scap-security-guide November 2013

scap-security-guide@lists.fedorahosted.org

23 participants
73 discussions

[PATCH] [RHEL6] Fix OVAL check for '3.4.3.g. Disable SSH Root Login' rule
by Jan Lieskovsky 22 Nov '13

22 Nov '13

Fix / invert the logic of OVAL rule for '3.4.3.g. Disable SSH Root Login' XCCDF rule. On default RHEL-6 system there's no uncommented 'PermitRootLogin yes' present in /etc/ssh/sshd_config configuration file (from the header of the config: # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. >From sshd_config(5): PermitRootLogin Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”. The default is “yes”. Therefore the default RHEL-6's sshd config is missing explicit PermitRootLogin yes, but defaulting to it. Former implementation (incorrectly) returned 'pass' as result of the scan, even when root login via SSH was allowed (can be tested on former implementation via SSH root attempt). The proposal modifies the implementation the scan check to succeed only in case there's explicit 'PermitRootLogin no' in /etc/ssh/sshd_config, and allows possible comments behinds that definition (since it's valid config form too). Please review. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

2 3

GConf checks and testing if a Package is installed
by Maura Dailey 21 Nov '13

21 Nov '13

This has come up before. When testing for the value of GConf checks, I'd like to use the package install/remove script to test if GConf2 is even installed. The xorg package check exists, but not one for GConf2. In order of preference: 1. I add GConf2 to the list of packages that should be removed and write one of those extend checks inside every gconf check. Profiles can decide how they feel about GConf2. It could depend on Xorg. 2. I test for the presence of GConf2 in every gconf check. 3. I test for the presence of Xorg, under the assumption that GConf2 will also be installed. Thoughts? - Maura Dailey

2 2

SECSCN and all_rules profile
by Kordell, Luke T 21 Nov '13

21 Nov '13

Hello, I thought it would be useful to generate an "all_rules" profile to help us in the requirements-gathering phase of a profile development. To create this profile I grepped the .xml files contained in the system and services directories for "Rule id=" and used the output to create an all_rules profile. The all_rules profile and CS2 profile list 388 rules while the STIG lists 389. I expected the all_rules profile to have more rules than either since it should contain at least all the rules called by both CS2 and the STIG. Are there rules in other directories, or am I missing something else? I have been comparing SECSCN output to the STIG and CS2 profiles and thus-far it has raised a couple questions. First SECSCN lists the bash commands it uses to gather its results and lists the exact reasons for a failed test. Are there plans to include this capability in the future or would this be handled by a scanning automation tool like oscap? What component of SCAP and/or OVAL is linked to bash? Is it possible to get access to this underlying source-code for modification purposes? Luke K

3 10

Checking the default values by performing a scan
by Jan Lieskovsky 21 Nov '13

21 Nov '13

Hello folks, with the intentions the Fedora scap-security-guide content to be adaptable to future versions of scap-security-guide content for Red Hat Enterprise Linux as much as possible, I encountered the following question I would like the SSG upstream to provide an opinion at prior me proceeding on actual implementation of the rule. The SCAP content for Red Hat Enterprise Linux 6 contains the following SSH protocol / service related rule: "3.4.3.a. Allow Only SSH Protocol 2" Having a look at particular OVAL check it implements approximately the following logic - rule succeeds only in cases the sshd service isn't enabled or the "Protocol 2" option is present in /etc/ssh/sshd_config file. In Fedora (for case of 19 currently based on openssh-server-6.2p2) the situation is slightly different. OpenSSH upstream starting from 5.4 version: [1] http://www.openssh.com/txt/release-5.4 [2] http://en.wikipedia.org/wiki/OpenSSH the version 1 of the SSH protocol is disabled by default and clients / servers that (still) need to use it need to explicitly enable it in ssh_config / sshd_config files or via command line. So for case of Fedora (later versions of Red Hat Enterprise Linux) the check for "Protocol 2" string being present in /etc/ssh/sshd_config file would not be sufficient. This is the actual point of my question - protocol 2 being the default version, is it sufficient to expect version 2 being the used one and the check should verify just if version 1 of the SSH protocol wasn't explicitly enabled in the config file and also possibly if version of openssh-server package is greater than 5.4? Or would you recommend another approach? If so, what it would look like? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team P.S.: The case of "3.4.3.a. Allow Only SSH Protocol 2" has been selected just as an example of such rule. But there are more cases of behaviour like this (for example ExecShield being enabled by default etc.)

