiscussion>Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108179V-99075CCI-000192Configure PAM to utilize /etc/pam.d/system-auth when changing passwords. @@ -605,7 +599,7 @@ Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.c $ sudo grep maxclassrepeat /etc/security/pwquality.conf maxclassrepeat = 4 -If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>OL07-00-010200The Oracle Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99095SV-108199CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. +If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>OL07-00-010200The Oracle Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99095SV-108199CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. Add the following line in "/etc/pam.d/system-auth": pam_unix.so sha512 shadow try_first_pass use_authtok @@ -613,17 +607,17 @@ pam_unix.so sha512 shadow try_first_pass use_authtok Add the following line in "/etc/pam.d/password-auth": pam_unix.so sha512 shadow try_first_pass use_authtok -Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. +Note: Per requirement OL07-00-010199, Oracle Linux 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. Check that the system is configured to create SHA512 hashed passwords with the following command: -# grep password /etc/pam.d/system-auth /etc/pam.d/password-auth + # grep password /etc/pam.d/system-auth /etc/pam.d/password-auth Outcome should look like following: -/etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok -/etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok + /etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok + /etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok -If the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" configuration files allow for password hashes other than SHA512 to be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>OL07-00-010210The Oracle Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99097SV-108201CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. +If the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" configuration files allow for password hashes other than SHA512 to be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>OL07-00-010210The Oracle Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99097SV-108201CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. Add or update the following line in "/etc/login.defs": @@ -634,7 +628,7 @@ Check that the system is configured to create SHA512 hashed passwords with the f # grep -i encrypt /etc/login.defs ENCRYPT_METHOD SHA512 -If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>OL07-00-010220The Oracle Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108203V-99099CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. +If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>OL07-00-010220The Oracle Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108203V-99099CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. Add or update the following line in "/etc/libuser.conf" in the [defaults] section: @@ -682,19 +676,18 @@ If the "PASS_MAX_DAYS" parameter value is not 60 or less, or is commented out, t # awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow -If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>OL07-00-010270The Oracle Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108213V-99109CCI-000200Configure the operating system to prohibit password reuse for a minimum of five generations. +If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>OL07-00-010270The Oracle Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108213V-99109CCI-000200Configure the operating system to prohibit password reuse for a minimum of five generations. Add the following line in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" (or modify the line to have the required value): -password requisite pam_pwhistory.so use_authtok remember=5 retry=3 + password requisite pam_pwhistory.so use_authtok remember=5 retry=3 -Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.Verify the operating system prohibits password reuse for a minimum of five generations. +Note: Per requirement OL07-00-010199, Oracle Linux 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.Verify the operating system prohibits password reuse for a minimum of five generations. Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" with the following command: -# grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth - -password requisite pam_pwhistory.so use_authtok remember=5 retry=3 + # grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth + password requisite pam_pwhistory.so use_authtok remember=5 retry=3 If the line containing the "pam_pwhistory.so" line does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>OL07-00-010280The Oracle Linux operating system must be configured so that passwords are a minimum of 15 characters in length.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. @@ -709,13 +702,13 @@ Check for the value of the "minlen" option in "/etc/security/pwquality.conf" wit # grep minlen /etc/security/pwquality.conf minlen = 15 -If the command does not return a "minlen" value of 15 or greater, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-010290The Oracle Linux operating system must not allow accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99113SV-108217CCI-000366If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. +If the command does not return a "minlen" value of 15 or greater, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-010290The Oracle Linux operating system must not allow accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99113SV-108217CCI-000366If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords. -Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.To verify that null passwords cannot be used, run the following command: +Note: Per requirement OL07-00-010199, Oracle Linux 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.To verify that null passwords cannot be used, run the following command: -# grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth + # grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth If this produces any output, it may be possible to log on with accounts with empty passwords. @@ -744,23 +737,24 @@ Verify the operating system disables account identifiers (individuals, groups, r # grep -i inactive /etc/default/useradd INACTIVE=35 -If "INACTIVE" is set to "-1", a value greater than "35", is commented out, or is not defined, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>OL07-00-010320The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. +If "INACTIVE" is set to "-1", a value greater than "35", is commented out, or is not defined, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>OL07-00-010320The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. -Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99119SV-108223CCI-000044CCI-002236CCI-002237CCI-002238Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made. +Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99119SV-108223CCI-000044CCI-002236CCI-002237CCI-002238Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made. Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth sufficient pam_unix.so try_first_pass -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth sufficient pam_unix.so try_first_pass +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +account required pam_faillock.so + +Note: Per requirement OL07-00-010199, Oracle Linux 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command: -Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes, with the following command: + # grep pam_faillock.so /etc/pam.d/password-auth -# grep pam_faillock.so /etc/pam.d/password-auth -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +account required pam_faillock.so If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. @@ -773,10 +767,12 @@ If the "unlock_time" parameter is not set to "0", "never", or is set to a value Note: The maximum configurable value for "unlock_time" is "604800". If any line referencing the "pam_faillock.so" module is commented out, this is a finding. -# grep pam_faillock.so /etc/pam.d/system-auth -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so + + # grep pam_faillock.so /etc/pam.d/system-auth + +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +account required pam_faillock.so If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. @@ -785,32 +781,35 @@ If the "even_deny_root" parameter is not set on both "auth" lines with the "pam_ If the "fail_interval" parameter is set to "0" or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module or is missing from these lines, this is a finding. -Note: The maximum configurable value for "unlock_time" is "604800". -If any line referencing the "pam_faillock.so" module is commented out, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>OL07-00-010330The Oracle Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. +Note: The maximum configurable value for "unlock_time" is "604800". + +If any line referencing the "pam_faillock.so" module is commented out, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>OL07-00-010330The Oracle Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. -Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99121SV-108225CCI-002238Configure the operating system to automatically lock the root account, for a minimum of 15 minutes, when three unsuccessful logon attempts in 15 minutes are made. +Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99121SV-108225CCI-002238Configure the operating system to automatically lock the root account, for a minimum of 15 minutes, when three unsuccessful logon attempts in 15 minutes are made. Modify the first three lines of the auth section and the first line of the account section of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth sufficient pam_unix.so try_first_pass -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth sufficient pam_unix.so try_first_pass +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +account required pam_faillock.so + +Note: Per requirement OL07-00-010199, Oracle Linux 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.Verify the operating system automatically locks the root account, for a minimum of 15 minutes, when three unsuccessful logon attempts in 15 minutes are made. -Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.Verify the operating system automatically locks the root account for a minimum of 15 minutes when three unsuccessful logon attempts in 15 minutes are made. + # grep pam_faillock.so /etc/pam.d/password-auth -# grep pam_faillock.so /etc/pam.d/password-auth -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +account required pam_faillock.so If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding. -# grep pam_faillock.so /etc/pam.d/system-auth -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so + # grep pam_faillock.so /etc/pam.d/system-auth + +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +account required pam_faillock.so If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>OL07-00-010340The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which authorization has not been granted. @@ -845,7 +844,7 @@ Check the value of the "fail_delay" parameter in the "/etc/login.defs" file with # grep -i fail_delay /etc/login.defs FAIL_DELAY 4 -If the value of "FAIL_DELAY" is not set to "4" or greater, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>OL07-00-010440The Oracle Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99127SV-108231CCI-000366Configure the operating system not to allow an unattended or automatic logon to the system via a graphical user interface. +If the value of "FAIL_DELAY" is not set to "4" or greater, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>OL07-00-010440The Oracle Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99127SV-108231CCI-000366Configure the operating system not to allow an unattended or automatic logon to the system via a graphical user interface. Note: If the system does not have GNOME installed, this requirement is Not Applicable. @@ -861,7 +860,7 @@ Check for the value of the "AutomaticLoginEnable" in the "/etc/gdm/custom.conf" # grep -i automaticloginenable /etc/gdm/custom.conf AutomaticLoginEnable=false -If the value of "AutomaticLoginEnable" is not set to "false", this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>OL07-00-010450The Oracle Linux operating system must not allow an unrestricted logon to the system.