diff --git a/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json b/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json index 76ec641d..6d1c49b9 100644 --- a/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json +++ b/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json @@ -7,8 +7,17 @@ "summary": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.", "version": "1.12.0", "inspec_version": ">= 5.0", + "supports": [ + { + "platform-name": "centos", + "release": "8.*" + }, + { + "platform-name": "redhat", + "release": "8.*" + } + ], "inputs": [], - "supports": [], "controls": [ { "title": "RHEL 8 must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd.", @@ -3197,7 +3206,7 @@ ], "host": null }, - "code": "control 'SV-230311' do\n title 'RHEL 8 must disable the kernel.core_pattern.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 disables storing core dumps with the following commands:\n\n$ sudo sysctl kernel.core_pattern\n\nkernel.core_pattern = |/bin/false\n\nIf the returned line does not have a value of \"|/bin/false\", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.core_pattern = |/bin/false\n\nIf \"kernel.core_pattern\" is not set to \"|/bin/false\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to disable storing core dumps.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.core_pattern = |/bin/false\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230311'\n tag rid: 'SV-230311r858769_rule'\n tag stig_id: 'RHEL-08-010671'\n tag fix_id: 'F-32955r858768_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n caveat = input('kernel_dump_permitted')\n\n if caveat\n describe 'Manual Review' do\n skip 'Inputs indicate this capability is an operational requirement of this system; manually review system documentation and confirm this with the ISSO'\n end\n else\n\n kernel_setting = 'kernel.core_pattern'\n kernel_expected_value = '|/bin/false'\n\n describe kernel_parameter(kernel_setting) do\n its('value') { should eq kernel_expected_value }\n end\n\n k_conf_files = input('kernel_config_files')\n\n # make sure the setting is set somewhere\n k_conf = command(\"grep -r #{kernel_setting} #{k_conf_files.join(' ')}\").stdout.split(\"\\n\")\n\n # make sure it is set correctly\n failing_k_conf = k_conf.reject { |k| k.match(/#{kernel_parameter}\\s*=\\s*#{kernel_expected_value}/) }\n\n describe 'Kernel config files' do\n it \"should set '#{kernel_setting}' on startup\" do\n expect(k_conf).to_not be_empty, \"Setting not found in any of the following config files:\\n\\t- #{input(k_conf_files.join(\"\\n\\t- \"))}\"\n expect(failing_k_conf).to be_empty, \"Incorrect or conflicting settings found:\\n\\t- #{failing_k_conf.join(\"\\n\\t- \")}\" if k_conf.nil?\n end\n end\n end\nend\n", + "code": "control 'SV-230311' do\n title 'RHEL 8 must disable the kernel.core_pattern.'\n desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf'\n desc 'check', 'Verify RHEL 8 disables storing core dumps with the following commands:\n\n$ sudo sysctl kernel.core_pattern\n\nkernel.core_pattern = |/bin/false\n\nIf the returned line does not have a value of \"|/bin/false\", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf\n\n/etc/sysctl.d/99-sysctl.conf:kernel.core_pattern = |/bin/false\n\nIf \"kernel.core_pattern\" is not set to \"|/bin/false\", is missing or commented out, this is a finding.\n\nIf conflicting results are returned, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to disable storing core dumps.\n\nAdd or edit the following line in a system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nkernel.core_pattern = |/bin/false\n\nRemove any configurations that conflict with the above from the following locations:\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n/etc/sysctl.d/*.conf\n\nThe system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000480-GPOS-00227'\n tag gid: 'V-230311'\n tag rid: 'SV-230311r858769_rule'\n tag stig_id: 'RHEL-08-010671'\n tag fix_id: 'F-32955r858768_fix'\n tag cci: ['CCI-000366']\n tag legacy: []\n tag nist: ['CM-6 b']\n tag 'host'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n caveat = input('kernel_dump_permitted')\n\n if caveat\n describe 'Manual Review' do\n skip 'Inputs indicate this capability is an operational requirement of this system; manually review system documentation and confirm this with the ISSO'\n end\n else\n\n kernel_setting = 'kernel.core_pattern'\n kernel_expected_value = '|/bin/false'\n\n describe kernel_parameter(kernel_setting) do\n its('value') { should eq