1 0

[PATCH 0/2] pam_ldap fixups
by Maura Dailey 20 Nov '13

20 Nov '13

I noticed that the regex in ldap_client_pam_ldap_present was too limited. It should look for lines with pam_ldap.so in them, not just lines that end with it. Also, the period was not escaped. I also went ahead and switched the pam_ldap.conf checks to use filepath instead of path and filename, since that seems to be the standard going forward. Maura Dailey (2): Check was expecting pam_ldap.so to exist at least once with no options at the end of the line. It's better to see if it exists in the middle of a line. Also, fixed an unescaped period. Tested both checks and switched to using filepath instead of separate file and path tags. .../input/checks/ldap_client_pam_ldap_present.xml | 13 ++++----- RHEL6/input/checks/ldap_client_start_tls.xml | 14 ++++------- RHEL6/input/checks/ldap_client_tls_cacertpath.xml | 26 +++++++------------ 3 files changed, 21 insertions(+), 32 deletions(-)

2 3

[PATCH] Adding new values to cups checks
by Maura Dailey 19 Nov '13

19 Nov '13

The cups checks as written would not accept valid equivalents for certain checks. - Administrators might have configured non standard ports for CUPS (not 631) - The Listen directive should accept localhost or 127.0.0.1 as a host name - BrowseAllow won't appear by default when configured by the GUI, since the default value is none - Although the GUI and other documentation says that Browsing should be set to On or Off, the man page specifies the value is Yes or No Maura Dailey (1): Loosening up some of the checks to allow for non standard ports and equivalent values as allowed by the man page RHEL6/input/checks/cups_disable_browsing.xml | 47 ++++++++++++----------- RHEL6/input/checks/cups_disable_printserver.xml | 32 +++++----------- 2 files changed, 35 insertions(+), 44 deletions(-)

2 2

[PATCH] [Fedora] Include remediations for login.defs' based password minimum, maximum and warning age rules
by Jan Lieskovsky 19 Nov '13

19 Nov '13

This patch adds remediation rules for /etc/login.defs based XCCDF rules for password minimum, maximum, and warning age. Passed basic regression testing. Please review. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

1 1

SSG mentioned in Information Week!
by Shawn Wells 19 Nov '13

19 Nov '13

Our dearest Jeff is famous ;) http://www.informationweek.com/agencies-widen-open-source-use--/d/d-id/8998… Agencies Widen Open-Source Use Open-source software programs streamline efforts, improve security, and lower costs. Federal agencies, looking for new ways to lower their IT costs, are exploiting open-source software tools in a wider range of applications, not only to reduce software costs, but also to tighten network security, streamline operations, and reduce expenses in vetting applications and services. The Department of Homeland Security typifies the widening embrace of open-source software. The main reason has to do with saving money, says Greg Capella, DHS deputy executive director, Enterprise System Development Office, Chief Information Officer. The department is applying open-source code internally, not only for its IT infrastructure, but also for mobile applications, he said during theRed Hat Government Symposium <http://fedscoop.com/redhatgovernmentsymposium/2013/>in Washington, Nov. 6. One open-source pilot, called "Car Wash," is a platform to test the integration of mobile device applications. Capella notes that the pilot will extend beyond the DHS and soon be made available across the federal government. The system has already been presented to the federal CIO Council. Agencies wishing to deploy Android or iOS-based devices can use Car Wash to look for preferred coding practices in applications and for security holes. "It gives you everything from coding best-practices... to security, [section] 508, and other compliance checks," he said. The system will test and provide feedback, for instance, about how well the product's developers have coded an application. Efforts like Car Wash are one of the ways that the DHS wants to refine how it uses open-source software, Capella explained. The practices used in the pilot program build on open-source software's strengths as a community-developed product that tends to catch the introduction of security holes while adding capabilities quickly to foundational software, he said. The DHS is also focused on expanding its cloud capabilities using open-source software. That can be challenging because agencies within DHS often don't want to compromise on features, Capella said. That's changing, however, as budgets tighten. "We're seeing more people willing to compromise and starting to embrace these 80 percent solutions as opposed to solutions that push the envelope." The expanded use of open-source software to streamline capabilities and improve operations can also be seen in the intelligence community, in particular at the National Security Agency. There is a large amount of duplication involved in information assurance, explains Jeff Blank, a technology and systems analysis/network components director with the NSA's Information Assurance branch. Much of that duplication is the result of multiple checklists required for vendors' products at varying security and authorization levels. Blank is now trying to reduce that duplication by conducting due diligence once with a vendor offering multiple products. Working with Red Hat, NSA set up a project called the Security Content Automation Protocol (SCAP) Security Guide in 2011. It is a hosted catalogue of key security settings for a range of software products such as enterprise Linux. The SCAP Guide also plugs into and cross references products with other security catalogues, such as DISA's CCI List. He noted that the goal was to allow different enterprise consumers to use security profiles as a guide to selecting the products they needed. Blank described the SCAP Guide program as a success, noting that it will help reduce the costs of security due diligence in the intelligence community. He also praised the quality benefits of open-source software that result from users working in shared environments and gaining feedback -- a big change from the days of proprietary software. "When [software] is done behind closed doors, you don't always get the best results," he said.