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99129SV-108233CCI-000366Configure the operating system not to allow an unrestricted account to log on to the system via a graphical user interface. +If the value of "AutomaticLoginEnable" is not set to "false", this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>OL07-00-010450The Oracle Linux operating system must not allow an unrestricted logon to the system.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99129SV-108233CCI-000366Configure the operating system not to allow an unrestricted account to log on to the system via a graphical user interface. Note: If the system does not have GNOME installed, this requirement is Not Applicable. @@ -877,7 +876,7 @@ Check for the value of the "TimedLoginEnable" parameter in "/etc/gdm/custom.conf # grep -i timedloginenable /etc/gdm/custom.conf TimedLoginEnable=false -If the value of "TimedLoginEnable" is not set to "false", this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>OL07-00-010460The Oracle Linux operating system must not allow users to override SSH environment variables.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99131SV-108235CCI-000366Configure the operating system not to allow users to override environment variables to the SSH daemon. +If the value of "TimedLoginEnable" is not set to "false", this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>OL07-00-010460The Oracle Linux operating system must not allow users to override SSH environment variables.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99131SV-108235CCI-000366Configure the operating system not to allow users to override environment variables to the SSH daemon. Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "PermitUserEnvironment" keyword and set the value to "no": @@ -890,7 +889,7 @@ Check for the value of the "PermitUserEnvironment" keyword with the following co # grep -i permituserenvironment /etc/ssh/sshd_config PermitUserEnvironment no -If the "PermitUserEnvironment" keyword is not set to "no", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>OL07-00-010470The Oracle Linux operating system must not allow a non-certificate trusted host SSH logon to the system.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99133SV-108237CCI-000366Configure the operating system not to allow a non-certificate trusted host SSH logon to the system. +If the "PermitUserEnvironment" keyword is not set to "no", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>OL07-00-010470The Oracle Linux operating system must not allow a non-certificate trusted host SSH logon to the system.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99133SV-108237CCI-000366Configure the operating system not to allow a non-certificate trusted host SSH logon to the system. Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "HostbasedAuthentication" keyword and set the value to "no": @@ -1014,7 +1013,7 @@ Verify that the daemon is running: # ps -ef | grep -i mfetpd -If the daemon is not running, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>OL07-00-020020The Oracle Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. +If the daemon is not running, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>OL07-00-020020The Oracle Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99153SV-108257CCI-002165CCI-002235Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. @@ -1052,73 +1051,61 @@ All authorized non-administrative users must be mapped to the "user_u" SELinux u If they are not mapped in this way, this is a finding. If administrator accounts are mapped to the "sysadm_u" SELinux user and are not documented as an operational requirement with the ISSO, this is a finding. -If administrator accounts are mapped to the "sysadm_u" SELinux user and are documented as an operational requirement with the ISSO, this can be downgraded to a CAT III.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>OL07-00-020030The Oracle Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. +If administrator accounts are mapped to the "sysadm_u" SELinux user and are documented as an operational requirement with the ISSO, this can be downgraded to a CAT III.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>OL07-00-020030The Oracle Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. -Satisfies: SRG-OS-000363-GPOS-00150 and SRG-OS-000446-GPOS-00200</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99155SV-108259CCI-001744CCI-002699Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used: +Satisfies: SRG-OS-000363-GPOS-00150 and SRG-OS-000446-GPOS-00200</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99155SV-108259CCI-001744CCI-002699Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used: -# more /etc/cron.daily/aide -#!/bin/bash + # more /etc/cron.daily/aide + #!/bin/bash -/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.milVerify the operating system routinely checks the baseline configuration for unauthorized changes. + /usr/sbin/aide --check | /var/spool/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.milVerify the operating system routinely checks the baseline configuration for unauthorized changes. Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week. -Check to see if AIDE is installed on the system with the following command: - -# yum list installed aide - -If AIDE is not installed, ask the SA how file integrity checks are performed on the system. - Check for the presence of a cron job running daily or weekly on the system that executes AIDE daily to scan for changes to the system baseline. The command used in the example will use a daily occurrence. Check the cron directories for a script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command: -# ls -al /etc/cron.* | grep aide --rwxr-xr-x 1 root root 29 Nov 22 2015 aide + # ls -al /etc/cron.* | grep aide + -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide -# grep aide /etc/crontab /var/spool/cron/root -/etc/crontab: 30 04 * * * root /usr/sbin/aide --check -/var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check + # grep aide /etc/crontab /var/spool/cron/root + /etc/crontab: 30 04 * * * root /usr/sbin/aide --check + /var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check -If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>OL07-00-020040The Oracle Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. +If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>OL07-00-020040The Oracle Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108261V-99157CCI-001744Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108261V-99157CCI-001744Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. -# more /etc/cron.daily/aide + # more /etc/cron.daily/aide -/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.milVerify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner. + /usr/sbin/aide --check | /var/spool/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.milVerify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner. Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed and notify specified individuals via email or an alert. -Check to see if AIDE is installed on the system with the following command: - -# yum list installed aide - -If AIDE is not installed, ask the SA how file integrity checks are performed on the system. - Check for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. The commands used in the example will use a daily occurrence. Check the cron directories for a "crontab" script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command: + + # ls -al /etc/cron.* | grep aide + -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide -# ls -al /etc/cron.* | grep aide --rwxr-xr-x 1 root root 32 Jul 1 2011 aide - -# grep aide /etc/crontab /var/spool/cron/root -/etc/crontab: 30 04 * * * root /usr/sbin/aide --check -/var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check + # grep aide /etc/crontab /var/spool/cron/root + /etc/crontab: 30 04 * * * root /usr/sbin/aide --check + /var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check AIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example: -# more /etc/cron.daily/aide -#!/bin/bash + # more /etc/cron.daily/aide + #!/bin/bash -/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil + /usr/sbin/aide --check | /var/spool/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil -If the file integrity application does not notify designated personnel of changes, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>OL07-00-020050The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. +If the file integrity application does not notify designated personnel of changes, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>OL07-00-020050The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. @@ -1133,7 +1120,7 @@ gpgcheck=1 If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. -If there is no process to validate certificates that is approved by the organization, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>OL07-00-020060The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. +If there is no process to validate certificates that is approved by the organization, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>OL07-00-020060The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. @@ -1430,23 +1417,23 @@ Check the home directory assignment for all local interactive users on the syste -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj -If any home directories referenced in "/etc/passwd" are not owned by the interactive user, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-020650The Oracle Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.<VulnDiscussion>If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108305V-99201CCI-000366Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command: +If any home directories referenced in "/etc/passwd" are not owned by the interactive user, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-020650The Oracle Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.<VulnDiscussion>If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108305V-99201CCI-000366Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users. -# chgrp users /home/smithjVerify the assigned home directory of all local interactive users is group-owned by that user's primary GID. + # chgrp users /home/smithjVerify the assigned home directory of all local interactive users is group-owned by that user's primary GID. Check the home directory assignment for all local interactive users on the system with the following command: -# ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) + # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) --rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj + -rwxr-x--- 1 smithj users 13 Apr 1 04:20 /home/smithj Check the user's primary group with the following command: -# grep $(grep smithj /etc/passwd | awk -F: ‘{print $4}’) /etc/group + # grep $(grep smithj /etc/passwd | awk -F: '{print $4}') /etc/group -users:x:250:smithj,jonesj,jacksons + users:x:250:smithj,marinc,chongt If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-020660The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner.<VulnDiscussion>Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108307V-99203CCI-000366Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on OL 7 with the "chown" command: @@ -1779,7 +1766,7 @@ Check that a file system/partition has been created for "/var" with the followin # grep /var /etc/fstab UUID=c274f65f /var ext4 noatime,nobarrier 1 2 -If a separate entry for "/var" is not in use, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>OL07-00-021330The Oracle Linux operating system must use a separate file system for the system audit data path large enough to hold at least one week of audit data.