diff --git a/defaults/main.yml b/defaults/main.yml
index 08182fdd..c66fdbe0 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -363,3 +363,7 @@ security_disallow_ip_forwarding: no # V-72309
security_rhel7_disable_usb_storage: yes # V-71983
# Disable kdump.
security_disable_kdump: yes # V-72057
+# Disable Datagram Congestion Control Protocol (DCCP).
+security_rhel7_disable_dccp: yes # V-77821
+# Enable Address Space Layout Randomization (ASLR).
+security_enable_aslr: yes # V-77825
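Review bot: the two new variables are named inconsistently: `security_rhel7_disable_dccp` carries the `rhel7_` prefix used by the surrounding RHEL 7 defaults (`security_rhel7_disable_usb_storage`), while `security_enable_aslr` does not. If ASLR is meant to be applied on every distribution the role supports, say so in its comment; otherwise rename it `security_rhel7_enable_aslr` so the prefix keeps meaning something. The diff also adds only the defaults: the tasks that consume these two variables and the documentation entries for V-77821 and V-77825 are not part of this patch, so confirm they land together with it rather than leaving dead variables behind.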
diff --git a/doc/metadata/U_Red_Hat_Enterprise_Linux_7_STIG_V1R2_Manual-xccdf.xml b/doc/metadata/U_Red_Hat_Enterprise_Linux_7_STIG_V1R3_Manual-xccdf.xml
similarity index 96%
rename from doc/metadata/U_Red_Hat_Enterprise_Linux_7_STIG_V1R2_Manual-xccdf.xml
rename to doc/metadata/U_Red_Hat_Enterprise_Linux_7_STIG_V1R3_Manual-xccdf.xml
index 8f904478..ba758418 100644
--- a/doc/metadata/U_Red_Hat_Enterprise_Linux_7_STIG_V1R2_Manual-xccdf.xml
+++ b/doc/metadata/U_Red_Hat_Enterprise_Linux_7_STIG_V1R3_Manual-xccdf.xml
@@ -1,7 +1,7 @@
- accepted
+ acceptedRed Hat Enterprise Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
@@ -9,7 +9,7 @@
DISASTIG.DOD.MIL
- Release: 2 Benchmark Date: 28 Jul 2017
+ Release: 3 Benchmark Date: 27 Oct 20171I - Mission Critical Classified
@@ -248,6 +248,10 @@
+
+
+
+
I - Mission Critical Public
@@ -486,6 +490,10 @@
+
+
+
+
I - Mission Critical Sensitive
@@ -724,6 +732,10 @@
+
+
+
+
II - Mission Support Classified
@@ -962,6 +974,10 @@
+
+
+
+
II - Mission Support Public
@@ -1200,6 +1216,10 @@
+
+
+
+
II - Mission Support Sensitive
@@ -1438,6 +1458,10 @@
+
+
+
+
III - Administrative Classified
@@ -1676,6 +1700,10 @@
+
+
+
+
III - Administrative Public
@@ -1914,6 +1942,10 @@
+
+
+
+
III - Administrative Sensitive
@@ -2152,6 +2184,10 @@
+
+
+
+
SRG-OS-000257-GPOS-00098
@@ -2308,7 +2344,7 @@ If "banner-message-enable" is set to "false" or is missing, this is a finding.
SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>
-
+ RHEL-07-010040The operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
@@ -2331,10 +2367,6 @@ By using this IS (which includes any device attached to this IS), you consent to
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
-Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:
-
-"I've read & consent to terms in IS user agreem't."
-
Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 7
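Review bot: this hunk removes the short-form banner verbiage ("I've read & consent to terms in IS user agreem't.") from the discussion text of RHEL-07-010040, so V1R3 no longer sanctions an abbreviated banner for the graphical logon; the check further down compares the dconf banner against the full text. If the role offers a short-banner option for the GNOME banner, it should no longer be presented as STIG-compliant for this control.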
@@ -2344,7 +2376,7 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPO
2777CCI-000048
- Configure the operating system to display the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
+ Configure the operating system to display the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
Note: If the system does not have GNOME installed, this requirement is Not Applicable.
@@ -2355,21 +2387,17 @@ Create a database to contain the system-wide graphical user logon settings (if i
Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message":
[org/gnome/login-screen]
-banner-message-text=’You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
-By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+banner-message-enable=true
--The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+banner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '
--At any time, the USG may inspect and seize data stored on this IS.
+Note: The "\n " characters are for formatting only. They will not be displayed on the GUI.
--Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-
--This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-
--Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.’
-
-
+Run the following command to update the database:
+# dconf update
+
+ Verify the operating system displays the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.
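Review bot: the V1R3 fix text changes the expected on-disk format of the GNOME banner: it now expects `banner-message-enable=true` plus a single `banner-message-text='...'` line carrying literal `\n` sequences, followed by `# dconf update`, and the corresponding check (`grep banner-message-text /etc/dconf/db/local.d/*`) compares against that one-line form. Any role task or template that writes the multi-line V1R2 banner into `/etc/dconf/db/local.d/01-banner-message` should be updated to emit the single-line form, otherwise the STIG check will not match the file the role produces even though the displayed text is identical.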
@@ -2379,19 +2407,9 @@ Check that the operating system displays the exact approved Standard Mandatory D
# grep banner-message-text /etc/dconf/db/local.d/*
banner-message-text=
-‘You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '
-By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-
--The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-
--At any time, the USG may inspect and seize data stored on this IS.
-
--Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-
--This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-
--Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.’
+Note: The "\n " characters are for formatting only. They will not be displayed on the GUI.
If the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.
@@ -2486,7 +2504,7 @@ If the text in the "/etc/issue" file does not match the Standard Mandatory DoD N
SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>
-
+ RHEL-07-010060The operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
@@ -2504,7 +2522,7 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion
2777CCI-000056
- Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures.
+ Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures.
Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
@@ -2515,19 +2533,12 @@ Edit "org/gnome/desktop/screensaver" and add or update the following lines:
# Set this to true to lock the screen when the screensaver activates
lock-enabled=true
-Override the user's setting and prevent the user from changing it by editing “/etc/dconf/db/local.d/locks/screensaver” and adding or updating the following lines:
-
-# Lock desktop screensaver settings
-/org/gnome/desktop/session/idle-delay
-/org/gnome/desktop/screensaver/lock-enabled
-/org/gnome/desktop/screensaver/lock-delay
-
Update the system databases:
# dconf update
Users must log out and back in again before the system-wide settings take effect.
-
+ Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. The screen program must be installed to lock sessions on the console.
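Review bot: this hunk drops the `/etc/dconf/db/local.d/locks/screensaver` block (`/org/gnome/desktop/session/idle-delay`, `/org/gnome/desktop/screensaver/lock-enabled`, `/org/gnome/desktop/screensaver/lock-delay`) from the RHEL-07-010060 fix text, and the same block is removed from RHEL-07-010070 further down. If the role currently creates that locks file, decide explicitly whether to keep it: the lock is no longer demanded by the STIG, but without it the system-wide `lock-enabled=true` is only a default that a user can override in their own dconf profile rather than an enforced value.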
@@ -2546,7 +2557,7 @@ If the "lock-enabled" setting is missing or is not set to "true", this is a find
SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>
-
+ RHEL-07-010070The operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
@@ -2560,32 +2571,26 @@ The session lock is implemented at the point where session activity can be deter
2777CCI-000057
- Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
+ Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
# touch /etc/dconf/db/local.d/00-screensaver
-Edit "/org/gnome/desktop/session" and add or update the following lines:
+Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines:
+[org/gnome/desktop/session]
# Set the lock time out to 900 seconds before the session is considered idle
idle-delay=uint32 900
You must include the "uint32" along with the integer key values as shown.
-Override the user's setting and prevent the user from changing it by editing "/etc/dconf/db/local.d/locks/screensaver" and adding or updating the following lines:
-
-# Lock desktop screensaver settings
-/org/gnome/desktop/session/idle-delay
-/org/gnome/desktop/screensaver/lock-enabled
-/org/gnome/desktop/screensaver/lock-delay
-
Update the system databases:
# dconf update
Users must log out and back in again before the system-wide settings take effect.
-
+ Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console.
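Review bot: besides removing the locks block, this hunk corrects the file the fix text edits (`/etc/dconf/db/local.d/00-screensaver` rather than the dconf path `/org/gnome/desktop/session`) and adds the `[org/gnome/desktop/session]` section header above `idle-delay=uint32 900`. A template that writes `idle-delay` without that section header, or without the `uint32` type prefix the text insists on, produces a key dconf will not apply as intended, so check that the role's screensaver template emits both.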
@@ -2696,7 +2701,7 @@ If is not installed, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>
-
+ RHEL-07-010100The operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
@@ -2722,13 +2727,13 @@ Add the setting to enable screensaver locking after 15 minutes of inactivity:
idle-activation-enabled=true
-
+ Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console.
If it is installed, GNOME must be configured to enforce a session lock after a 15-minute delay. Check for the session lock settings with the following commands:
-# grep -i idle_activation_enabled /etc/dconf/db/local.d/*
+# grep -i idle-activation-enabled /etc/dconf/db/local.d/*
[org/gnome/desktop/screensaver] idle-activation-enabled=true
If "idle-activation-enabled" is not set to "true", this is a finding.
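Review bot: the check command changes from `grep -i idle_activation_enabled` to `grep -i idle-activation-enabled`; the underscore spelling could never match the `idle-activation-enabled=true` key the fix text writes, so a role check task copied from V1R2 would silently report the setting as missing. Make sure any grep or `lineinfile` regexp in the role uses the hyphenated key.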
@@ -2819,7 +2824,7 @@ If the value of "ucredit" is not set to a negative value, this is a finding.
SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>
-
+ RHEL-07-010130When passwords are changed or new passwords are established, the new password must contain at least one lower-case character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
@@ -2833,12 +2838,13 @@ Password complexity is one factor of several that determines how long it takes t
2777CCI-000193
- Configure the operating system to require at least one lower-case character when passwords are changed or new passwords are established.
+ Configure the system to require at least one lower-case character when creating or changing a password.
-Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
+Add or modify the following line
+in "/etc/security/pwquality.conf":
lcredit = -1
-
+ Note: The value to require a number of lower-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".
@@ -3001,9 +3007,9 @@ If the value of "minclass" is set to less than "4", this is a finding.
SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>
-
+ RHEL-07-010180
- When passwords are changed the number of repeating consecutive characters must not be more than four characters.
+ When passwords are changed the number of repeating consecutive characters must not be more than three characters.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -3015,22 +3021,22 @@ Password complexity is one factor of several that determines how long it takes t
2777CCI-000195
- Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option.
+ Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option.
Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value):
-maxrepeat = 2
-
-
+maxrepeat = 3
+
+ The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password.
Check for the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command:
# grep maxrepeat /etc/security/pwquality.conf
-maxrepeat = 2
+maxrepeat = 3
-If the value of "maxrepeat" is set to more than "2", this is a finding.
+If the value of "maxrepeat" is set to more than "3", this is a finding.
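Review bot: the required `maxrepeat` value moves from 2 to 3 and the finding threshold from "more than 2" to "more than 3", matching the title change from four to three repeating characters in the preceding hunk. A role default of `maxrepeat = 2` still satisfies V1R3 (it is not more than 3), so this is not a regression, but the documented value and any test that asserts the exact number should be updated to 3 to track the new guidance. The path typo `"/etc/security/pwquality.conf conf"` on the context line is upstream text and is left as-is.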
@@ -3073,7 +3079,7 @@ If the value of "maxclassrepeat" is set to more than "4", this is a finding.
SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>
-
+ RHEL-07-010200The PAM system service must be configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -3085,14 +3091,12 @@ If the value of "maxclassrepeat" is set to more than "4", this is a finding.2777
CCI-000196
- Configure the operating system to store only SHA512 encrypted representations of passwords.
+ Configure the operating system to store only SHA512 encrypted representations of passwords.
Add the following line in "/etc/pam.d/system-auth-ac":
-password sufficient pam_unix.so sha512
-
-and run the "authconfig" command.
-
+password sufficient pam_unix.so sha512
+ Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.
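Review bot: the fix text for RHEL-07-010200 no longer tells the reader to run `authconfig` after adding `password sufficient pam_unix.so sha512` to `/etc/pam.d/system-auth-ac`; the same removal is made for RHEL-07-010270 and RHEL-07-010290 below, where the new note states that `authconfig` may overwrite the file and should not be used. If any role handler or task still invokes `authconfig` after editing the `*-auth-ac` files, drop it: `authconfig` regenerates those files from its own settings and discards the hand-edited lines, which would undo exactly the change this control requires.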
@@ -3304,7 +3308,7 @@ If any results are returned that are not associated with a system account, this
SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>
-
+ RHEL-07-010270Passwords must be prohibited from reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -3316,14 +3320,12 @@ If any results are returned that are not associated with a system account, this
2777CCI-000200
- Configure the operating system to prohibit password reuse for a minimum of five generations.
+ Configure the operating system to prohibit password reuse for a minimum of five generations.
Add the following line in "/etc/pam.d/system-auth-ac" (or modify the line to have the required value):
-password sufficient pam_unix.so use_authtok sha512 shadow remember=5
-
-and run the "authconfig" command.
-
+password sufficient pam_unix.so use_authtok sha512 shadow remember=5
+ Verify the operating system prohibits password reuse for a minimum of five generations.
@@ -3376,7 +3378,7 @@ If the command does not return a "minlen" value of 15 or greater, this is a find
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
-
+ RHEL-07-010290The system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -3388,10 +3390,12 @@ If the command does not return a "minlen" value of 15 or greater, this is a find
2777CCI-000366
- If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.
+ If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.
-Remove any instances of the "nullok" option in "/etc/pam.d/system-auth-ac" to prevent logons with empty passwords and run the "authconfig" command.
-
+Remove any instances of the "nullok" option in "/etc/pam.d/system-auth-ac" to prevent logons with empty passwords.
+
+Note: Any updates made to "/etc/pam.d/system-auth-ac" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
+ To verify that null passwords cannot be used, run the following command:
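Review bot: the updated fix text names only `/etc/pam.d/system-auth-ac` for removing `nullok`, but RHEL 7 also ships `/etc/pam.d/password-auth-ac` (the faillock hunks below edit both files), whose default `pam_unix.so` auth line likewise carries `nullok`. A role task that strips `nullok` only from `system-auth-ac` leaves the other file permitting empty-password logons for the services that include it, so apply the removal to both files even though the STIG text mentions one.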
@@ -3475,7 +3479,7 @@ If the value is not set to "0", is commented out, or is not defined, this is a f
SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>
-
+ RHEL-07-010320Accounts subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
@@ -3489,17 +3493,16 @@ Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion
2777CCI-002238
- Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.
+ Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.
Modify the first three lines of the auth section of the "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac" files to match the following lines:
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=604800
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=604800
-
-and run the "authconfig" command.
-
-
+account required pam_faillock.so
+
+ Verify the operating system automatically locks an account for the maximum period for which the system can be configured.
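Review bot: the fix text now requires a fourth line, `account required pam_faillock.so`, after the three auth lines in both `system-auth-ac` and `password-auth-ac`, and the check output in the following hunk expects it in each file. A role template that manages only the three auth lines will leave that line absent and the V1R3 check failing. Note also that this hunk removes the `and run the "authconfig" command` instruction without adding the replacement note that the RHEL-07-010330 hunk gains; the same caution about `authconfig` overwriting these files applies here.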
@@ -3508,6 +3511,14 @@ Check that the system locks an account for the maximum period after three unsucc
# grep pam_faillock.so /etc/pam.d/password-auth-ac
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=604800
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=604800
+account required pam_faillock.so
+
+If the "unlock_time" setting is greater than "604800" on both lines with the "pam_faillock.so" module name or is missing from a line, this is a finding.
+
+# grep pam_faillock.so /etc/pam.d/system-auth-ac
+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=604800
+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=604800
+account required pam_faillock.so
If the "unlock_time" setting is greater than "604800" on both lines with the "pam_faillock.so" module name or is missing from a line, this is a finding.
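Review bot: the expected grep output for both files omits the `fail_interval=900` option that the fix text writes, and the finding statement is duplicated verbatim for `password-auth-ac` and `system-auth-ac`. A role verification that compares whole lines literally against this sample output will therefore disagree with a file written exactly as the fix text instructs; assert on the presence of each required option (`deny=3`, `even_deny_root`, `unlock_time=604800`, `fail_interval=900`, and the `account required pam_faillock.so` line) in each file instead.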
@@ -3516,7 +3527,7 @@ If the "unlock_time" setting is greater than "604800" on both lines with the "pa
SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>
-
+ RHEL-07-010330If three unsuccessful root logon attempts within 15 minutes occur the associated account must be locked.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
@@ -3530,23 +3541,32 @@ Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion
2777CCI-002238
- Configure the operating system to automatically lock the root account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made.
+ Configure the operating system to automatically lock the root account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made.
Modify the first three lines of the auth section of the "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac" files to match the following lines:
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=604800
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=604800
+account required pam_faillock.so
-and run the "authconfig" command.
-
-
+Note: Any updates made to "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac" may be overwritten by the "authconfig" program. The "authconfig" program should not be used.
+
+ Verify the operating system automatically locks the root account until it is released by an administrator when three unsuccessful logon attempts in 15 minutes are made.
# grep pam_faillock.so /etc/pam.d/password-auth-ac
-auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900
-auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900
+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=604800 fail_interval=900
+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=604800 fail_interval=900
+account required pam_faillock.so
+
+If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module name, this is a finding.
+
+# grep pam_faillock.so /etc/pam.d/system-auth-ac
+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=604800 fail_interval=900
+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=604800 fail_interval=900
+account required pam_faillock.so
If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module name, this is a finding.
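Review bot: the expected check output lists the options as `... even_deny_root unlock_time=604800 fail_interval=900`, while the fix text a few lines earlier writes `... even_deny_root fail_interval=900 unlock_time=604800`. `pam_faillock` parses its options independently of order, so both lines are valid, but a role that verifies compliance by matching the whole line against one of these strings will flag the other ordering as a finding; match on the individual options rather than the literal line.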
@@ -3555,7 +3575,7 @@ If the "even_deny_root" setting is not defined on both lines with the "pam_faill
SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>
-
+ RHEL-07-010340Users must provide a password for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
@@ -3579,9 +3599,11 @@ Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with
Remove any occurrences of "NOPASSWD" tags in the file.
-
+
- Verify the operating system requires users to supply a password for privilege escalation.
+ If passwords are not being used for authentication, this is Not Applicable.
+
+Verify the operating system requires users to supply a password for privilege escalation.
Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:
@@ -3817,7 +3839,7 @@ If the "HostbasedAuthentication" keyword is not set to "no", is missing, or is c
SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>
-
+ RHEL-07-010480Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -3851,9 +3873,11 @@ Generate a new "grub.conf" file with the new password with the following command
# grub2-mkconfig --output=/tmp/grub2.cfg
# mv /tmp/grub2.cfg /boot/grub2/grub.cfg
-
+
- Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command:
+ For systems that use UEFI, this is Not Applicable.
+
+Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command:
# grep -i ^password_pbkdf2 /boot/grub2/grub.cfg
password_pbkdf2 superusers-account password-hash
@@ -3865,7 +3889,7 @@ If the root password entry does not begin with "password_pbkdf2", this is a find
SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>
-
+ RHEL-07-010490Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -3900,9 +3924,11 @@ Generate a new "grub.conf" file with the new password with the following command
# grub2-mkconfig --output=/tmp/grub2.cfg
# mv /tmp/grub2.cfg /boot/efi/EFI/redhat/grub.cfg
-
+
- Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:
+ For systems that use BIOS, this is Not Applicable.
+
+Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:
# grep -i password /boot/efi/EFI/redhat/grub.cfg
password_pbkdf2 superusers-account password-hash
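Review bot: the UEFI check command `# grep -i password /boot/efi/EFI/redhat/grub.cfg` is looser than the BIOS variant's `grep -i ^password_pbkdf2 /boot/grub2/grub.cfg` in the hunk above. It also matches a commented-out line, a plaintext `password` directive, or any other line containing the word, so a hit is not evidence that the root entry begins with `password_pbkdf2` as the finding text requires. Suggest anchoring on `^password_pbkdf2` for UEFI as well, and having the role's check do the same rather than mirror the looser grep.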
@@ -5310,7 +5336,7 @@ If any local initialization files have a mode more permissive than "0740", this
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
-
+ RHEL-07-020720All local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory.<VulnDiscussion>The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user’s home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -5322,8 +5348,10 @@ If any local initialization files have a mode more permissive than "0740", this
2777CCI-000366
- Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories for interactive users.
-
+ Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory.
+
+If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.
+ Verify that all local interactive user initialization files' executable search path statements do not contain statements that will reference a working directory other than the users’ home directory.
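Review bot: worth a changelog line: the V1R2 fix text removed here for RHEL-07-020720 was the `/etc/fstab` `nosuid` sentence that belongs to RHEL-07-021000 (the same sentence appears in the hunk below), so any task or documentation derived from the old fix text for this rule should be re-checked against the new PATH guidance.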
@@ -5429,7 +5457,7 @@ If there is output from either of these commands, other than already noted, this
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
-
+ RHEL-07-021000File systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.<VulnDiscussion>The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -5443,7 +5471,7 @@ If there is output from either of these commands, other than already noted, this
CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories.
-
+ Verify file systems that contain user home directories are mounted with the "nosuid" option.
@@ -5451,9 +5479,9 @@ Find the file system(s) that contain the user home directories with the followin
Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.
-# cut -d: -f 1,6 /etc/passwd | egrep ":[1-4][0-9]{3}"
-smithj:/home/smithj
-thomasr:/home/thomasr
+# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}"
+smithj:1001:/home/smithj
+thomasr:1002:/home/thomasr
Check the file systems that are mounted at boot time with the following command:
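Review bot: the revised command `cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}"` now filters on the UID field, which the previous `-f 1,6` form could not (with no UID in the output, the pattern could only match digits inside a home path). Two caveats worth carrying into the role's check: the pattern matches exactly four-digit UIDs 1000 to 4999, so interactive users with UIDs of 5000 and above are silently skipped, and because it is unanchored it would also match a home directory whose first path component begins with a digit. Comparing field 3 numerically (for example `awk -F: '$3 >= 1000'`) avoids both.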
@@ -5530,7 +5558,7 @@ If a file system found in "/etc/fstab" refers to NFS and it does not have the "n
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
-
+ RHEL-07-021030All world-writable directories must be group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others.
@@ -5548,7 +5576,7 @@ The only authorized public directories are those temporary directories supplied
# chgrp root <directory>
-
+ Verify all world-writable directories are group-owned by root, sys, bin, or an application group.
@@ -5557,9 +5585,9 @@ Check the system for world-writable directories with the following command:
Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.
# find / -xdev -perm -002 -type d -fstype xfs -exec ls -lLd {} \;
-drwxrwxrwt. 2 root root 40 Aug 26 13:07 /dev/mqueue
-drwxrwxrwt. 2 root root 220 Aug 26 13:23 /dev/shm
-drwxrwxrwt. 14 root root 4096 Aug 26 13:29 /tmp
+drwxrwxrwt 2 root root 40 Aug 26 13:07 /dev/mqueue
+drwxrwxrwt 2 root root 220 Aug 26 13:23 /dev/shm
+drwxrwxrwt 14 root root 4096 Aug 26 13:29 /tmp
If any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding.
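Review bot: dropping the trailing `.` from the mode column in the sample output (`drwxrwxrwt.` to `drwxrwxrwt`) is cosmetic, but on a RHEL 7 host with SELinux enabled `ls -lLd` still prints the dot to mark a security context, so a check that compares the sample text literally would break. The finding decision at the end of the hunk is made on group ownership alone, so the role's check should assert on the owner and group columns of the `find` output rather than on the whole line.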
@@ -5831,7 +5859,7 @@ If a separate entry for "/var" is not in use, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
-
+ RHEL-07-021330The system must use a separate file system for the system audit data path.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -5845,18 +5873,13 @@ If a separate entry for "/var" is not in use, this is a finding.CCI-000366Migrate the system audit data path onto a separate file system.
-
+
- Verify that a separate file system/partition has been created for the system audit data path.
-
-Check that a file system/partition has been created for the system audit data path with the following command:
+ Determine if the "/var/log/audit" path is a separate file system.
# grep /var/log/audit /etc/fstab
-UUID=3645951a /var/log/audit ext4 defaults 1 2
-If a separate entry for /var/log/audit does not exist, ask the System Administrator (SA) if the system audit logs are being written to a different file system/partition on the system, then grep for that file system/partition.
-
-If a separate file system/partition does not exist for the system audit data path, this is a finding.
+If no result is returned, "/var/log/audit" is not on a separate file system, and this is a finding.
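Review bot: the new check reduces the test to `grep /var/log/audit /etc/fstab` and drops the V1R2 fallback that asked the SA whether audit logs are written to a different file system. That loses two cases the old text handled: a system whose auditd `log_file` is relocated to another separately mounted path is now reported as a finding even though the intent is met, and a commented-out or look-alike fstab line (anything containing the substring `/var/log/audit`) satisfies the grep without anything being mounted there. If the role's check mirrors this, consider verifying the mount point from the live mount table (`findmnt /var/log/audit`) in addition to the fstab grep, and documenting the relocated-log case.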
@@ -6225,7 +6248,7 @@ If the telnet-server package is installed, this is a finding.SRG-OS-000038-GPOS-00016<GroupDescription></GroupDescription>
-
+ RHEL-07-030000Auditing must be configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events.
@@ -6246,12 +6269,12 @@ Satisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPO
CCI-000126CCI-000131
- Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred.
+ Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred.
Enable the auditd service with the following command:
-# chkconfig auditd on
-
+# systemctl start auditd.service
+ Verify the operating system produces audit records containing information to establish when (date and time) the events occurred.
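Review bot: `# systemctl start auditd.service` is not an equivalent replacement for `# chkconfig auditd on`. `start` only brings the service up for the current boot, whereas the old command enabled it persistently. The fix text should read `systemctl enable auditd.service` (followed by a start); otherwise a host passes the "status is active" check until its next reboot and then silently stops producing audit records.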
@@ -6268,7 +6291,7 @@ If the "auditd" status is not active, this is a finding.SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>
-
+ RHEL-07-030010The operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
@@ -6286,38 +6309,46 @@ Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023</VulnDiscussion
2777CCI-000139
- Configure the operating system to shut down in the event of an audit processing failure.
+ Configure the operating system to shut down in the event of an audit processing failure.
Add or correct the option to shut down the operating system with the following command:
# auditctl -f 2
+Edit the "/etc/audit/rules.d/audit.rules" file and add the following line:
+
+-f 2
+
If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command:
# auditctl -f 1
+Edit the "/etc/audit/rules.d/audit.rules" file and add the following line:
+
+-f 1
+
Kernel log monitoring must also be configured to properly alert designated staff.
The audit daemon must be restarted for the changes to take effect.
-
-
+
+ Confirm the audit configuration regarding how auditing processing failures are handled.
Check to see what level "auditctl" is set to with following command:
-# auditctl -l | grep /-f
- -f 2
+# auditctl -s | grep -i "fail"
+ flag 2
-If the value of "-f" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure.
+If the value of "flag" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure.
-If the value of "-f" is set to "1", the system is configured to only send information to the kernel log regarding the failure.
+If the value of "flag" is set to "1", the system is configured to only send information to the kernel log regarding the failure.
-If the "-f" flag is not set, this is a CAT I finding.
+If the "flag" setting is not set, this is a CAT I finding.
-If the "-f" flag is set to any value other than "1" or "2", this is a CAT II finding.
+If the "flag" setting is set to any value other than "1" or "2", this is a CAT II finding.
-If the "-f" flag is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this is a CAT III finding.
+If the "flag" setting is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this is a CAT III finding.
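Review bot: the revised check command and its expected output do not agree: `# auditctl -s | grep -i "fail"` cannot return the line `flag 2`, because that line does not contain "fail". On RHEL 7 the matching line printed by `auditctl -s` is `failure 2`, so the grep is right and the sample output is wrong; the six decision sentences that follow should refer to the `failure` value rather than a `flag` setting. A check in the role that looks for `flag` in `auditctl -s` output would never match and would report a CAT I finding on every host.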
@@ -6568,7 +6599,7 @@ If the value of the "action_mail_acct" keyword is not set to "root" and other ac
SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>
-
+ RHEL-07-030360All privileged function executions must be audited.<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -6580,17 +6611,17 @@ If the value of the "action_mail_acct" keyword is not set to "root" and other ac
2777CCI-002234
- Configure the operating system to audit the execution of privileged functions.
+ Configure the operating system to audit the execution of privileged functions.
To find the relevant "setuid"/"setgid" programs, run the following command for each local partition [PART]:
# find [PART] -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
-For each "setuid"/"setgid" program on the system, which is not covered by an audit rule for a (sub) directory (such as "/usr/sbin"), add a line of the following form to "/etc/audit/audit.rules", where <suid_prog_with_full_path> is the full path to each "setuid"/"setgid" program in the list:
+For each "setuid"/"setgid" program on the system, which is not covered by an audit rule for a (sub) directory (such as "/usr/sbin"), add a line of the following form to "/etc/audit/rules.d/audit.rules", where <suid_prog_with_full_path> is the full path to each "setuid"/"setgid" program in the list:
--a always,exit -F part=<suid_prog_with_full_path> -F perm=x -F auid>=1000 -F auid!=4294967295 -k setuid/setgid
-
-
+-a always,exit -F path<suid_prog_with_full_path> -F perm=x -F auid>=1000 -F auid!=4294967295 -k setuid/setgid
+
+ Verify the operating system audits the execution of privileged functions.
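Review bot: the replacement audit rule on the last `+` rule line of this hunk has a syntax error: `-F path<suid_prog_with_full_path>` is missing the `=` between the field name and its value (the line it replaces had the wrong field name `part=`, so the typo has moved rather than gone). auditctl rejects the rule when the file is loaded. The check text in the next hunk shows the correct form, `-F path="<suid_prog_with_full_path>"`; the fix text should match it.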
@@ -6600,7 +6631,8 @@ To find relevant setuid and setgid programs, use the following command once for
Run the following command to verify entries in the audit rules for all programs found with the previous command:
-# grep <suid_prog_with_full_path> -a always,exit -F <suid_prog_with_full_path> -F perm=x -F auid>=1000 -F auid!=4294967295 -k setuid/setgid
+# grep -i "<suid_prog_with_full_path>" /etc/audit/audit.rules
+-a always,exit -F path="<suid_prog_with_full_path>" -F perm=x -F auid>=1000 -F auid!=4294967295 -k setuid/setgid
All "setuid" and "setgid" files on the system must have a corresponding audit rule, or must have an audit rule for the (sub) directory that contains the "setuid"/"setgid" file.
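Review bot: the fix text in the previous hunk now writes the rule to `/etc/audit/rules.d/audit.rules`, while this check greps `/etc/audit/audit.rules`. On RHEL 7 that file is regenerated from `rules.d` by `augenrules --load` (run when the `auditd` service starts), so the check only passes after the rules have been merged and the daemon restarted. The same fix-in-rules.d, check-in-audit.rules split recurs in the later audit-rule hunks, so it deserves one sentence in the role documentation, and the role's own verification should load the rules rather than assume the merged file is current.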
@@ -7632,9 +7664,9 @@ If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>
-
+ RHEL-07-030590
- All uses of the restorecon command must be audited.
+ All uses of the setfiles command must be audited.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -7649,23 +7681,23 @@ Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPO
CCI-000172CCI-002884
- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "restorecon" command occur.
+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setfiles" command occur.
Add or update the following rule in "/etc/audit/rules.d/audit.rules":
--a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -k -F privileged-priv_change
+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -k -F privileged-priv_change
The audit daemon must be restarted for the changes to take effect.
-
-
+
+
- Verify the operating system generates audit records when successful/unsuccessful attempts to use the "restorecon" command occur.
+ Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setfiles" command occur.
Check the file system rule in "/etc/audit/audit.rules" with the following command:
-# grep -i /usr/sbin/restorecon /etc/audit/audit.rules
+# grep -i /usr/sbin/setfiles /etc/audit/audit.rules
--a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -k -F privileged-priv_change
If the command does not return any output, this is a finding.
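Review bot: both the fix line `-a always,exit -F path=/usr/sbin/setfiles ... -k -F privileged-priv_change` and the new expected check output carry `-k -F privileged-priv_change`, which is malformed: `-k` takes the key name as its argument, so auditctl would read the key as `-F` and then fail on the stray `privileged-priv_change` token. The V1R2 check line this hunk replaces had the correct `-k privileged-priv_change`, so the change propagates the typo from the fix text into the check. Separately, since the rule now names `setfiles` instead of `restorecon`, a host that still carries the V1R2 `restorecon` rule fails this check until the role's rule set is updated alongside the metadata.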
@@ -7717,7 +7749,7 @@ If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>
-
+ RHEL-07-030610The operating system must generate audit records for all unsuccessful account access events.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
@@ -7735,14 +7767,14 @@ Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPO
CCI-000126CCI-000172CCI-002884
- Configure the operating system to generate audit records when unsuccessful account access events occur.
+ Configure the operating system to generate audit records when unsuccessful account access events occur.
Add or update the following rule in "/etc/audit/rules.d/audit.rules":
--w /var/run/faillock/ -p wa -k logins
+-w /var/run/faillock -p wa -k logins
The audit daemon must be restarted for the changes to take effect.
-
+ Verify the operating system generates audit records when unsuccessful account access events occur.
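Review bot: this hunk removes the trailing slash from the watch (`-w /var/run/faillock/` to `-w /var/run/faillock`) while the sudoers hunk further down adds one (`-w /etc/sudoers.d/`). The two spellings differ only for a literal string comparison, and the checks in this STIG are literal greps of `/etc/audit/audit.rules`, so the role's rule templates and its verification should agree on one form per rule or match with and without the slash; otherwise a rule auditd is enforcing gets reported as a finding.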
@@ -8106,7 +8138,7 @@ If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>
-
+ RHEL-07-030700All uses of the sudoers command must be audited.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
@@ -8125,29 +8157,29 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPO
CCI-000135CCI-000172CCI-002884
- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudoer" command occur.
+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudoer" command occur.
Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-w /etc/sudoers -p wa -k privileged-actions
--w /etc/sudoers.d -p wa -k privileged-actions
+-w /etc/sudoers.d/ -p wa -k privileged-actions
The audit daemon must be restarted for the changes to take effect.
-
-
+
+ Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudoer" command occur.
Check for modification of the following files being audited by performing the following commands to check the file system rules in "/etc/audit/audit.rules":
-# grep /etc/sudoers /etc/audit/audit.rules
+# grep -i "/etc/sudoers" /etc/audit/audit.rules
-w /etc/sudoers -p wa -k privileged-actions
-# grep /etc/sudoers.d /etc/audit/audit.rules
+# grep -i "/etc/sudoers.d/" /etc/audit/audit.rules
--w /etc/sudoers.d -p wa -k privileged-actions
+-w /etc/sudoers.d/ -p wa -k privileged-actions
If the commands do not return output that does not match the examples, this is a finding.
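Review bot: two problems in the check portion of this hunk. First, `# grep -i "/etc/sudoers" /etc/audit/audit.rules` also matches the `-w /etc/sudoers.d/ ...` rule (the string is a prefix of it), so the first command returns two lines rather than the single line shown, and a check that expects exactly the example output mis-compares. Second, the unchanged closing sentence "If the commands do not return output that does not match the examples, this is a finding." is a double negative that reads as the opposite of the intent; it should say "If the commands do not return output that matches the examples". The role's check should require both `-w` lines with `-p wa` to be present, independent of line count.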
@@ -8244,7 +8276,7 @@ If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>
-
+ RHEL-07-030730All uses of the sudoedit command must be audited.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
@@ -8271,13 +8303,13 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules":
The audit daemon must be restarted for the changes to take effect.
-
+ Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudoedit" command occur.
Check for the following system calls being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-# grep -i /usr/bin/sudoedit /etc/audit/audit.rules
+# grep -i "/usr/bin/sudoedit" /etc/audit/audit.rules
-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
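Review bot: the check in this hunk greps for `"/usr/bin/sudoedit"` but the expected output on the next line is a rule with `-F path=/bin/sudoedit`, which does not contain that string, so the command as written can never produce the shown output. Both paths exist on RHEL 7 (`/bin` is a symlink to `/usr/bin`), but a literal grep does not follow symlinks. Either the grep should search for `sudoedit` or the expected rule should use `/usr/bin/sudoedit`; the role's check should accept either path.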
@@ -8288,7 +8320,7 @@ If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>
-
+ RHEL-07-030740All uses of the mount command must be audited.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
@@ -8315,13 +8347,13 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules" (removing
The audit daemon must be restarted for the changes to take effect.
-
+ Verify the operating system generates audit records when successful/unsuccessful attempts to use the "mount" command occur.
Check for the following system calls being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules":
-# grep -i /bin/mount /etc/audit/audit.rules
+# grep -i "mount" /etc/audit/audit.rules
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount
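Review bot: loosening the check to `# grep -i "mount" /etc/audit/audit.rules` makes it too permissive: it also matches the `umount` rule in the next hunk (`-F path=/bin/umount ... -k privileged-mount`) and any other line carrying the `privileged-mount` key, so a host with only the umount rule configured would pass. Since the expected output is a syscall rule, the grep should match on `-S mount` (for both the `arch=b32` and `arch=b64` lines) rather than on the bare word.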
@@ -8334,7 +8366,7 @@ If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>
-
+ RHEL-07-030750All uses of the umount command must be audited.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
@@ -8359,13 +8391,13 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules":
The audit daemon must be restarted for the changes to take effect.
-
+ Verify the operating system generates audit records when successful/unsuccessful attempts to use the "umount" command occur.
Check for the following system calls being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules":
-# grep -i /bin/umount /etc/audit/audit.rules
+# grep -i "/bin/umount" /etc/audit/audit.rules
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount
@@ -8546,7 +8578,7 @@ If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>
-
+ RHEL-07-030810All uses of the pam_timestamp_check command must be audited.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -8566,13 +8598,13 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules":
The audit daemon must be restarted for the changes to take effect.
-
+ Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur.
Check the auditing rules in "/etc/audit/audit.rules" with the following command:
-# grep -i /sbin/pam_timestamp_check /etc/audit/audit.rules
+# grep -i "/sbin/pam_timestamp_check" /etc/audit/audit.rules
-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam
@@ -8681,7 +8713,7 @@ If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>
-
+ RHEL-07-030840All uses of the insmod command must be audited.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
@@ -8697,15 +8729,15 @@ Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion
2777CCI-000172
- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "insmod" command occur.
+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "insmod" command occur.
-Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture):
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-w /sbin/insmod -p x -F auid!=4294967295 -k module-change
The audit daemon must be restarted for the changes to take effect.
-
-
+
+ Verify the operating system generates audit records when successful/unsuccessful attempts to use the "insmod" command occur.
@@ -8713,7 +8745,7 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
# grep -i insmod /etc/audit/audit.rules
-If the command does not return the following output (appropriate to the architecture), this is a finding.
+If the command does not return the following output this is a finding.
-w /sbin/insmod -p x -F auid!=4294967295 -k module-change
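Review bot: style point: the reworded sentence `If the command does not return the following output this is a finding.` lost the comma before "this is a finding"; the parallel rmmod and modprobe hunks below keep it. Suggest `...the following output, this is a finding.` for consistency.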
@@ -8724,7 +8756,7 @@ If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>
-
+ RHEL-07-030850All uses of the rmmod command must be audited.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
@@ -8740,15 +8772,15 @@ Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion
2777CCI-000172
- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rmmod" command occur.
+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rmmod" command occur.
-Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture):
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-w /sbin/rmmod-p x -F auid!=4294967295 -k module-change
The audit daemon must be restarted for the changes to take effect.
-
-
+
+ Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rmmod" command occur.
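Review bot: the unchanged rule line in this hunk, `-w /sbin/rmmod-p x -F auid!=4294967295 -k module-change`, is missing the space between the path and `-p`. Loaded as written, auditctl would take `/sbin/rmmod-p` as the watched path and `x` as a stray argument, so nothing would be audited. The check text in the next hunk expects `-w /sbin/rmmod -p x ...`; since this hunk already edits the surrounding lines, it is the place to correct the fix text, and the role's template for this rule should be verified against the spaced form.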
@@ -8756,7 +8788,7 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
# grep -i rmmod /etc/audit/audit.rules
-If the command does not return the following output (appropriate to the architecture), this is a finding.
+If the command does not return the following output, this is a finding.
-w /sbin/rmmod -p x -F auid!=4294967295 -k module-change
@@ -8767,7 +8799,7 @@ If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>
-
+ RHEL-07-030860All uses of the modprobe command must be audited.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
@@ -8783,15 +8815,15 @@ Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion
2777CCI-000172
- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "modprobe" command occur.
+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "modprobe" command occur.
-Add or update the following rule in "/etc/audit/rules.d/audit.rules" (removing those that do not match the CPU architecture):
+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-w /sbin/modprobe -p x -F auid!=4294967295 -k module-change
The audit daemon must be restarted for the changes to take effect.
-
-
+
+ Verify the operating system generates audit records when successful/unsuccessful attempts to use the "modprobe" command occur.
@@ -8801,7 +8833,7 @@ Note: The output lines of the command are duplicated to cover both 32-bit and 64
# grep -i modprobe /etc/audit/audit.rules
-If the command does not return the following output (appropriate to the architecture), this is a finding.
+If the command does not return the following output, this is a finding.
-w /sbin/modprobe -p x -F auid!=4294967295 -k module-change
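Review bot: the hunk header context for the modprobe check still carries `Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit`, but the rule is now a single architecture-independent `-w /sbin/modprobe -p x ...` watch and the `(appropriate to the architecture)` wording is being removed in this very hunk. The stale note should go with it; a reader following it will look for a second output line that will not appear.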
@@ -8812,7 +8844,7 @@ If the command does not return any output, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>
-
+ RHEL-07-030870The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
@@ -8839,7 +8871,7 @@ Add or update the following rule "/etc/audit/rules.d/audit.rules":
The audit daemon must be restarted for the changes to take effect.
-
+ Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
@@ -8847,7 +8879,7 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
# grep /etc/passwd /etc/audit/audit.rules
--w /etc/passwd -p wa -k audit_rules_usergroup_modification
+-w /etc/passwd -p wa -k identity
If the command does not return a line, or the line is commented out, this is a finding.
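Review bot: the audit key on the /etc/passwd watch changes in this hunk from `audit_rules_usergroup_modification` to `identity` (`-w /etc/passwd -p wa -k identity`), and the same key change appears further down for /etc/gshadow, /etc/shadow and /etc/security/opasswd. The check still only greps the path, so an old key would not produce a finding by itself, but the role's audit rule template for these four watches should be updated to emit `-k identity` so the rules match the V1R3 text verbatim and the key stays consistent across all account-file watches.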
@@ -9144,9 +9176,9 @@ If the documentation does not exist, or does not specify the server as a log agg
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
-
+ RHEL-07-032000
- The system must use a DoD-approved virus scan program.
+ The system must use a virus scan program.<VulnDiscussion>Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems.
The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis.
@@ -9160,11 +9192,11 @@ If the system processes inbound SMTP mail, the virus scanner must be configured
2777CCI-001668
- Install an approved DoD antivirus solution on the system.
-
-
+ Install an antivirus solution on the system.
+
+
- Verify the system is using a DoD-approved virus scan program.
+ Verify the system is using a virus scan program.
Check for the presence of "McAfee VirusScan Enterprise for Linux" with the following command:
@@ -9190,9 +9222,9 @@ If no antivirus scan program is active on the system, this is a finding.
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
-
+ RHEL-07-032010
- The system must update the DoD-approved virus scan program every seven days or more frequently.
+ The system must update the virus scan program every seven days or more frequently.<VulnDiscussion>Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems.
The virus scanning software should be configured to check for software and virus definition updates with a frequency no longer than seven days. If a manual process is required to update the virus scan software or definitions, it must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -9204,11 +9236,11 @@ The virus scanning software should be configured to check for software and virus
2777CCI-001668
- Update the approved DoD virus scan software and virus definition files.
-
-
+ Update the virus scan software and virus definition files.
+
+
- Verify the system is using a DoD-approved virus scan program and the virus definition file is less than seven days old.
+ Verify the system is using a virus scan program and the virus definition file is less than seven days old.
Check for the presence of "McAfee VirusScan Enterprise for Linux" with the following command:
@@ -9378,7 +9410,7 @@ If any ciphers other than "aes128-ctr", "aes192-ctr", or "aes256-ctr" are listed
SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>
-
+ RHEL-07-040160All network connections associated with a communication session must be terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
@@ -9393,31 +9425,40 @@ Terminating network connections associated with communications sessions includes
CCI-001133CCI-002361
- Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity.
+ Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity.
-Add the following line to "/etc/profile" (or modify the line to have the required value):
+Add or update the following lines in "/etc/profile".
TMOUT=600
+readonly TMOUT
+export TMOUT
-The SSH service must be restarted for changes to take effect.
-
-
+Or create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as:
+
+ #!/bin/bash
+
+ TMOUT=600
+ readonly TMOUT
+ export TMOUT
+
+ Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity.
Check the value of the system inactivity timeout with the following command:
-# grep -i tmout /etc/bashrc
+# grep -i tmout /etc/bashrc /etc/profile.d/*
+
TMOUT=600
-If "TMOUT" is not set to "600" or less in "/etc/bashrc", this is a finding.
+If "TMOUT" is not set to "600" or less in "/etc/bashrc" or in a script created to enforce session termination after inactivity, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>
-
+ RHEL-07-040170The Standard Mandatory DoD Notice and Consent Banner must be displayed immediately prior to, or as part of, remote access logon prompts.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
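Review bot: the fix and check for RHEL-07-040160 disagree on location in this hunk. The fix text now says to add `TMOUT=600`, `readonly TMOUT` and `export TMOUT` to /etc/profile (or a script such as /etc/profile.d/tmout.sh), but the check greps only `/etc/bashrc /etc/profile.d/*` and the finding statement names only those two places, so a timeout set solely in /etc/profile satisfies the fix and still fails the check. The role's TMOUT task should write to /etc/profile.d (or /etc/bashrc), and adopting the `readonly TMOUT` line is worthwhile, since without it a user can unset the variable in their own shell and defeat the idle timeout.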
@@ -9455,11 +9496,11 @@ Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007 , SRG-OS-000228-GP
CCI-001386CCI-001387CCI-001388
- Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh.
+ Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh.
Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is:
-banner=/etc/issue
+banner /etc/issue
Either create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:
@@ -9471,13 +9512,13 @@ Either create the file containing the banner or replace the text in the file wit
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
--This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
The SSH service must be restarted for changes to take effect.
-
-
+
+ Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
@@ -9485,7 +9526,7 @@ Check for the location of the banner file being used with the following command:
# grep -i banner /etc/ssh/sshd_config
-banner=/etc/issue
+banner /etc/issue
This command will return the banner keyword and the name of the file that contains the ssh banner (in this case "/etc/issue").
@@ -9643,7 +9684,7 @@ If this file does not exist, or the option is commented out or missing, this is
SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>
-
+ RHEL-07-040300All networked systems must have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
@@ -9664,18 +9705,17 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO
CCI-002420CCI-002421CCI-002422
- Install SSH packages onto the host with the following commands:
+ Install SSH packages onto the host with the following commands:
# yum install openssh-clients.x86_64
# yum install openssh-server.x86_64
-
-Note: 32-bit versions will require different packages.
-
-
+
+
+ Check to see if sshd is installed with the following command:
-# yum list installed ssh
+# yum list installed | grep ssh
libssh2.x86_64 1.4.3-8.el7 @anaconda/7.1
openssh.x86_64 6.6.1p1-11.el7 @anaconda/7.1
openssh-clients.x86_64 6.6.1p1-11.el7 @anaconda/7.1
@@ -11031,7 +11071,7 @@ If the "X11Forwarding" keyword is set to "no", is missing, or is commented out,
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
-
+ RHEL-07-040720If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode.<VulnDiscussion>Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -11047,14 +11087,14 @@ If the "X11Forwarding" keyword is set to "no", is missing, or is commented out,
server_args = -s /var/lib/tftpboot
-
+ Verify the TFTP daemon is configured to operate in secure mode.
Check to see if a TFTP server has been installed with the following commands:
-# yum list installed | grep tftp
-tftp-0.49-9.el7.x86_64.rpm
+# yum list installed | grep tftp-server
+tftp-server.x86_64 x.x-x.el7 rhel-7-server-rpms
If a TFTP server is not installed, this is Not Applicable.
@@ -11070,7 +11110,7 @@ If the "server_args" line does not have a "-s" option and a subdirectory is not
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
-
+ RHEL-07-040730An X Windows display manager must not be installed unless approved.<VulnDiscussion>Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities and will not be used unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -11082,19 +11122,17 @@ If the "server_args" line does not have a "-s" option and a subdirectory is not
2777CCI-000366
- Document the requirement for an X Windows server with the ISSO or remove the related packages with the following commands:
+ Document the requirement for an X Windows server with the ISSO or remove the related packages with the following commands:
-#yum groupremove "X Window System"
-
-#yum remove xorg-x11-server-common
-
-
+# rpm -e xorg-x11-server-common
+
+ Verify that if the system has X Windows System installed, it is authorized.
Check for the X11 package with the following command:
-# yum group list installed "X Window System"
+# rpm -qa | grep xorg | grep server
Ask the System Administrator if use of the X Windows System is an operational requirement.
@@ -11206,7 +11244,7 @@ If either of these commands returns any output, this is a finding.
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
-
+ RHEL-07-040810The system access control program must be configured to grant or deny system access to specific hosts and services.<VulnDiscussion>If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -11218,11 +11256,11 @@ If either of these commands returns any output, this is a finding.2777
CCI-000366
- If "firewalld" is installed and active on the system, configure rules for allowing specific services and hosts.
+ If "firewalld" is installed and active on the system, configure rules for allowing specific services and hosts.
-If "tcpwrappers" is installed, configure the "/etc/hosts.allow" and "/etc/hosts.deny" to allow or deny access to specific hosts.
-
-
+If "firewalld" is not "active", enable "tcpwrappers" by configuring "/etc/hosts.allow" and "/etc/hosts.deny" to allow or deny access to specific hosts.
+
+ If the "firewalld" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding.
@@ -11263,7 +11301,7 @@ rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow
If "firewalld" and "tcpwrappers" are not installed, configured, and active, ask the SA if another access control program (such as iptables) is installed and active. Ask the SA to show that the running configuration grants or denies access to specific hosts or services.
-If "firewalld" is active and is not configured to grant access to specific hosts and "tcpwrappers" is not configured to grant or deny access to specific hosts, this is a finding.
+If "firewalld" is active and is not configured to grant access to specific hosts or "tcpwrappers" is not configured to grant or deny access to specific hosts, this is a finding.
@@ -11450,7 +11488,7 @@ If the "pam" service is not present, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>
-
+ RHEL-07-041003The operating system must implement certificate status checking for PKI authentication.<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
@@ -11480,7 +11518,7 @@ Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPO
Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".
-
+ Verify the operating system implements certificate status checking for PKI authentication.
@@ -11492,9 +11530,9 @@ cert_policy =ca, ocsp_on, signature;
cert_policy =ca, ocsp_on, signature;
cert_policy =ca, ocsp_on, signature;
-There should be at least three lines returned. All lines must match the example output; specifically that "oscp_on" must be included in the "cert_policy" line.
+There should be at least three lines returned. All lines must match the example output; specifically that "ocsp_on" must be included in the "cert_policy" line.
-If "oscp_on" is present in all "cert_policy" lines, this is not a finding.
+If "ocsp_on" is present in all "cert_policy" lines, this is not a finding.
@@ -11797,7 +11835,7 @@ If the command does not return a line, or the line is commented out, this is a f
SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>
-
+ RHEL-07-030872The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
@@ -11822,7 +11860,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules":
The audit daemon must be restarted for the changes to take effect.
-
+ Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
@@ -11830,7 +11868,7 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
# grep /etc/gshadow /etc/audit/audit.rules
--w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+-w /etc/gshadow -p wa -k identity
If the command does not return a line, or the line is commented out, this is a finding.
@@ -11839,7 +11877,7 @@ If the command does not return a line, or the line is commented out, this is a f
SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>
-
+ RHEL-07-030873The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
@@ -11864,7 +11902,7 @@ Add or update the following file system rule in "/etc/audit/rules.d/audit.rules"
The audit daemon must be restarted for the changes to take effect.
-
+ Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
@@ -11872,7 +11910,7 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
# grep /etc/shadow /etc/audit/audit.rules
--w /etc/shadow -p wa -k audit_rules_usergroup_modification
+-w /etc/shadow -p wa -k identity
If the command does not return a line, or the line is commented out, this is a finding.
@@ -11881,7 +11919,7 @@ If the command does not return a line, or the line is commented out, this is a f
SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>
-
+ RHEL-07-030874The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
@@ -11906,7 +11944,7 @@ Add or update the following file system rule in "/etc/audit/rules.d/audit.rules"
The audit daemon must be restarted for the changes to take effect.
-
+ Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
@@ -11914,7 +11952,7 @@ Check the auditing rules in "/etc/audit/rules.d/audit.rules" with the following
# grep /etc/security/opasswd /etc/audit/rules.d/audit.rules
--w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+-w /etc/security/opasswd -p wa -k identity
If the command does not return a line, or the line is commented out, this is a finding.
@@ -11923,7 +11961,7 @@ If the command does not return a line, or the line is commented out, this is a f
SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
-
+ RHEL-07-040641The system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -11939,7 +11977,7 @@ If the command does not return a line, or the line is commented out, this is a f
net.ipv4.conf.all.accept_redirects = 0
-
+ Verify the system ignores IPv4 ICMP redirect messages.
@@ -11949,7 +11987,7 @@ Check the value of the "accept_redirects" variables with the following command:
net.ipv4.conf.all.accept_redirects=0
-If both of the returned lines do not have a value of "0", or a line is not returned, this is a finding.
+If the returned line does not have a value of "0", or a line is not returned, this is a finding.
@@ -11992,4 +12030,173 @@ If a wireless interface is configured and its use on the system is not documente
+
+ SRG-OS-000375-GPOS-00160
+ <GroupDescription></GroupDescription>
+
+ RHEL-07-010061
+ The operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.
+ <VulnDiscussion>To assure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system.
+
+Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
+
+
+Satisfies: SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162
+</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
+
+ DPMS Target Red Hat 7
+ DISA
+ DPMS Target
+ Red Hat 7
+ 2777
+
+ CCI-001948
+ CCI-001953
+ CCI-001954
+ Configure the operating system to uniquely identify and authenticate users using multifactor authentication via a graphical user logon.
+
+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+
+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
+
+Note: The example is using the database local for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
+
+# touch /etc/dconf/db/local.d/00-defaults
+
+Add the setting to enable smartcard login:
+enable-smartcard-authentication=true
+
+
+
+ Verify the operating system uniquely identifies and authenticates users using multifactor authentication via a graphical user logon.
+
+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+
+Determine which profile the system database is using with the following command:
+
+# grep system-db /etc/dconf/profile/user
+
+system-db:local
+
+Note: The example is using the database local for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than local is being used.
+
+# grep enable-smartcard-authentication /etc/dconf/db/local.d/*
+
+enable-smartcard-authentication=true
+
+If "enable-smartcard-authentication" is set to "false" or the keyword is missing, this is a finding.
+
+
+
+
+ SRG-OS-000378-GPOS-00163
+ <GroupDescription></GroupDescription>
+
+ RHEL-07-020101
+ The Datagram Congestion Control Protocol (DCCP) kernel module must be disabled unless required.
+ <VulnDiscussion>Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
+
+ DPMS Target Red Hat 7
+ DISA
+ DPMS Target
+ Red Hat 7
+ 2777
+
+ CCI-001958
+ Configure the operating system to disable the ability to use the DCCP kernel module.
+
+Create a file under "/etc/modprobe.d" with the following command:
+
+# touch /etc/modprobe.d/nodccp
+
+Add the following line to the created file:
+
+install dccp /bin/true
+
+
+
+ Verify the operating system disables the ability to load the DCCP kernel module.
+
+Check to see if the DCCP kernel module is disabled with the following command:
+
+# grep -r dccp /etc/modprobe.d/* | grep -i "/bin/true" | grep -v "^#"
+
+install dccp /bin/true
+
+If the command does not return any output, or the line is commented out, and use of DCCP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
+
+
+
+
+ SRG-OS-000080-GPOS-00048
+ <GroupDescription></GroupDescription>
+
+ RHEL-07-010481
+ The operating system must require authentication upon booting into single-user and maintenance modes.
+ <VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
+
+ DPMS Target Red Hat 7
+ DISA
+ DPMS Target
+ Red Hat 7
+ 2777
+
+ CCI-000213
+ Configure the operating system to require authentication upon booting into single-user and maintenance modes.
+
+Add or modify the "ExecStart" line in "/usr/lib/systemd/system/rescue.service" to include "/usr/sbin/sulogin":
+
+ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+
+
+
+
+ Verify the operating system must require authentication upon booting into single-user and maintenance modes.
+
+Check that the operating system requires authentication upon booting into single-user mode with the following command:
+
+# grep -i execstart /usr/lib/systemd/system/rescue.service
+
+ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+
+If "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding.
+
+
+
+
+
+ SRG-OS-000480-GPOS-00227
+ <GroupDescription></GroupDescription>
+
+ RHEL-07-040201
+ The operating system must implement virtual address space randomization.
+ <VulnDiscussion>Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
+
+ DPMS Target Red Hat 7
+ DISA
+ DPMS Target
+ Red Hat 7
+ 2777
+
+ CCI-000366
+ Configure the operating system implement virtual address space randomization.
+
+Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value):
+
+kernel.randomize_va_space=2
+
+
+
+ Verify the operating system implements virtual address space randomization.
+
+Check that the operating system implements virtual address space randomization with the following command:
+
+# grep kernel.randomize_va_space /etc/sysctl.conf
+
+kernel.randomize_va_space=2
+
+If "kernel.randomize_va_space" does not have a value of "2", this is a finding.
+
+
+
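Review bot: the checks for the four new controls in this hunk read specific files, which matters for how the role implements them. The ASLR check runs `grep kernel.randomize_va_space /etc/sysctl.conf`, so a task that writes the parameter to a file under /etc/sysctl.d would be effective at runtime but still show as a finding; the V-77825 task should target /etc/sysctl.conf. The DCCP check greps /etc/modprobe.d/* for a `/bin/true` install line, which the `install dccp /bin/true` line written by the kernel.yml task satisfies. The sulogin check greps /usr/lib/systemd/system/rescue.service itself, so a drop-in override under /etc/systemd/system would not be seen by the check; this is consistent with the V-77823 metadata leaving rescue.service untouched.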
diff --git a/doc/metadata/rhel7/V-77819.rst b/doc/metadata/rhel7/V-77819.rst
new file mode 100644
index 00000000..93ac2c76
--- /dev/null
+++ b/doc/metadata/rhel7/V-77819.rst
@@ -0,0 +1,13 @@
+---
+id: V-77819
+status: exception - manual intervention
+tag: misc
+---
+
+The STIG requires that multifactor authentication is used for graphical user
+logon, but this change requires custom configuration based on the
+authentication solution that is used.
+
+Deployers should review the available options, such as traditional
+smartcards, USB devices (such as Yubikeys), or software token systems, and
+use one of these solutions on each system.
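Review bot: the tag on this control looks inconsistent with its sibling: V-77819 concerns multifactor authentication for graphical logon but is tagged `misc`, while the V-77823 single-user authentication control added in the same change is tagged `auth`. Using `auth` here would keep the generated documentation grouping coherent.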
diff --git a/doc/metadata/rhel7/V-77821.rst b/doc/metadata/rhel7/V-77821.rst
new file mode 100644
index 00000000..82a5fc79
--- /dev/null
+++ b/doc/metadata/rhel7/V-77821.rst
@@ -0,0 +1,14 @@
+---
+id: V-77821
+status: implemented
+tag: kernel
+---
+
+The ansible-hardening role disables the DCCP kernel module by default. Each
+system must be rebooted to fully apply the change.
+
+Deployers can opt out of the change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+ security_rhel7_disable_dccp: no
diff --git a/doc/metadata/rhel7/V-77823.rst b/doc/metadata/rhel7/V-77823.rst
new file mode 100644
index 00000000..e876ea49
--- /dev/null
+++ b/doc/metadata/rhel7/V-77823.rst
@@ -0,0 +1,13 @@
+---
+id: V-77823
+status: exception - manual intervention
+tag: auth
+---
+
+Modifying sensitive systemd unit files directly or via overrides could cause
+a system to have issues during the boot process. The role does not make any
+adjustments to the ``rescue.service`` because this service is critical during
+emergencies.
+
+All of the distributions supported by the role already require authentication
+for single user mode.
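Review bot: the closing statement that all supported distributions already require authentication for single-user mode is asserted without evidence. Since the role deliberately does not modify `rescue.service`, either record how this was verified (for instance that the shipped unit's ExecStart already invokes /usr/sbin/sulogin, which is what the STIG check greps for) or add a read-only check task that reports when sulogin is absent from the unit, so the exception does not silently mask a unit file that has been altered on a host.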
diff --git a/doc/metadata/rhel7/V-77825.rst b/doc/metadata/rhel7/V-77825.rst
new file mode 100644
index 00000000..3acffb0a
--- /dev/null
+++ b/doc/metadata/rhel7/V-77825.rst
@@ -0,0 +1,18 @@
+---
+id: V-77825
+status: implemented
+tag: kernel
+---
+
+Most modern systems enable Address Space Layout Randomization (ASLR) by
+default (with a setting of ``2``), and the role ensures that the secure
+default is maintained.
+
+Deployers can opt out of the change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+ security_enable_aslr: no
+
+For more details on the ASLR settings, review the
+`sysctl documentation `_.
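Review bot: the reST hyperlink on the last line, `` `sysctl documentation `_ ``, has an empty target between the label and the closing backtick, so Sphinx will not render a usable link (and will likely warn); fill in the URL of the kernel sysctl documentation being referenced.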
diff --git a/doc/source/_exts/metadata-docs-rhel7.py b/doc/source/_exts/metadata-docs-rhel7.py
index 903aee9c..547a0d33 100755
--- a/doc/source/_exts/metadata-docs-rhel7.py
+++ b/doc/source/_exts/metadata-docs-rhel7.py
@@ -28,7 +28,7 @@ import yaml
SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
METADATA_DIR = "{0}/../../metadata".format(SCRIPT_DIR)
DOC_SOURCE_DIR = "{0}/..".format(SCRIPT_DIR)
-XCCDF_FILE = 'U_Red_Hat_Enterprise_Linux_7_STIG_V1R2_Manual-xccdf.xml'
+XCCDF_FILE = 'U_Red_Hat_Enterprise_Linux_7_STIG_V1R3_Manual-xccdf.xml'
XCCDF_NAMESPACE = {'x': 'http://checklists.nist.gov/xccdf/1.1'}
diff --git a/releasenotes/notes/rhel7-stig-v1r3-update-c533ed40ba609ccf.yaml b/releasenotes/notes/rhel7-stig-v1r3-update-c533ed40ba609ccf.yaml
new file mode 100644
index 00000000..495eac9d
--- /dev/null
+++ b/releasenotes/notes/rhel7-stig-v1r3-update-c533ed40ba609ccf.yaml
@@ -0,0 +1,15 @@
+---
+features:
+ - |
+ The tasks within the ansible-hardening role are now based on Version 1,
+ Release 3 of the Red Hat Enteprise Linux Security Technical Implementation
+ Guide.
+ - |
+ The ``sysctl`` parameter ``kernel.randomize_va_space`` is now set to
+ ``2`` by default. This matches the default of most modern Linux
+ distributions and it ensures that Address Space Layout Randomization
+ (ASLR) is enabled.
+ - |
+ The Datagram Congestion Control Protocol (DCCP) kernel module is now
+ disabled by default, but a reboot is required to make the change
+ effective.
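Review bot: Typo in the first note, "Enteprise" should read "Enterprise". The notes also omit the user-visible change in `vars/main.yml` that lowers `maxrepeat` from 4 to 3 for V-71915; existing deployments will get a stricter password-quality policy on their next run, so that deserves its own entry alongside the DCCP and ASLR notes.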
diff --git a/tasks/rhel7stig/kernel.yml b/tasks/rhel7stig/kernel.yml
index 45f34927..c5123127 100644
--- a/tasks/rhel7stig/kernel.yml
+++ b/tasks/rhel7stig/kernel.yml
@@ -95,3 +95,15 @@
- high
- misc
- V-72067
+
+- name: V-77821 - Datagram Congestion Control Protocol (DCCP) kernel module must be disabled
+ lineinfile:
+ dest: /etc/modprobe.d/ansible-hardening-disable-dccp.conf
+ line: install dccp /bin/true
+ create: yes
+ when:
+ - security_rhel7_disable_dccp | bool
+ tags:
+ - kernel
+ - medium
+ - V-77821
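Review bot: The task has no counterpart for the opt-out case: it is guarded only by `when: security_rhel7_disable_dccp | bool`, so once the modprobe file has been created a later run with the variable set to `no` never removes it. Either add a second `lineinfile`/`file` task with `state: absent` under the negated condition, or make the docs state that cleanup is manual. Also worth a comment in the task: `install dccp /bin/true` only blocks future loads, so a module already loaded at run time stays loaded until reboot, which is why the docs call for one.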
diff --git a/vars/main.yml b/vars/main.yml
index dfbe52cd..aa0a8701 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -253,9 +253,9 @@ password_quality_rhel7:
description: "Password must have at least four character classes changed"
enabled: "{{ security_pwquality_require_character_classes_changed }}"
- parameter: maxrepeat
- value: 4
+ value: 3
stig_id: V-71915
- description: "Password must have at most four characters repeated consecutively"
+ description: "Password must have at most three characters repeated consecutively"
enabled: "{{ security_pwquality_limit_repeated_characters }}"
- parameter: maxclassrepeat
value: 4
@@ -341,3 +341,6 @@ sysctl_settings_rhel7:
- name: net.ipv4.conf.default.accept_redirects
value: 0
enabled: "{{ security_disallow_icmp_redirects | bool }}"
+ - name: kernel.randomize_va_space
+ value: 2
+ enabled: "{{ security_enable_aslr | bool }}"