1 0

[PATCH 3/3] add VMS IDs and release numbers
by Steinke, Leland J Sr CTR DISA DD (US) 18 Nov '13

18 Nov '13

I am open to suggestions as to how to improve this method of inserting DISA Vulnerability Management System ID numbers into the SSG content. This patch at least makes the information available. Thanks, Leland -- Leland Steinke, Security+ DISA FSO Technical Support Contractor tapestry technologies, Inc 717-267-5797 (DSN 570) leland.j.steinke.ctr(a)mail.mil (gov't) lsteinke(a)tapestrytech.com (com'l) --- RHEL6/input/auxiliary/stig_overlay.xml | 255 ++++++++++++++++++++++++++++++++ 1 files changed, 255 insertions(+), 0 deletions(-) diff --git a/RHEL6/input/auxiliary/stig_overlay.xml b/RHEL6/input/auxiliary/stig_overlay.xml index b2c7809..32eb751 100644 --- a/RHEL6/input/auxiliary/stig_overlay.xml +++ b/RHEL6/input/auxiliary/stig_overlay.xml @@ -1,45 +1,58 @@ <?xml version="1.0"?> <overlays xmlns="http://checklists.nist.gov/xccdf/1.1"> <overlay owner="disastig" ruleid="partition_for_tmp" ownerid="RHEL-06-000001" disa="366" severity="low"> + <VMSinfo VKey="38455" SVKey="50255" VRelease="1" /> <title>The system must use a separate file system for /tmp.</title> </overlay> <overlay owner="disastig" ruleid="partition_for_var" ownerid="RHEL-06-000002" disa="366" severity="low"> + <VMSinfo VKey="38456" SVKey="50256" VRelease="1" /> <title>The system must use a separate file system for /var.</title> </overlay> <overlay owner="disastig" ruleid="partition_for_var_log" ownerid="RHEL-06-000003" disa="366" severity="low"> + <VMSinfo VKey="38463" SVKey="50263" VRelease="1" /> <title>The system must use a separate file system for /var/log.</title> </overlay> <overlay owner="disastig" ruleid="partition_for_var_log_audit" ownerid="RHEL-06-000004" disa="137" severity="low"> + <VMSinfo VKey="38467" SVKey="50267" VRelease="1" /> <title>The system must use a separate file system for the system audit data path.</title> </overlay> <overlay owner="disastig" ruleid="auditd_data_retention_space_left_action" ownerid="RHEL-06-000005" disa="138" severity="medium"> + <VMSinfo VKey="38470" SVKey="50270" VRelease="1" /> <title>The audit system must alert designated staff members when the audit storage volume approaches capacity.</title> </overlay> <overlay owner="disastig" ruleid="partition_for_home" ownerid="RHEL-06-000007" disa="366" severity="low"> + <VMSinfo VKey="38473" SVKey="50273" VRelease="1" /> <title>The system must use a separate file system for user home directories.</title> </overlay> <overlay owner="disastig" ruleid="ensure_redhat_gpgkey_installed" ownerid="RHEL-06-000008" disa="352" severity="high"> + <VMSinfo VKey="38476" SVKey="50276" VRelease="1" /> <title>Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.</title> </overlay> <overlay owner="disastig" ruleid="service_rhnsd_disabled" ownerid="RHEL-06-000009" disa="382" severity="low"> + <VMSinfo VKey="38478" SVKey="50278" VRelease="2" /> <title>The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.</title> </overlay> <overlay owner="disastig" ruleid="security_patches_up_to_date" ownerid="RHEL-06-000011" disa="1233" severity="medium"> + <VMSinfo VKey="38481" SVKey="50281" VRelease="1" /> <title>System security patches and updates must be installed and up-to-date.</title> </overlay> <overlay owner="disastig" ruleid="ensure_gpgcheck_globally_activated" ownerid="RHEL-06-000013" disa="663" severity="medium"> + <VMSinfo VKey="38483" SVKey="50283" VRelease="1" /> <title>The system package management tool must cryptographically verify the authenticity of system software packages during installation.</title> </overlay> <overlay owner="disastig" ruleid="ensure_gpgcheck_never_disabled" ownerid="RHEL-06-000015" disa="663" severity="low"> + <VMSinfo VKey="38487" SVKey="50288" VRelease="1" /> <title>The system package management tool must cryptographically verify the authenticity of all software packages during installation.</title> </overlay> <overlay owner="disastig" ruleid="package_aide_installed" ownerid="RHEL-06-000016" disa="1069" severity="medium"> + <VMSinfo VKey="38489" SVKey="50290" VRelease="1" /> <title>A file integrity tool must be installed.</title> </overlay> <overlay owner="disastig" ruleid="enable_selinux_bootloader" ownerid="RHEL-06-000017" disa="22" severity="medium"> <title>The system must use a Linux Security Module at boot time.</title> </overlay> <overlay owner="disastig" ruleid="no_rsh_trust_files" ownerid="RHEL-06-000019" disa="1436" severity="high"> + <VMSinfo VKey="38491" SVKey="50292" VRelease="1" /> <title>There must be no .rhosts or hosts.equiv files on the system.