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99251SV-108355CCI-001849Migrate the system audit data path onto an appropriately sized separate file system to store at least one week of audit records.Determine if the operating system is configured to have the "/var/log/audit" path is on a separate file system. +If a separate entry for "/var" is not in use, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>OL07-00-021330The Oracle Linux operating system must use a separate file system for the system audit data path large enough to hold at least one week of audit data.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99251SV-108355CCI-001849Migrate the system audit data path onto an appropriately sized separate file system to store at least one week of audit records.Determine if the operating system is configured to have the "/var/log/audit" path is on a separate file system. # grep /var/log/audit /etc/fstab @@ -1813,7 +1800,7 @@ If the "tmp.mount" service is not enabled, check to see if "/tmp" is defined in # grep -i /tmp /etc/fstab UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4 rw,relatime,discard,data=ordered,nosuid,noexec, 0 0 -If "tmp.mount" service is not enabled or the "/tmp" directory is not defined in the fstab with a device and mount point, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>OL07-00-021350The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards approved by the federal government to ensure they have been tested and validated. +If "tmp.mount" service is not enabled or the "/tmp" directory is not defined in the fstab with a device and mount point, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>OL07-00-021350The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards approved by the federal government to ensure they have been tested and validated. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99255SV-108359CCI-000068CCI-001199CCI-002450CCI-002476Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package. @@ -1892,82 +1879,59 @@ Verify the file /etc/system-fips exists. # ls -l /etc/system-fips -If this file does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-021600The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).<VulnDiscussion>ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99257SV-108361CCI-000366Configure the file integrity tool to check file and directory ACLs. - -If AIDE is installed, ensure the "acl" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify ACLs. - -Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command: +If this file does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-021600The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).<VulnDiscussion>ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99257SV-108361CCI-000366Configure the file integrity tool to check file and directory ACLs. -# yum list installed aide - -If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. - -If there is no application installed to perform file integrity checks, this is a finding. +If AIDE is installed, ensure the "acl" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify ACLs. Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. Use the following command to determine if the file is in another location: -# find / -name aide.conf + # find / -name aide.conf Check the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists. An example rule that includes the "acl" rule is below: -All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux -/bin All # apply the custom rule to the files in bin -/sbin All # apply the same custom rule to the files in sbin - -If the "acl" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-021610The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.<VulnDiscussion>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99259SV-108363CCI-000366Configure the file integrity tool to check file and directory extended attributes. - -If AIDE is installed, ensure the "xattrs" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify extended attributes. + All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux + /bin All # apply the custom rule to the files in bin + /sbin All # apply the same custom rule to the files in sbin -Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command: +If the "acl" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-021610The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.<VulnDiscussion>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99259SV-108363CCI-000366Configure the file integrity tool to check file and directory extended attributes. -# yum list installed aide - -If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. - -If there is no application installed to perform file integrity checks, this is a finding. +If AIDE is installed, ensure the "xattrs" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify extended attributes. Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. Use the following command to determine if the file is in another location: - -# find / -name aide.conf + # find / -name aide.conf Check the "aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists. An example rule that includes the "xattrs" rule follows: -All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux -/bin All # apply the custom rule to the files in bin -/sbin All # apply the same custom rule to the files in sbin + All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux + /bin All # apply the custom rule to the files in bin + /sbin All # apply the same custom rule to the files in sbin -If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-021620The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.<VulnDiscussion>File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes. +If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-021620The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.<VulnDiscussion>File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes. The Oracle Linux operating system installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99261SV-108365CCI-000366Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. -If AIDE is installed, ensure the "sha512" rule is present on all uncommented file and directory selection lists. Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications.Verify the file integrity tool is configured to use FIPS 140-2-approved cryptographic hashes for validating file contents and directories. - -Check to see if AIDE is installed on the system with the following command: -# yum list installed aide - -If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. - -If there is no application installed to perform file integrity checks, this is a finding. +If AIDE is installed, ensure the "sha512" rule is present on all uncommented file and directory selection lists. Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications.Verify the file integrity tool is configured to use FIPS 140-2-approved cryptographic hashes for validating file contents and directories. Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. Use the following command to determine if the file is in another location: -# find / -name aide.conf + + # find / -name aide.conf Check the "aide.conf" file to determine if the "sha512" rule has been added to the rule list being applied to the files and directories selection lists. Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications. An example rule that includes the "sha512" rule follows: - -All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux -/bin All # apply the custom rule to the files in bin -/sbin All # apply the same custom rule to the files in sbin + + All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux + /bin All # apply the custom rule to the files in bin + /sbin All # apply the same custom rule to the files in sbin If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>OL07-00-021700The Oracle Linux operating system must not allow removable media to be used as the boot loader unless approved.<VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108367V-99263CCI-001813Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.Verify the system is not configured to use a boot loader on removable media. @@ -2020,47 +1984,47 @@ Check to see if auditing is active by issuing the following command: # systemctl is-active auditd.service active -If the "auditd" status is not active, this is a finding.SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>OL07-00-030010The Oracle Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. +If the "auditd" status is not active, this is a finding.SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>OL07-00-030010The Oracle Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. -Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108373V-99269CCI-000139Configure the operating system to shut down in the event of an audit processing failure. +Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108373V-99269CCI-000139Configure the operating system to shut down in the event of an audit processing failure. Add or correct the option to shut down the operating system with the following command: -# auditctl -f 2 + # auditctl -f 2 Edit the "/etc/audit/rules.d/audit.rules" file and add the following line: --f 2 + -f 2 If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command: -# auditctl -f 1 + # auditctl -f 1 Edit the "/etc/audit/rules.d/audit.rules" file and add the following line: --f 1 + -f 1 Kernel log monitoring must also be configured to properly alert designated staff. -The audit daemon must be restarted for the changes to take effect.Confirm the audit configuration regarding how auditing processing failures are handled. +The audit daemon must be restarted for the changes to take effect.Confirm the audit configuration regarding how auditing processing failures are handled. Check to see what level "auditctl" is set to with following command: -# auditctl -s | grep -i "fail" + # auditctl -s | grep -i "fail" -failure 2 + failure 2 -Note: If the value of "failure" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure. If the value of "failure" is set to "1", the system is configured only to send information to the kernel log regarding the failure. +Note: If the value of "failure" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure. If the value of "failure" is set to "1", the system will not shut down and instead will record the audit failure in the kernel log. If the system is configured per requirement OL07-00-031000, the kernel log will be sent to a log aggregation server and generate an alert. If the "failure" setting is set to any value other than "1" or "2", this is a finding. -If the "failure" setting is not set, this should be upgraded to a CAT I finding. +If the "failure" setting is not set, this must be upgraded to a CAT I finding. -If the "failure" setting is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>OL07-00-030201The Oracle Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If the "failure" setting is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this must be downgraded to a CAT III finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>OL07-00-030201The Oracle Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. @@ -2087,7 +2051,7 @@ format = string If "active" is not set to "yes", "direction" is not set to "out", "path" is not set to "/sbin/audisp-remote", "type is not set to "always", or any of the lines are commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media. -If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>OL07-00-030210The Oracle Linux operating system must take appropriate action when the remote logging buffer is full.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>OL07-00-030210The Oracle Linux operating system must take appropriate action when the remote logging buffer is full.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. @@ -2107,7 +2071,7 @@ overflow_action = syslog If the "overflow_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate what action the system takes when the internal queue is full. -If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action when the internal queue is full, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>OL07-00-030211The Oracle Linux operating system must label all off-loaded audit logs before sending them to the central log server.