kernel_expected_value }\n end\n\n k_conf_files = input('kernel_config_files')\n\n # make sure the setting is set somewhere\n k_conf = command(\"grep -r #{kernel_setting} #{k_conf_files.join(' ')}\").stdout.split(\"\\n\")\n\n # make sure it is set correctly\n failing_k_conf = k_conf.reject { |k| k.match(/#{kernel_parameter}\\s*=\\s*#{kernel_expected_value}/) }\n\n describe 'Kernel config files' do\n it \"should set '#{kernel_setting}' on startup\" do\n expect(k_conf).to_not be_empty, \"Setting not found in any of the following config files:\\n\\t- #{k_conf_files.join(\"\\n\\t- \")}\"\n expect(failing_k_conf).to be_empty, \"Incorrect or conflicting settings found:\\n\\t- #{failing_k_conf.join(\"\\n\\t- \")}\" if k_conf.nil?\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230311.rb", "line": 1 @@ -9725,7 +9734,7 @@ ], "host": null }, - "code": "control 'SV-230464' do\n title 'Successful/unsuccessful uses of the chacl command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chacl\" command is\nused to change the access control list of a file or directory.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"chacl\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chacl /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chacl\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000466-GPOS-00210']\n tag gid: 'V-230464'\n tag rid: 'SV-230464r627750_rule'\n tag stig_id: 'RHEL-08-030570'\n tag fix_id: 'F-33108r568139_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/chacl'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include('perm_mod')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", + "code": "control 'SV-230464' do\n title 'Successful/unsuccessful uses of the chacl command in RHEL 8 must\ngenerate an audit record.'\n desc 'Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify those\nresponsible for one.\n\n Audit records can be generated from various components within the\ninformation system (e.g., module or policy filter). The \"chacl\" command is\nused to change the access control list of a file or directory.\n\n When a user logs on, the AUID is set to the UID of the account that is\nbeing authenticated. Daemons are not user sessions and have the loginuid set to\n\"-1\". The AUID representation is an unsigned 32-bit integer, which equals\n\"4294967295\". The audit system interprets \"-1\", \"4294967295\", and\n\"unset\" in the same way.'\n desc 'check', 'Verify RHEL 8 generates an audit record when successful/unsuccessful\nattempts to use the \"chacl\" command by performing the following command to\ncheck the file system rules in \"/etc/audit/audit.rules\":\n\n $ sudo grep -w chacl /etc/audit/audit.rules\n\n -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n If the command does not return a line, or the line is commented out, this\nis a finding.'\n desc 'fix', 'Configure the audit system to generate an audit event for any\nsuccessful/unsuccessful use of the \"chacl\" command by adding or updating the\nfollowing rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F\nauid!=unset -k perm_mod\n\n The audit daemon must be restarted for the changes to take effect.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000062-GPOS-00031'\n tag satisfies: ['SRG-OS-000062-GPOS-00031', 'SRG-OS-000037-GPOS-00015', 'SRG-OS-000042-GPOS-00020', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000392-GPOS-00172', 'SRG-OS-000462-GPOS-00206', 'SRG-OS-000471-GPOS-00215', 'SRG-OS-000466-GPOS-00210']\n tag gid: 'V-230464'\n tag rid: 'SV-230464r627750_rule'\n tag stig_id: 'RHEL-08-030570'\n tag fix_id: 'F-33108r568139_fix'\n tag cci: ['CCI-000169']\n tag nist: ['AU-12 a']\n tag 'host'\n\n audit_command = '/usr/bin/chacl'\n\n only_if('This control is Not Applicable to containers', impact: 0.0) {\n !virtualization.system.eql?('docker')\n }\n\n describe 'Command' do\n it \"#{audit_command} is audited properly\" do\n audit_rule = auditd.file(audit_command)\n expect(audit_rule).to exist\n expect(audit_rule.action.uniq).to cmp 'always'\n expect(audit_rule.list.uniq).to cmp 'exit'\n expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1')\n expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command])\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230464.rb", "line": 1 @@ -15760,7 +15769,7 @@ "id": "controls/SV-230359.rb" } ], - "sha256": "6f06e69505bc54ef5caac3d60c6fbe89c9b7cde9f28718f15a264f53f702e7ee", + "sha256": "b2eca6823c8afcb408db39fbee1a649441f374593a49b50d7bbf46ddaa7e3751", "status_message": "", "status": "loaded", "generator": {