</title> </overlay> <overlay owner="disastig" ruleid="selinux_state" ownerid="RHEL-06-000020" disa="22" severity="medium"> @@ -52,201 +65,266 @@ <title>All device files must be monitored by the system Linux Security Module.</title> </overlay> <overlay owner="disastig" ruleid="securetty_root_login_console_only" ownerid="RHEL-06-000027" disa="770" severity="medium"> + <VMSinfo VKey="38492" SVKey="50293" VRelease="1" /> <title>The system must prevent the root account from logging in from virtual consoles.</title> </overlay> <overlay owner="disastig" ruleid="restrict_serial_port_logins" ownerid="RHEL-06-000028" disa="770" severity="low"> + <VMSinfo VKey="38494" SVKey="50295" VRelease="1" /> <title>The system must prevent the root account from logging in from serial consoles.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000029" disa="366" severity="medium"> + <VMSinfo VKey="38496" SVKey="50297" VRelease="1" /> <title>Default system accounts, other than root, must be locked.</title> </overlay> <overlay owner="disastig" ruleid="no_empty_passwords" ownerid="RHEL-06-000030" disa="366" severity="high"> + <VMSinfo VKey="38497" SVKey="50298" VRelease="1" /> <title>The system must not have accounts configured with blank or null passwords.</title> </overlay> <overlay owner="disastig" ruleid="no_hashes_outside_shadow" ownerid="RHEL-06-000031" disa="366" severity="medium"> + <VMSinfo VKey="38499" SVKey="50300" VRelease="1" /> <title>The /etc/passwd file must not contain password hashes.</title> </overlay> <overlay owner="disastig" ruleid="accounts_no_uid_except_zero" ownerid="RHEL-06-000032" disa="366" severity="medium"> + <VMSinfo VKey="38500" SVKey="50301" VRelease="1" /> <title>The root account must be the only account having a UID of 0.</title> </overlay> <overlay owner="disastig" ruleid="userowner_shadow_file" ownerid="RHEL-06-000033" disa="366" severity="medium"> + <VMSinfo VKey="38502" SVKey="50303" VRelease="1" /> <title>The /etc/shadow file must be owned by root.</title> </overlay> <overlay owner="disastig" ruleid="groupowner_shadow_file" ownerid="RHEL-06-000034" disa="366" severity="medium"> + <VMSinfo VKey="38503" SVKey="50304" VRelease="1" /> <title>The /etc/shadow file must be group-owned by root.</title> </overlay> <overlay owner="disastig" ruleid="file_permissions_etc_shadow" ownerid="RHEL-06-000035" disa="366" severity="medium"> + <VMSinfo VKey="38504" SVKey="50305" VRelease="1" /> <title>The /etc/shadow file must have mode 0000.</title> </overlay> <overlay owner="disastig" ruleid="userowner_gshadow_file" ownerid="RHEL-06-000036" disa="366" severity="medium"> + <VMSinfo VKey="38443" SVKey="50243" VRelease="1" /> <title>The /etc/gshadow file must be owned by root.</title> </overlay> <overlay owner="disastig" ruleid="groupowner_gshadow_file" ownerid="RHEL-06-000037" disa="366" severity="medium"> + <VMSinfo VKey="38448" SVKey="50248" VRelease="1" /> <title>The /etc/gshadow file must be group-owned by root.</title> </overlay> <overlay owner="disastig" ruleid="perms_gshadow_file" ownerid="RHEL-06-000038" disa="366" severity="medium"> + <VMSinfo VKey="38449" SVKey="50249" VRelease="1" /> <title>The /etc/gshadow file must have mode 0000.</title> </overlay> <overlay owner="disastig" ruleid="userowner_passwd_file" ownerid="RHEL-06-000039" disa="366" severity="medium"> + <VMSinfo VKey="38450" SVKey="50250" VRelease="1" /> <title>The /etc/passwd file must be owned by root.</title> </overlay> <overlay owner="disastig" ruleid="groupowner_passwd_file" ownerid="RHEL-06-000040" disa="366" severity="medium"> + <VMSinfo VKey="38451" SVKey="50251" VRelease="1" /> <title>The /etc/passwd file must be group-owned by root.</title> </overlay> <overlay owner="disastig" ruleid="file_permissions_etc_passwd" ownerid="RHEL-06-000041" disa="366" severity="medium"> + <VMSinfo VKey="38457" SVKey="50257" VRelease="1" /> <title>The /etc/passwd file must have mode 0644 or less permissive.</title> </overlay> <overlay owner="disastig" ruleid="userowner_group_file" ownerid="RHEL-06-000042" disa="366" severity="medium"> + <VMSinfo VKey="38458" SVKey="50258" VRelease="1" /> <title>The /etc/group file must be owned by root.</title> </overlay> <overlay owner="disastig" ruleid="groupowner_group_file" ownerid="RHEL-06-000043" disa="366" severity="medium"> + <VMSinfo VKey="38459" SVKey="50259" VRelease="1" /> <title>The /etc/group file must be group-owned by root.