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action when the internal queue is full, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>OL07-00-030211The Oracle Linux operating system must label all off-loaded audit logs before sending them to the central log server.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. @@ -2127,7 +2091,7 @@ name_format = hostname If the "name_format" option is not "hostname", "fqd", or "numeric", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate if the logs are labeled appropriately. -If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not appropriately label logs before they are off-loaded, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>OL07-00-030300The Oracle Linux operating system must off-load audit records onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not appropriately label logs before they are off-loaded, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>OL07-00-030300The Oracle Linux operating system must off-load audit records onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. @@ -2142,7 +2106,7 @@ remote_server = 10.0.21.1 If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. -If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>OL07-00-030310The Oracle Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>OL07-00-030310The Oracle Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. @@ -2159,7 +2123,7 @@ enable_krb5 = yes If the value of the "enable_krb5" option is not set to "yes" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. -If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>OL07-00-030320The Oracle Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.<VulnDiscussion>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. +If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>OL07-00-030320The Oracle Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.<VulnDiscussion>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. One method of off-loading audit logs in Oracle Linux is with the use of the audisp-remote dameon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108387V-99283CCI-001851Configure the action the operating system takes if the disk the audit records are written to becomes full. Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line: @@ -2173,7 +2137,7 @@ disk_full_action = single If the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate the action taken when the disk is full on the remote server. -If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action when the disk is full on the remote server, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>OL07-00-030321The Oracle Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.<VulnDiscussion>Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records. +If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action when the disk is full on the remote server, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>OL07-00-030321The Oracle Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.<VulnDiscussion>Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records. One method of off-loading audit logs in Oracle Linux is with the use of the audisp-remote dameon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108389V-99285CCI-001851Configure the action the operating system takes if there is an error sending audit records to a remote system. Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt". @@ -2187,7 +2151,7 @@ network_failure_action = syslog If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate the action taken if there is an error sending audit records to the remote system. -If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action if there is an error sending audit records to the remote system, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>OL07-00-030330The Oracle Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99287SV-108391CCI-001855Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. +If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action if there is an error sending audit records to the remote system, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>OL07-00-030330The Oracle Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99287SV-108391CCI-001855Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size. space_left = 25% @@ -2204,7 +2168,7 @@ Determine what the threshold is for the system to take action when 75 percent of $ sudo grep -iw space_left /etc/audit/auditd.conf space_left = 25% -If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>OL07-00-030340The Oracle Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99289SV-108393CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. +If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>OL07-00-030340The Oracle Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99289SV-108393CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" and set it to "email". @@ -2215,7 +2179,7 @@ Check what action the operating system takes when the threshold for the reposito # grep -i space_left_action /etc/audit/auditd.conf space_left_action = email -If the value of the "space_left_action" keyword is not set to "email", this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>OL07-00-030350The Oracle Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99291SV-108395CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. +If the value of the "space_left_action" keyword is not set to "email", this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>OL07-00-030350The Oracle Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99291SV-108395CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. Uncomment or edit the "action_mail_acct" keyword in "/etc/audit/auditd.conf" and set it to root and any other accounts associated with security personnel. @@ -3058,7 +3022,7 @@ The virus scanning software should be configured to perform scans dynamically on If the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99413SV-108517CCI-000366Install an antivirus solution on the system.Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. -If there is no anti-virus solution installed on the system, this is a finding.SRG-OS-000027-GPOS-00008<GroupDescription></GroupDescription>OL07-00-040000The Oracle Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.<VulnDiscussion>Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. +If there is no anti-virus solution installed on the system, this is a finding.SRG-OS-000027-GPOS-00008<GroupDescription></GroupDescription>OL07-00-040000The Oracle Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.<VulnDiscussion>Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99415SV-108519CCI-000054Configure the operating system to limit the number of concurrent sessions to "10" for all accounts and/or account types. @@ -3094,7 +3058,7 @@ rich rules: Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. -If there are additional ports, protocols, or services that are not in the PPSM CLSA, or ports, protocols, or services prohibited by the PPSM Category Assurance List (CAL), this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>OL07-00-040110The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.<VulnDiscussion>Unapproved mechanisms for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity, resulting in the compromise of DoD data. +If there are additional ports, protocols, or services that are not in the PPSM CLSA, or ports, protocols, or services prohibited by the PPSM Category Assurance List (CAL), this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>OL07-00-040110The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.<VulnDiscussion>Unapproved mechanisms for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity, resulting in the compromise of DoD data. Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. @@ -3206,7 +3170,7 @@ By using this IS (which includes any device attached to this IS), you consent to If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. -If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>OL07-00-040180The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. +If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>OL07-00-040180The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99425SV-108529CCI-001453Configure the operating system to implement cryptography to protect the integrity of LDAP authentication sessions. @@ -3238,7 +3202,7 @@ Ensure LDAP is configured to use TLS, by using the following command: # grep -i "start_tls" /etc/sssd/sssd.conf ldap_id_use_start_tls = true -If the "ldap_id_use_start_tls" option is not "true", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>OL07-00-040190The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. +If the "ldap_id_use_start_tls" option is not "true", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>OL07-00-040190The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99427SV-108531CCI-001453Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions. @@ -3272,7 +3236,7 @@ ldap_tls_reqcert = demand If the "ldap_tls_reqcert" setting is missing, commented out, or does not exist, this is a finding. -If the "ldap_tls_reqcert" setting is not set to "demand" or "hard", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>OL07-00-040200The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. +If the "ldap_tls_reqcert" setting is not set to "demand" or "hard", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>OL07-00-040200The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108533V-99429CCI-001453Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions. @@ -3307,29 +3271,29 @@ ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt Verify the "ldap_tls_cacert" option points to a file that contains the trusted CA certificate. -If this file does not exist, or the option is commented out or missing, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>OL07-00-040201The Oracle Linux operating system must implement virtual address space randomization.<VulnDiscussion>Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108535V-99431CCI-002824Configure the operating system implement virtual address space randomization. +If this file does not exist, or the option is commented out or missing, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>OL07-00-040201The Oracle Linux operating system must implement virtual address space randomization.<VulnDiscussion>Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108535V-99431CCI-002824Configure the operating system implement virtual address space randomization. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -kernel.randomize_va_space = 2 + kernel.randomize_va_space = 2 Issue the following command to make the changes take effect: -# sysctl --systemVerify the operating system implements virtual address space randomization. + # sysctl --systemVerify the operating system implements virtual address space randomization. -# grep kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d/* + # grep -r kernel.randomize_va_space /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null + kernel.randomize_va_space = 2 -kernel.randomize_va_space = 2 - -If "kernel.randomize_va_space" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "2", this is a finding. +If "kernel.randomize_va_space" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out or does not have a value of "2", this is a finding. Check that the operating system implements virtual address space randomization with the following command: -# /sbin/sysctl -a | grep kernel.randomize_va_space + # /sbin/sysctl -a | grep kernel.randomize_va_space + kernel.randomize_va_space = 2 -kernel.randomize_va_space = 2 +If "kernel.randomize_va_space" does not have a value of "2", this is a finding. -If "kernel.randomize_va_space" does not have a value of "2", this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>OL07-00-040300The Oracle Linux operating system must be configured so that all networked systems have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +If conflicting results are returned, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>OL07-00-040300The Oracle Linux operating system must be configured so that all networked systems have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. @@ -3470,7 +3434,7 @@ To determine how the SSH daemon's "IgnoreUserKnownHosts" option is set, run the IgnoreUserKnownHosts yes -If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>OL07-00-040390The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.