</title> </overlay> <overlay owner="disastig" ruleid="perms_group_file" ownerid="RHEL-06-000044" disa="366" severity="medium"> + <VMSinfo VKey="38461" SVKey="50261" VRelease="1" /> <title>The /etc/group file must have mode 0644 or less permissive.</title> </overlay> <overlay owner="disastig" ruleid="file_permissions_library_dirs" ownerid="RHEL-06-000045" disa="1499" severity="medium"> + <VMSinfo VKey="38465" SVKey="50265" VRelease="1" /> <title>Library files must have mode 0755 or less permissive.</title> </overlay> <overlay owner="disastig" ruleid="file_ownership_library_dirs" ownerid="RHEL-06-000046" disa="1499" severity="medium"> + <VMSinfo VKey="38466" SVKey="50266" VRelease="1" /> <title>Library files must be owned by root.</title> </overlay> <overlay owner="disastig" ruleid="file_permissions_binary_dirs" ownerid="RHEL-06-000047" disa="1499" severity="medium"> + <VMSinfo VKey="38469" SVKey="50269" VRelease="1" /> <title>All system command files must have mode 0755 or less permissive.</title> </overlay> <overlay owner="disastig" ruleid="file_ownership_binary_dirs" ownerid="RHEL-06-000048" disa="1499" severity="medium"> + <VMSinfo VKey="38472" SVKey="50272" VRelease="1" /> <title>All system command files must be owned by root.</title> </overlay> <overlay owner="disastig" ruleid="accounts_password_minlen_login_defs" ownerid="RHEL-06-000050" disa="205" severity="medium"> + <VMSinfo VKey="38475" SVKey="50275" VRelease="1" /> <title>The system must require passwords to contain a minimum of 14 characters.</title> </overlay> <overlay owner="disastig" ruleid="accounts_minimum_age_login_defs" ownerid="RHEL-06-000051" disa="198" severity="medium"> + <VMSinfo VKey="38477" SVKey="50277" VRelease="1" /> <title>Users must not be able to change passwords more than once every 24 hours.</title> </overlay> <overlay owner="disastig" ruleid="accounts_maximum_age_login_defs" ownerid="RHEL-06-000053" disa="199" severity="medium"> + <VMSinfo VKey="38479" SVKey="50279" VRelease="1" /> <title>User passwords must be changed at least every 60 days.</title> </overlay> <overlay owner="disastig" ruleid="accounts_password_warn_age_login_defs" ownerid="RHEL-06-000054" disa="366" severity="low"> + <VMSinfo VKey="38480" SVKey="50280" VRelease="1" /> <title>Users must be warned 7 days in advance of password expiration.</title> </overlay> <overlay owner="disastig" ruleid="accounts_password_pam_cracklib_dcredit" ownerid="RHEL-06-000056" disa="194" severity="low"> + <VMSinfo VKey="38482" SVKey="50282" VRelease="1" /> <title>The system must require passwords to contain at least one numeric character.</title> </overlay> <overlay owner="disastig" ruleid="password_require_uppercases" ownerid="RHEL-06-000057" disa="192" severity="low"> + <VMSinfo VKey="38569" SVKey="50370" VRelease="1" /> <title>The system must require passwords to contain at least one uppercase alphabetic character.</title> </overlay> <overlay owner="disastig" ruleid="password_require_specials" ownerid="RHEL-06-000058" disa="1619" severity="low"> + <VMSinfo VKey="38570" SVKey="50371" VRelease="1" /> <title>The system must require passwords to contain at least one special character.</title> </overlay> <overlay owner="disastig" ruleid="password_require_lowercases" ownerid="RHEL-06-000059" disa="193" severity="low"> + <VMSinfo VKey="38571" SVKey="50372" VRelease="1" /> <title>The system must require passwords to contain at least one lowercase alphabetic character.</title> </overlay> <overlay owner="disastig" ruleid="password_require_diffchars" ownerid="RHEL-06-000060" disa="195" severity="low"> + <VMSinfo VKey="38572" SVKey="50373" VRelease="1" /> <title>The system must require at least four characters be changed between the old and new passwords during a password change.</title> </overlay> <overlay owner="disastig" ruleid="deny_password_attempts" ownerid="RHEL-06-000061" disa="44" severity="medium"> + <VMSinfo VKey="38573" SVKey="50374" VRelease="1" /> <title>The system must disable accounts after three consecutive unsuccessful login attempts.</title> </overlay> <overlay owner="disastig" ruleid="set_password_hashing_algorithm_systemauth" ownerid="RHEL-06-000062" disa="803" severity="medium"> + <VMSinfo VKey="38574" SVKey="50375" VRelease="1" /> <title>The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).</title> </overlay> <overlay owner="disastig" ruleid="set_password_hashing_algorithm_logindefs" ownerid="RHEL-06-000063" disa="803" severity="medium"> + <VMSinfo VKey="38576" SVKey="50377" VRelease="1" /> <title>The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).</title> </overlay> <overlay owner="disastig" ruleid="set_password_hashing_algorithm_libuserconf" ownerid="RHEL-06-000064" disa="803" severity="medium"> + <VMSinfo VKey="38577" SVKey="50378" VRelease="1" /> <title>The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).</title> </overlay> <overlay owner="disastig" ruleid="user_owner_grub_conf" ownerid="RHEL-06-000065" disa="366" severity="medium"> + <VMSinfo VKey="38579" SVKey="50380" VRelease="1" /> <title>The system boot loader configuration file(s) must be owned by root.</title> </overlay> <overlay owner="disastig" ruleid="group_owner_grub_conf" ownerid="RHEL-06-000066" disa="366" severity="medium"> + <VMSinfo VKey="38581" SVKey="50382" VRelease="1" /> <title>The system boot loader configuration file(s) must be group-owned by root.</title> </overlay> <overlay owner="disastig" ruleid="permissions_grub_conf" ownerid="RHEL-06-000067" disa="366" severity="medium"> + <VMSinfo VKey="38583" SVKey="50384" VRelease="1" /> <title>The system boot loader configuration file(s) must have mode 0600 or less permissive.</title> </overlay> <overlay owner="disastig" ruleid="bootloader_password" ownerid="RHEL-06-000068" disa="213" severity="medium"> + <VMSinfo VKey="38585" SVKey="50386" VRelease="1" /> <title>The system boot loader must require authentication.</title> </overlay> <overlay owner="disastig" ruleid="require_singleuser_auth" ownerid="RHEL-06-000069" disa="213" severity="medium"> + <VMSinfo VKey="38586" SVKey="50387" VRelease="1" /> <title>The system must require authentication upon booting into single-user and maintenance modes.</title> </overlay> <overlay owner="disastig" ruleid="disable_interactive_boot" ownerid="RHEL-06-000070" disa="213" severity="medium"> + <VMSinfo VKey="38588" SVKey="50389" VRelease="1" /> <title>The system must not permit interactive boot.</title> </overlay> <overlay owner="disastig" ruleid="package_screen_installed" ownerid="RHEL-06-000071" disa="58" severity="low"> + <VMSinfo VKey="38590" SVKey="50391" VRelease="1" /> <title>The system must allow locking of the console screen.</title> </overlay> <overlay owner="disastig" ruleid="set_system_login_banner" ownerid="RHEL-06-000073" disa="1384, 1385, 1386, 1387, 1388" severity="medium"> + <VMSinfo VKey="38593" SVKey="50394" VRelease="1" /> <title>The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.</title> </overlay> <overlay owner="disastig" ruleid="enable_randomize_va_space" ownerid="RHEL-06-000078" disa="366" severity="medium"> + <VMSinfo VKey="38596" SVKey="50397" VRelease="1" /> <title>The system must implement virtual address space randomization.</title> </overlay> <overlay owner="disastig" ruleid="enable_execshield" ownerid="RHEL-06-000079" disa="366" severity="medium"> + <VMSinfo VKey="38597" SVKey="50398" VRelease="1" /> <title>The system must limit the ability of processes to have simultaneous write and execute access to memory.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_send_redirects" ownerid="RHEL-06-000080" disa="366" severity="medium"> + <VMSinfo VKey="38600" SVKey="50401" VRelease="1" /> <title>The system must not send ICMPv4 redirects by default.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_ipv4_all_send_redirects" ownerid="RHEL-06-000081" disa="366" severity="medium"> + <VMSinfo VKey="38601" SVKey="50402" VRelease="1" /> <title>The system must not send ICMPv4 redirects from any interface.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_ipv4_ip_forward" ownerid="RHEL-06-000082" disa="366" severity="medium"> + <VMSinfo VKey="38511" SVKey="50312" VRelease="1" /> <title>IP forwarding for IPv4 must not be enabled, unless the system is a router.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_source_route" ownerid="RHEL-06-000083" disa="366" severity="medium"> + <VMSinfo VKey="38523" SVKey="50324" VRelease="1" /> <title>The system must not accept IPv4 source-routed packets on any interface.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_redirects" ownerid="RHEL-06-000084" disa="366" severity="medium"> + <VMSinfo VKey="38524" SVKey="50325" VRelease="1" /> <title>The system must not accept ICMPv4 redirect packets on any interface.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_secure_redirects" ownerid="RHEL-06-000086" disa="366" severity="medium"> + <VMSinfo VKey="38526" SVKey="50327" VRelease="1" /> <title>The system must not accept ICMPv4 secure redirect packets on any interface.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_log_martians" ownerid="RHEL-06-000088" disa="366" severity="low"> + <VMSinfo VKey="38528" SVKey="50329" VRelease="1" /> <title>The system must log Martian packets.