<VulnDiscussion>SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. +If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>OL07-00-040390The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.<VulnDiscussion>SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108555V-99451CCI-000197Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows: @@ -3490,7 +3454,7 @@ Check that the SSH daemon is configured to only use the SSHv2 protocol with the Protocol 2 #Protocol 1,2 -If any protocol line other than "Protocol 2" is uncommented, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>OL07-00-040400The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.<VulnDiscussion>DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA. +If any protocol line other than "Protocol 2" is uncommented, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>OL07-00-040400The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.<VulnDiscussion>DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108557V-99453CCI-001453Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512" and/or "hmac-sha2-256" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): @@ -3521,19 +3485,19 @@ The following command will find all SSH public key files on the system: -rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub -rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub -If any file has a mode more permissive than 0644, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040420The Oracle Linux operating system must be configured so the SSH private host key files have mode 0600 or less permissive.<VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99457SV-108561CCI-000366Configure the mode of SSH private host key files under "/etc/ssh" to "0600" with the following command: +If any file has a mode more permissive than 0644, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040420The Oracle Linux operating system must be configured so the SSH private host key files have mode 0640 or less permissive.<VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99457SV-108561CCI-000366Configure the mode of SSH private host key files under "/etc/ssh" to "0640" with the following command: -# chmod 0600 /path/to/file/ssh_host*keyVerify the SSH private host key files have mode 0600 or less permissive. + # chmod 0640 /path/to/file/ssh_host*keyVerify the SSH private host key files have mode 0640 or less permissive. The following command will find all SSH private key files on the system and list their modes: -# find / -name '*ssh_host*key' | xargs ls -lL + # find / -name '*ssh_host*key' | xargs ls -lL --rw------- 1 root ssh_keys 668 Nov 28 06:43 ssh_host_dsa_key --rw------- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key --rw------- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key + -rw-r----- 1 root ssh_keys 112 Apr 1 11:59 ssh_host_dsa_key + -rw-r----- 1 root ssh_keys 202 Apr 1 11:59 ssh_host_key + -rw-r----- 1 root ssh_keys 352 Apr 1 11:59 ssh_host_rsa_key -If any file has a mode more permissive than 0600, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>OL07-00-040430The Oracle Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.<VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99459SV-108563CCI-001813Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": +If any file has a mode more permissive than 0640, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>OL07-00-040430The Oracle Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.<VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99459SV-108563CCI-001813Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": GSSAPIAuthentication no @@ -3585,18 +3549,20 @@ Check that the SSH daemon performs privilege separation with the following comma UsePrivilegeSeparation sandbox -If the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040470The Oracle Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.<VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99467SV-108571CCI-000366Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no": +If the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040470The Oracle Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.<VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99467SV-108571CCI-000366Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no": + + Compression no -Compression no +The SSH service must be restarted for changes to take effect.Note: For Oracle Linux 7.4 and above, this requirement is not applicable. -The SSH service must be restarted for changes to take effect.Verify the SSH daemon performs compression after a user successfully authenticates. +Verify the SSH daemon performs compression after a user successfully authenticates. Check that the SSH daemon performs compression after a user successfully authenticates with the following command: -# grep -i compression /etc/ssh/sshd_config -Compression delayed + # grep -i compression /etc/ssh/sshd_config + Compression delayed -If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>OL07-00-040500The Oracle Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. +If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>OL07-00-040500The Oracle Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. @@ -3651,30 +3617,31 @@ If the "chronyd" process is found, then check the "chrony.conf" file for the "ma server 0.rhel.pool.ntp.org iburst maxpoll 16 -If the option is not set or the line is commented out, this is a finding.SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>OL07-00-040510The Oracle Linux operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. +If the option is not set or the line is commented out, this is a finding.SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>OL07-00-040510The Oracle Linux operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. -This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108577V-99473CCI-002385Set the system to implement rate-limiting measures by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108577V-99473CCI-002385Set the system to implement rate-limiting measures by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.tcp_invalid_ratelimit = 500 + net.ipv4.tcp_invalid_ratelimit = 500 Issue the following command to make the changes take effect: -# sysctl --systemVerify the operating system protects against or limits the effects of DoS attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. + # sysctl --systemVerify the operating system protects against or limits the effects of DoS attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. -# grep 'net.ipv4.tcp_invalid_ratelimit' /etc/sysctl.conf /etc/sysctl.d/* + # grep -r net.ipv4.tcp_invalid_ratelimit /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null + /etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = 500 -/etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = 500 - -If "net.ipv4.tcp_invalid_ratelimit" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out this is a finding. +If "net.ipv4.tcp_invalid_ratelimit" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out this is a finding. Check that the operating system implements the value of the "tcp_invalid_ratelimit" variable with the following command: -# /sbin/sysctl -a | grep 'net.ipv4.tcp_invalid_ratelimit' -net.ipv4.tcp_invalid_ratelimit = 500 + # /sbin/sysctl -a | grep net.ipv4.tcp_invalid_ratelimit + net.ipv4.tcp_invalid_ratelimit = 500 + + If "net.ipv4.tcp_invalid_ratelimit" has a value of "0", this is a finding. -If "net.ipv4.tcp_invalid_ratelimit" has a value of "0", this is a finding. +If "net.ipv4.tcp_invalid_ratelimit" has a value greater than "1000" and is not documented with the Information System Security Officer (ISSO), this is a finding. -If "net.ipv4.tcp_invalid_ratelimit" has a value greater than "1000" and is not documented with the Information System Security Officer (ISSO), this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040520The Oracle Linux operating system must enable an application firewall, if available.<VulnDiscussion>Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040520The Oracle Linux operating system must enable an application firewall, if available.<VulnDiscussion>Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network. Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108579V-99475CCI-000366Ensure the operating system's application firewall is enabled. @@ -3777,172 +3744,186 @@ Verify the "/etc/resolv.conf" file is immutable with the following command: ----i----------- /etc/resolv.conf -If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040610The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108589V-99485CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040610The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108589V-99485CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.conf.all.accept_source_route = 0 + net.ipv4.conf.all.accept_source_route = 0 Issue the following command to make the changes take effect: -# sysctl -systemVerify the system does not accept IPv4 source-routed packets. - -# grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* + # sysctl -systemVerify the system does not accept IPv4 source-routed packets. -net.ipv4.conf.all.accept_source_route = 0 + # grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null + net.ipv4.conf.all.accept_source_route = 0 -If "net.ipv4.conf.all.accept_source_route" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding. +If "net.ipv4.conf.all.accept_source_route" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding. Check that the operating system implements the accept source route variable with the following command: -# /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route -net.ipv4.conf.all.accept_source_route = 0 + # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route + net.ipv4.conf.all.accept_source_route = 0 -If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040611The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.<VulnDiscussion>Enabling reverse path filtering drops packets with invalid source addresses received on the interface. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99487SV-108591CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +If the returned line does not have a value of "0", this is a finding. -net.ipv4.conf.all.rp_filter = 1 +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040611The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.<VulnDiscussion>Enabling reverse path filtering drops packets with invalid source addresses received on the interface. It should not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99487SV-108591CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): + + net.ipv4.conf.all.rp_filter = 1 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system uses a reverse-path filter for IPv4: + # sysctl --systemVerify the system uses a reverse-path filter for IPv4: -# grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d/* -net.ipv4.conf.all.rp_filter = 1 + # grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null + net.ipv4.conf.all.rp_filter = 1 -If "net.ipv4.conf.all.rp_filter" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "1", this is a finding. +If "net.ipv4.conf.all.rp_filter" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "1", this is a finding. Check that the operating system implements the accept source route variable with the following command: -# /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter -net.ipv4.conf.all.rp_filter = 1 + # /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter + net.ipv4.conf.all.rp_filter = 1 + +If the returned line does not have a value of "1", this is a finding. -If the returned line does not have a value of "1", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040612The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.<VulnDiscussion>Enabling reverse path filtering drops packets with invalid source addresses received on the interface. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99489SV-108593CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040612The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.