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_source_route" ownerid="RHEL-06-000089" disa="366" severity="medium"> + <VMSinfo VKey="38529" SVKey="50330" VRelease="1" /> <title>The system must not accept IPv4 source-routed packets by default.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_secure_redirects" ownerid="RHEL-06-000090" disa="366" severity="medium"> + <VMSinfo VKey="38532" SVKey="50333" VRelease="1" /> <title>The system must not accept ICMPv4 secure redirect packets by default.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_redirects" ownerid="RHEL-06-000091" disa="366" severity="low"> + <VMSinfo VKey="38533" SVKey="50334" VRelease="1" /> <title>The system must ignore IPv4 ICMP redirect messages.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" ownerid="RHEL-06-000092" disa="366" severity="low"> + <VMSinfo VKey="38535" SVKey="50336" VRelease="1" /> <title>The system must not respond to ICMPv4 sent to a broadcast address.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" ownerid="RHEL-06-000093" disa="366" severity="low"> + <VMSinfo VKey="38537" SVKey="50338" VRelease="1" /> <title>The system must ignore ICMPv4 bogus error responses.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_tcp_syncookies" ownerid="RHEL-06-000095" disa="1095" severity="medium"> + <VMSinfo VKey="38539" SVKey="50340" VRelease="1" /> <title>The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_rp_filter" ownerid="RHEL-06-000096" disa="366" severity="medium"> + <VMSinfo VKey="38542" SVKey="50343" VRelease="1" /> <title>The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_rp_filter" ownerid="RHEL-06-000097" disa="366" severity="medium"> + <VMSinfo VKey="38544" SVKey="50345" VRelease="1" /> <title>The system must use a reverse-path filter for IPv4 network traffic when possible by default.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_ipv6_option_disabled" ownerid="RHEL-06-000098" disa="366" severity="medium"> + <VMSinfo VKey="38546" SVKey="50347" VRelease="1" /> <title>The IPv6 protocol handler must not be bound to the network stack unless needed.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_ipv6_default_accept_redirects" ownerid="RHEL-06-000099" disa="366" severity="medium"> + <VMSinfo VKey="38548" SVKey="50349" VRelease="1" /> <title>The system must ignore ICMPv6 redirects by default.</title> </overlay> <overlay owner="disastig" ruleid="service_ip6tables_enabled" ownerid="RHEL-06-000103" disa="1118" severity="medium"> + <VMSinfo VKey="38549" SVKey="50350" VRelease="2" /> <title>The system must employ a local IPv6 firewall.</title> </overlay> <overlay owner="disastig" ruleid="service_ip6tables_enabled" ownerid="RHEL-06-000105" disa="1117" severity="medium"> <title>The system must employ a local IPv6 firewall.</title> </overlay> <overlay owner="disastig" ruleid="service_ip6tables_enabled" ownerid="RHEL-06-000106" disa="1098" severity="medium"> + <VMSinfo VKey="38551" SVKey="50352" VRelease="2" /> <title>The system must employ a local IPv6 firewall.</title> </overlay> <overlay owner="disastig" ruleid="service_ip6tables_enabled" ownerid="RHEL-06-000107" disa="1100" severity="medium"> + <VMSinfo VKey="38553" SVKey="50354" VRelease="2" /> <title>The system must employ a local IPv6 firewall.</title> </overlay> <overlay owner="disastig" ruleid="service_ip6tables_enabled" ownerid="RHEL-06-000108" disa="1097" severity="medium"> @@ -256,15 +334,18 @@ <title>The system must employ a local IPv6 firewall.</title> </overlay> <overlay owner="disastig" ruleid="service_iptables_enabled" ownerid="RHEL-06-000113" disa="1118" severity="medium"> + <VMSinfo VKey="38555" SVKey="50356" VRelease="2" /> <title>The system must employ a local IPv4 firewall.</title> </overlay> <overlay owner="disastig" ruleid="service_iptables_enabled" ownerid="RHEL-06-000115" disa="1117" severity="medium"> <title>The system must employ a local IPv4 firewall.</title> </overlay> <overlay owner="disastig" ruleid="service_iptables_enabled" ownerid="RHEL-06-000116" disa="1098" severity="medium"> + <VMSinfo VKey="38560" SVKey="50361" VRelease="2" /> <title>The system must employ a local IPv4 firewall.</title> </overlay> <overlay owner="disastig" ruleid="service_iptables_enabled" ownerid="RHEL-06-000117" disa="1100" severity="medium"> + <VMSinfo VKey="38512" SVKey="50313" VRelease="2" /> <title>The system must employ a local IPv4 firewall.</title> </overlay> <overlay owner="disastig" ruleid="service_iptables_enabled" ownerid="RHEL-06-000118" disa="1097" severity="medium"> @@ -274,6 +355,7 @@ <title>The system must employ a local IPv4 firewall.