<VulnDiscussion>Enabling reverse path filtering drops packets with invalid source addresses received on the interface. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99489SV-108593CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.conf.default.rp_filter = 1 + net.ipv4.conf.default.rp_filter = 1 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system uses a reverse-path filter for IPv4: + # sysctl --systemVerify the system uses a reverse-path filter for IPv4: -# grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d/* -net.ipv4.conf.default.rp_filter = 1 + # grep -r net.ipv4.conf.default.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null + net.ipv4.conf.default.rp_filter = 1 -If "net.ipv4.conf.default.rp_filter" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "1", this is a finding. +If "net.ipv4.conf.default.rp_filter" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "1", this is a finding. Check that the operating system implements the accept source route variable with the following command: -# /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter -net.ipv4.conf.default.rp_filter = 1 + # /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter + net.ipv4.conf.default.rp_filter = 1 -If the returned line does not have a value of "1", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040620The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108595V-99491CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +If the returned line does not have a value of "1", this is a finding. -net.ipv4.conf.default.accept_source_route = 0 +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040620The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108595V-99491CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): + + net.ipv4.conf.default.accept_source_route = 0 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system does not accept IPv4 source-routed packets by default. + # sysctl --systemVerify the system does not accept IPv4 source-routed packets by default. -# grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* -net.ipv4.conf.default.accept_source_route = 0 + # grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null + net.ipv4.conf.default.accept_source_route = 0 -If "net.ipv4.conf.default.accept_source_route" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding. +If "net.ipv4.conf.default.accept_source_route" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding. Check that the operating system implements the accept source route variable with the following command: -# /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route -net.ipv4.conf.default.accept_source_route = 0 + # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route + net.ipv4.conf.default.accept_source_route = 0 + +If the returned line does not have a value of "0", this is a finding. -If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040630The Oracle Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108597V-99493CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040630The Oracle Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108597V-99493CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.icmp_echo_ignore_broadcasts = 1 + net.ipv4.icmp_echo_ignore_broadcasts = 1 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system does not respond to IPv4 ICMP echoes sent to a broadcast address. + # sysctl --systemVerify the system does not respond to IPv4 ICMP echoes sent to a broadcast address. -# grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/* + # grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null -If "net.ipv4.icmp_echo_ignore_broadcasts" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "1", this is a finding. +If "net.ipv4.icmp_echo_ignore_broadcasts" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "1", this is a finding. Check that the operating system implements the "icmp_echo_ignore_broadcasts" variable with the following command: -# /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts -net.ipv4.icmp_echo_ignore_broadcasts = 1 + # /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts + net.ipv4.icmp_echo_ignore_broadcasts = 1 -If the returned line does not have a value of "1", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040640The Oracle Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99495SV-108599CCI-000366Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +If the returned line does not have a value of "1", this is a finding. -net.ipv4.conf.default.accept_redirects = 0 +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040640The Oracle Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99495SV-108599CCI-000366Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): + + net.ipv4.conf.default.accept_redirects = 0 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system will not accept IPv4 ICMP redirect messages. + # sysctl --systemVerify the system will not accept IPv4 ICMP redirect messages. -# grep 'net.ipv4.conf.default.accept_redirects' /etc/sysctl.conf /etc/sysctl.d/* + # grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null -If "net.ipv4.conf.default.accept_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding. +If "net.ipv4.conf.default.accept_redirects" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding. Check that the operating system implements the value of the "accept_redirects" variables with the following command: -# /sbin/sysctl -a | grep 'net.ipv4.conf.default.accept_redirects' -net.ipv4.conf.default.accept_redirects = 0 + # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_redirects + net.ipv4.conf.default.accept_redirects = 0 + +If the returned line does not have a value of "0", this is a finding. -If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040641The Oracle Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99497SV-108601CCI-000366Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040641The Oracle Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99497SV-108601CCI-000366Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.conf.all.accept_redirects = 0 + net.ipv4.conf.all.accept_redirects = 0 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system ignores IPv4 ICMP redirect messages. + # sysctl --systemVerify the system ignores IPv4 ICMP redirect messages. -# grep 'net.ipv4.conf.all.accept_redirects' /etc/sysctl.conf /etc/sysctl.d/* + # grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null -If "net.ipv4.conf.all.accept_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding. +If "net.ipv4.conf.all.accept_redirects" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding. Check that the operating system implements the "accept_redirects" variables with the following command: -# /sbin/sysctl -a | grep 'net.ipv4.conf.all.accept_redirects' + # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_redirects + net.ipv4.conf.all.accept_redirects = 0 -net.ipv4.conf.all.accept_redirects = 0 +If the returned line does not have a value of "0", this is a finding. -If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040650The Oracle Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99499SV-108603CCI-000366Configure the system not to allow interfaces to perform IPv4 ICMP redirects by default. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040650The Oracle Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99499SV-108603CCI-000366Configure the system not to allow interfaces to perform IPv4 ICMP redirects by default. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.conf.default.send_redirects = 0 + net.ipv4.conf.default.send_redirects = 0 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system does not allow interfaces to perform IPv4 ICMP redirects by default. + # sysctl --systemVerify the system does not allow interfaces to perform IPv4 ICMP redirects by default. -# grep 'net.ipv4.conf.default.send_redirects' /etc/sysctl.conf /etc/sysctl.d/* + # grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null -If "net.ipv4.conf.default.send_redirects" is not configured in the "/etc/sysctl.conf" file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding. +If "net.ipv4.conf.default.send_redirects" is not configured in the "/etc/sysctl.conf" file or in any of the other sysctl.d directories, is commented out or does not have a value of "0", this is a finding. Check that the operating system implements the "default send_redirects" variables with the following command: -# /sbin/sysctl -a | grep 'net.ipv4.conf.default.send_redirects' + # /sbin/sysctl -a | grep net.ipv4.conf.default.send_redirects + net.ipv4.conf.default.send_redirects = 0 -net.ipv4.conf.default.send_redirects = 0 +If the returned line does not have a value of "0", this is a finding. -If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040660The Oracle Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99501SV-108605CCI-000366Configure the system not to allow interfaces to perform IPv4 ICMP redirects. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040660The Oracle Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99501SV-108605CCI-000366Configure the system not to allow interfaces to perform IPv4 ICMP redirects. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.conf.all.send_redirects = 0 + net.ipv4.conf.all.send_redirects = 0 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system does not send IPv4 ICMP redirect messages. + # sysctl --systemVerify the system does not send IPv4 ICMP redirect messages. -# grep 'net.ipv4.conf.all.send_redirects' /etc/sysctl.conf /etc/sysctl.d/* + # grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null -If "net.ipv4.conf.all.send_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding. +If "net.ipv4.conf.all.send_redirects" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out or does not have a value of "0", this is a finding. Check that the operating system implements the "all send_redirects" variables with the following command: -# /sbin/sysctl -a | grep 'net.ipv4.conf.all.send_redirects' + # /sbin/sysctl -a | grep net.ipv4.conf.all.send_redirects + net.ipv4.conf.all.send_redirects = 0 -net.ipv4.conf.all.send_redirects = 0 +If the returned line does not have a value of "0", this is a finding. -If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040670Network interfaces configured on The Oracle Linux operating system must not be in promiscuous mode.<VulnDiscussion>Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040670Network interfaces configured on The Oracle Linux operating system must not be in promiscuous mode.<VulnDiscussion>Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to authorized personnel only.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99503SV-108607CCI-000366Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented. @@ -4040,26 +4021,27 @@ $ rpm -qa | grep xorg | grep server Ask the System Administrator if use of a graphical user interface is an operational requirement. -If the use of a graphical user interface on the system is not documented with the ISSO, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040740The Oracle Linux operating system must not be performing packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99517SV-108621CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +If the use of a graphical user interface on the system is not documented with the ISSO, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040740The Oracle Linux operating system must not be performing packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99517SV-108621CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv4.ip_forward = 0 + net.ipv4.ip_forward = 0 Issue the following command to make the changes take effect: -# sysctl --systemVerify the system is not performing packet forwarding, unless the system is a router. + # sysctl --systemVerify the system is not performing packet forwarding, unless the system is a router. -# grep net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d/* + # grep -r net.ipv4.ip_forward /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null + net.ipv4.ip_forward = 0 -net.ipv4.ip_forward = 0 - -If "net.ipv4.ip_forward" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding. +If "net.ipv4.ip_forward" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "0", this is a finding. Check that the operating system does not implement IP forwarding using the following command: -# /sbin/sysctl -a | grep net.ipv4.ip_forward -net.ipv4.ip_forward = 0 + # /sbin/sysctl -a | grep net.ipv4.ip_forward + net.ipv4.ip_forward = 0 + +If IP forwarding value is "1" and the system is hosting any application, database, or web servers, this is a finding. -If IP forwarding value is "1" and the system is hosting any application, database, or web servers, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040750The Oracle Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.<VulnDiscussion>When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99519SV-108623CCI-000366Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040750The Oracle Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.<VulnDiscussion>When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089V-99519SV-108623CCI-000366Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. Ensure the "sec" option is defined as "krb5:krb5i:krb5p".Verify "AUTH_GSS" is being used to authenticate NFS mounts. @@ -4143,28 +4125,29 @@ If the "IPsec" service is active, check to see if any tunnels are configured in If there are indications that a "conn" parameter is configured for a tunnel, ask the System Administrator if the tunnel is documented with the ISSO. -If "libreswan" is installed, "IPsec" is active, and an undocumented tunnel is active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040830The Oracle Linux operating system must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108631V-99527CCI-000366Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): +If "libreswan" is installed, "IPsec" is active, and an undocumented tunnel is active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-040830The Oracle Linux operating system must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108631V-99527CCI-000366Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): -net.ipv6.conf.all.accept_source_route = 0 + net.ipv6.conf.all.accept_source_route = 0 Issue the following command to make the changes take effect: -# sysctl --systemIf IPv6 is not enabled, the key will not exist, and this is Not Applicable. + # sysctl --systemIf IPv6 is not enabled, the key will not exist, and this is Not Applicable. Verify the system does not accept IPv6 source-routed packets. -# grep net.ipv6.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* + # grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null + net.ipv6.conf.all.accept_source_route = 0 -net.ipv6.conf.all.accept_source_route = 0 - -If "net.ipv6.conf.all.accept_source_route" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding. +If "net.ipv6.conf.all.accept_source_route" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out or does not have a value of "0", this is a finding. Check that the operating system implements the accept source route variable with the following command: -# /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route -net.ipv6.conf.all.accept_source_route = 0 + # /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route + net.ipv6.conf.all.accept_source_route = 0 + +If the returned lines do not have a value of "0", this is a finding. -If the returned lines do not have a value of "0", this is a finding.SRG-OS-000105-GPOS-00052<GroupDescription></GroupDescription>OL07-00-041001The Oracle Linux operating system must have the required packages for multifactor authentication installed.<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. +If conflicting results are returned, this is a finding.SRG-OS-000105-GPOS-00052<GroupDescription></GroupDescription>OL07-00-041001The Oracle Linux operating system must have the required packages for multifactor authentication installed.<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. @@ -4229,7 +4212,7 @@ cert_policy = ca, ocsp_on, signature; There should be at least three lines returned. -If "ocsp_on" is not present in all uncommented "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf", this is a finding.SRG-OS-000424-GPOS-00188<GroupDescription></GroupDescription>OL07-00-041010The Oracle Linux operating system must be configured so that all wireless network adapters are disabled.<VulnDiscussion>The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP, and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack, or be used to create a denial of service to valid network resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108639V-99535CCI-002421Configure the system to disable all wireless network interfaces with the following command: +If "ocsp_on" is not present in all uncommented "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf", this is a finding.SRG-OS-000424-GPOS-00188<GroupDescription></GroupDescription>OL07-00-041010The Oracle Linux operating system must be configured so that all wireless network adapters are disabled.<VulnDiscussion>The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP, and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack, or be used to create a denial of service to valid network resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089SV-108639V-99535CCI-002421Configure the system to disable all wireless network interfaces with the following command: #nmcli radio wifi offVerify that there are no wireless interfaces configured on the system. @@ -4423,21 +4406,21 @@ $ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* If the either of the following entries are returned, this is a finding: ALL ALL=(ALL) ALL -ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-010342The Oracle Linux operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. -For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: -Defaults !targetpw -Defaults !rootpw -Defaults !runaspw +ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL07-00-010342The Oracle Linux operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. +For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: + Defaults !targetpw + Defaults !rootpw + Defaults !runaspw Remove any configurations that conflict with the above from the following locations: -/etc/sudoers -/etc/sudoers.d/Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. + /etc/sudoers + /etc/sudoers.d/Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. -$ sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#' +$ sudo grep -Eir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#' -/etc/sudoers:Defaults !targetpw -/etc/sudoers:Defaults !rootpw -/etc/sudoers:Defaults !runaspw + /etc/sudoers:Defaults !targetpw + /etc/sudoers:Defaults !rootpw + /etc/sudoers:Defaults !runaspw If conflicting results are returned, this is a finding. If "Defaults !targetpw" is not defined, this is a finding. @@ -4501,7 +4484,7 @@ $ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg set superusers="[someuniquestringhere]" export superusers -If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>OL07-00-020021The Oracle Linux operating system must must confine SELinux users to roles that conform to least privilege.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. +If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>OL07-00-020021The Oracle Linux operating system must must confine SELinux users to roles that conform to least privilege.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089CCI-002165CCI-002235Configure the operating system to confine SELinux users to roles that conform to least privilege. @@ -4528,7 +4511,7 @@ unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r user_u user s0 s0 user_r xguest_u user s0 s0 xguest_r -If the output differs from the above example, ask the SA to demonstrate how the SELinux User mappings are exercising least privilege. If deviations from the example are not documented with the ISSO and do not demonstrate least privilege, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>OL07-00-020022The Oracle Linux operating system must not allow privileged accounts to utilize SSH.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. +If the output differs from the above example, ask the SA to demonstrate how the SELinux User mappings are exercising least privilege. If deviations from the example are not documented with the ISSO and do not demonstrate least privilege, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>OL07-00-020022The Oracle Linux operating system must not allow privileged accounts to utilize SSH.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089CCI-002165CCI-002235Configure the operating system to prevent privileged accounts from utilizing SSH. Use the following command to set the "ssh_sysadm_login" boolean to "off": @@ -4545,7 +4528,7 @@ Check the SELinux ssh_sysadm_login boolean with the following command: $ sudo getsebool ssh_sysadm_login ssh_sysadm_login --> off -If the "ssh_sysadm_login" boolean is not "off" and is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>OL07-00-020023The Oracle Linux operating system must elevate the SELinux context when an administrator calls the sudo command.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. +If the "ssh_sysadm_login" boolean is not "off" and is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>OL07-00-020023The Oracle Linux operating system must elevate the SELinux context when an administrator calls the sudo command.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089CCI-002165CCI-002235Configure the operating system to elevate the SELinux context when an administrator calls the sudo command. Edit a file in the /etc/sudoers.d directory with the following command: @@ -4611,21 +4594,43 @@ Check the configuration of the "/etc/pam.d/sudo" file with the following command $ sudo grep pam_succeed_if /etc/pam.d/sudo -If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>OL07-00-020029The Oracle Linux operating system must use a file integrity tool to verify correct operation of all security functions.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. +If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>OL07-00-020029The Oracle Linux operating system must use a file integrity tool to verify correct operation of all security functions.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. -This requirement applies to the Oracle Linux operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089CCI-002696Install the AIDE package by running the following command: +This requirement applies to the Oracle Linux operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089CCI-002696Install AIDE, initialize it, and perform a manual check. -$ sudo yum install aideVerify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions. +Install AIDE: + $ sudo yum install aide -Check that the AIDE package is installed with the following command: +Initialize it: + $ sudo /usr/sbin/aide --init + + AIDE, version 0.15.1 + ### AIDE database at /var/lib/aide/aide.db.new.gz initialized. + +The new database will need to be renamed to be read by AIDE: + $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz -$ sudo rpm -q aide +Perform a manual check: + $ sudo /usr/sbin/aide --check -aide-0.15.1-13.0.1.el7_9.1.x86_64 + AIDE, version 0.15.1 + ### All files match AIDE database. Looks okay! + +Done.Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions. + +Check that the AIDE package is installed with the following command: + $ sudo rpm -q aide + + aide-0.15.1-13.el7.x86_64 If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. -If there is no application installed to perform integrity checks, this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>OL07-00-010271Oracle Linux operating system emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours.<VulnDiscussion>Emergency accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. +If there is no application installed to perform integrity checks, this is a finding. + +If AIDE is installed, check if it has been initialized with the following command: + $ sudo /usr/sbin/aide --check + +If the output is "Couldn't open file /var/lib/aide/aide.db.gz for reading", this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>OL07-00-010271Oracle Linux operating system emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours.<VulnDiscussion>Emergency accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. @@ -4640,4 +4645,138 @@ For every existing emergency account, run the following command to obtain its ac $ sudo chage -l system_account_name Verify each of these accounts has an expiration date set within 72 hours. -If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding. \ No newline at end of file +If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>OL07-00-040712The Oracle Linux operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.<VulnDiscussion>The use of FIPS-validated cryptographic algorithms is enforced by enabling kernel FIPS mode. In the event that kernel FIPS mode is disabled, the use of nonvalidated cryptographic algorithms will be permitted systemwide. The SSH server configuration must manually define only FIPS-validated key exchange algorithms to prevent the use of nonvalidated algorithms.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089CCI-001453Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in "/etc/ssh/sshd_config": + + KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 + +Restart the "sshd" service for changes to take effect: + + $ sudo systemctl restart sshdVerify that the SSH server is configured to use only FIPS-validated key exchange algorithms: + + $ sudo grep -i kexalgorithms /etc/ssh/sshd_config + KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 + +If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>OL07-00-010090The Oracle Linux operating system must have the screen package installed.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. + +The screen and tmux packages allow for a session lock to be implemented and configured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089CCI-000057Install the screen package to allow the initiation of a session lock after a 15-minute period of inactivity. + +Install the screen program (if it is not on the system) with the following command: + + # yum install screen + +OR + +Install the tmux program (if it is not on the system) with the following command: + + # yum install tmuxVerify the operating system has the screen package installed. + +Check to see if the screen package is installed with the following command: + + # yum list installed screen + screen-4.3.1-3-x86_64.rpm + +If the screen package is not installed, check to see if the tmux package is installed with the following command: + + # yum list installed tmux + tmux-1.8-4.el7.x86_64.rpm + +If either the screen package or the tmux package is not installed, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>OL07-00-010375The Oracle Linux operating system must restrict access to the kernel message buffer.<VulnDiscussion>Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a nonprivileged user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089CCI-001090Configure the operating system to restrict access to the kernel message buffer. + +Set the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory: + + kernel.dmesg_restrict = 1 + +Remove any configurations that conflict with the above from the following locations: + /run/sysctl.d/ + /etc/sysctl.d/ + /usr/local/lib/sysctl.d/ + /usr/lib/sysctl.d/ + /lib/sysctl.d/ + /etc/sysctl.conf + +Reload settings from all system configuration files with the following command: + + $ sudo sysctl --systemVerify the operating system is configured to restrict access to the kernel message buffer with the following commands: + + $ sudo sysctl kernel.dmesg_restrict + kernel.dmesg_restrict = 1 + +If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding. + +Check that the configuration files are present to enable this kernel parameter: + + $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null + /etc/sysctl.conf:kernel.dmesg_restrict = 1 + /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1 + +If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding. + +If conflicting results are returned, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>OL07-00-010199The Oracle Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.<VulnDiscussion>When using the authconfig utility to modify authentication configuration settings, the "system-auth" and "password-auth" files and any custom settings that they may contain are overwritten. This can be avoided by creating new local configuration files and creating new or moving existing symbolic links to them. The authconfig utility will recognize the local configuration files and not overwrite them, while writing its own settings to the original configuration files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 7DISADPMS TargetOracle Linux 74089CCI-000196Create custom configuration files and their corresponding symbolic links: + +Rename the existing configuration files (skip this step if symbolic links are already present): + $ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac + $ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac + +Create custom system-auth configuration file: + $ sudo vi /etc/pam.d/system-auth-local + +The new file, at minimum, must contain the following lines: + +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth include system-auth-ac +auth sufficient pam_unix.so try_first_pass +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 + +account required pam_faillock.so +account include system-auth-ac + +password requisite pam_pwhistory.so use_authtok remember=5 retry=3 +password include system-auth-ac +password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok + +session include system-auth-ac + +Create custom password-auth configuration file: + $ sudo vi /etc/pam.d/password-auth-local + +The new file, at minimum, must contain the following lines: + +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth include password-auth-ac +auth sufficient pam_unix.so try_first_pass +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 + +account required pam_faillock.so +account include password-auth-ac + +password requisite pam_pwhistory.so use_authtok remember=5 retry=3 +password include password-auth-ac +password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok + +session include password-auth-ac + +Create new or move existing symbolic links to the new custom configuration files: + $ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth + $ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth + +Once finished, the file structure should be the following: + $ sudo ls -1 /etc/pam.d/{password,system}-auth* + + /etc/pam.d/password-auth + /etc/pam.d/password-auth-ac + /etc/pam.d/password-auth-local + /etc/pam.d/system-auth + /etc/pam.d/system-auth-ac + /etc/pam.d/system-auth-local + +Done. + +Note: With this solution in place any custom settings to "system-auth" and "password-auth" will be retained and not overwritten by the use of the authconfig utility. The authconfig utility will write its settings to "system-auth-ac" and "password-auth-ac" and continue to function as expected.Verify "system-auth" and "password-auth" files are symbolic links pointing to "system-auth-local" and "password-auth-local": + $ sudo ls -l /etc/pam.d/{password,system}-auth + + lrwxrwxrwx. 1 root root 30 Apr 1 11:59 /etc/pam.d/password-auth -> /etc/pam.d/password-auth-local + lrwxrwxrwx. 1 root root 28 Apr 1 11:59 /etc/pam.d/system-auth -> /etc/pam.d/system-auth-local + +If system-auth and password-auth files are not symbolic links, this is a finding. + +If system-auth and password-auth are symbolic links but do not point to "system-auth-local" and "password-auth-local", this is a finding. \ No newline at end of file From 9065a9ef82313bc1aa2d684bc70312da1bd54ded Mon Sep 17 00:00:00 2001 From: Federico Ramirez Date: Thu, 19 Jan 2023 11:23:46 -0600 Subject: [PATCH 2/5] Add sysctl_kernel_dmesg_restric rule to OL7 stig Signed-off-by: Federico Ramirez --- .../restrictions/sysctl_kernel_dmesg_restrict/rule.yml | 1 + products/ol7/profiles/stig.profile | 1 + 2 files changed, 2 insertions(+) diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml index 8dab1d04879..2b0b2bc87c7 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml @@ -27,6 +27,7 @@ references: hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e) nist: SI-11(a),SI-11(b) srg: SRG-OS-000132-GPOS-00067,SRG-OS-000138-GPOS-00069 + stigid@ol7: OL07-00-010375 stigid@ol8: OL08-00-010375 stigid@rhel7: RHEL-07-010375 stigid@rhel8: RHEL-08-010375 diff --git a/products/ol7/profiles/stig.profile b/products/ol7/profiles/stig.profile index 3e00f3aae68..2dcce53f501 100644 --- a/products/ol7/profiles/stig.profile +++ b/products/ol7/profiles/stig.profile @@ -333,3 +333,4 @@ selections: - auditd_audispd_remote_daemon_type - account_emergency_expire_date - package_screen_installed + - sysctl_kernel_dmesg_restric From d8909cdaf80217c64f78099d98d53f8ee870cf1e Mon Sep 17 00:00:00 2001 From: Federico Ramirez Date: Thu, 19 Jan 2023 15:33:04 -0600 Subject: [PATCH 3/5] Update audit failure mode for OL7 Select the printk (1) value for the var_audit_failure_mode var for OL7. Using the panic (2) value results in the system being shut down when there is an audit failure. This meassure is too harsh and will impact the system's availability. Signed-off-by: Federico Ramirez --- products/ol7/profiles/stig.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/products/ol7/profiles/stig.profile b/products/ol7/profiles/stig.profile index 2dcce53f501..e5d2c283e0e 100644 --- a/products/ol7/profiles/stig.profile +++ b/products/ol7/profiles/stig.profile @@ -159,7 +159,7 @@ selections: - file_permissions_var_log_audit - file_ownership_var_log_audit - audit_rules_system_shutdown - - var_audit_failure_mode=panic + - var_audit_failure_mode=printk - auditd_audispd_configure_remote_server - auditd_audispd_encrypt_sent_records - auditd_audispd_disk_full_action From a1167ca84180dc13d8252f31b566750bbd9b650b Mon Sep 17 00:00:00 2001 From: Federico Ramirez Date: Tue, 24 Jan 2023 18:19:51 -0600 Subject: [PATCH 4/5] Introduce CPE for OL7 older than 7.4 Signed-off-by: Federico Ramirez --- shared/applicability/ol7_older_than_7_4.yml | 3 ++ shared/checks/oval/ol7_older_than_7_4.xml | 34 +++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 shared/applicability/ol7_older_than_7_4.yml create mode 100644 shared/checks/oval/ol7_older_than_7_4.xml diff --git a/shared/applicability/ol7_older_than_7_4.yml b/shared/applicability/ol7_older_than_7_4.yml new file mode 100644 index 00000000000..6e56bbae457 --- /dev/null +++ b/shared/applicability/ol7_older_than_7_4.yml @@ -0,0 +1,3 @@ +name: "cpe:/o:oracle:linux:7:older_than_7_4" +title: "OL 7 is older than 7.4" +check_id: ol7_older_than_7_4 diff --git a/shared/checks/oval/ol7_older_than_7_4.xml b/shared/checks/oval/ol7_older_than_7_4.xml new file mode 100644 index 00000000000..20521bbd2a9 --- /dev/null +++ b/shared/checks/oval/ol7_older_than_7_4.xml @@ -0,0 +1,34 @@ + + + + Oracle Linux 7 older than 7.4 + + multi_platform_all + + + The operating system installed on the system is + Oracle Linux 7 older than 7.4 + + + + + + + + + + + + + + + 7.4 + + + oraclelinux-release + + + From af361538a88646ce091cec8b8cdbc46caf7aa6dc Mon Sep 17 00:00:00 2001 From: Federico Ramirez Date: Tue, 24 Jan 2023 18:21:33 -0600 Subject: [PATCH 5/5] Update sshd_disable_compression applicability Makes the rule sshd_disable_compression not applicable for OL 7.4 and newer. This makes the rule in sync with OL7 DISA STIG v2r10 requirement OL07-00-040470 Signed-off-by: Federico Ramirez --- .../services/ssh/ssh_server/sshd_disable_compression/rule.yml | 2 ++ shared/checks/oval/ol7_older_than_7_4.xml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml index 9352c159713..be3df862166 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml @@ -54,6 +54,8 @@ ocil: |- {{% if product == "rhel7" %}} platform: rhel7_older_than_7_4 +{{% elif product == "ol7" %}} +platform: ol7_older_than_7_4 {{% endif %}} fixtext: '{{{ fixtext_sshd_lineinfile("Compression", xccdf_value("var_sshd_disable_compression"), no) }}}' diff --git a/shared/checks/oval/ol7_older_than_7_4.xml b/shared/checks/oval/ol7_older_than_7_4.xml index 20521bbd2a9..1958f326953 100644 --- a/shared/checks/oval/ol7_older_than_7_4.xml +++ b/shared/checks/oval/ol7_older_than_7_4.xml @@ -25,7 +25,7 @@ - 7.4 + 7.4 oraclelinux-release