</title> </overlay> <overlay owner="disastig" ruleid="set_iptables_default_rule" ownerid="RHEL-06-000120" disa="66" severity="medium"> + <VMSinfo VKey="38513" SVKey="50314" VRelease="1" /> <title>The system's local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.</title> </overlay> <overlay owner="disastig" ruleid="set_iptables_default_rule" ownerid="RHEL-06-000121" disa="1115" severity="medium"> @@ -283,33 +365,43 @@ <title>The system's local firewall must implement a deny-all, allow-by-exception policy for inbound packets.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_dccp_disabled" ownerid="RHEL-06-000124" disa="382" severity="medium"> + <VMSinfo VKey="38514" SVKey="50315" VRelease="1" /> <title>The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_sctp_disabled" ownerid="RHEL-06-000125" disa="382" severity="medium"> + <VMSinfo VKey="38515" SVKey="50316" VRelease="1" /> <title>The Stream Control Transmission Protocol (SCTP) must be disabled unless required.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_rds_disabled" ownerid="RHEL-06-000126" disa="382" severity="low"> + <VMSinfo VKey="38516" SVKey="50317" VRelease="1" /> <title>The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_tipc_disabled" ownerid="RHEL-06-000127" disa="382" severity="medium"> + <VMSinfo VKey="38517" SVKey="50318" VRelease="1" /> <title>The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.</title> </overlay> <overlay owner="disastig" ruleid="userowner_rsyslog_files" ownerid="RHEL-06-000133" disa="1314" severity="medium"> + <VMSinfo VKey="38518" SVKey="50319" VRelease="1" /> <title>All rsyslog-generated log files must be owned by root.</title> </overlay> <overlay owner="disastig" ruleid="groupowner_rsyslog_files" ownerid="RHEL-06-000134" disa="1314" severity="medium"> + <VMSinfo VKey="38519" SVKey="50320" VRelease="1" /> <title>All rsyslog-generated log files must be group-owned by root.</title> </overlay> <overlay owner="disastig" ruleid="rsyslog_file_permissions" ownerid="RHEL-06-000135" disa="1314" severity="medium"> + <VMSinfo VKey="38623" SVKey="50424" VRelease="1" /> <title>All rsyslog-generated log files must have mode 0600 or less permissive.</title> </overlay> <overlay owner="disastig" ruleid="rsyslog_send_messages_to_logserver" ownerid="RHEL-06-000136" disa="1348" severity="medium"> + <VMSinfo VKey="38520" SVKey="50321" VRelease="1" /> <title>The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited. </title> </overlay> <overlay owner="disastig" ruleid="rsyslog_send_messages_to_logserver" ownerid="RHEL-06-000137" disa="136" severity="medium"> + <VMSinfo VKey="38521" SVKey="50322" VRelease="1" /> <title>The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.</title> </overlay> <overlay owner="disastig" ruleid="ensure_logrotate_activated" ownerid="RHEL-06-000138" disa="366" severity="low"> + <VMSinfo VKey="38624" SVKey="50425" VRelease="1" /> <title>System logs must be rotated daily.</title> </overlay> <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="RHEL-06-000139" disa="347" severity="medium"> @@ -325,9 +417,11 @@ <title>The operating system must produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. </title> </overlay> <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="RHEL-06-000145" disa="1487" severity="medium"> + <VMSinfo VKey="38628" SVKey="50429" VRelease="2" /> <title>The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.</title> </overlay> <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="RHEL-06-000148" disa="67" severity="medium"> + <VMSinfo VKey="38631" SVKey="50432" VRelease="2" /> <title>The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.</title> </overlay> <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="RHEL-06-000149" disa="158" severity="medium"> @@ -337,183 +431,240 @@ <title>The operating system must fail to an organization defined known state for organization defined types of failures. </title> </overlay> <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="RHEL-06-000154" disa="130" severity="medium"> + <VMSinfo VKey="38632" SVKey="50433" VRelease="2" /> <title>The operating system must produce audit records containing sufficient information to establish what type of events occurred.</title> </overlay> <overlay owner="disastig" ruleid="enable_auditd_bootloader" ownerid="RHEL-06-000157" disa="1464" severity="low"> <title>Auditing must be enabled at boot by setting a kernel parameter.</title> </overlay> <overlay owner="disastig" ruleid="configure_auditd_num_logs" ownerid="RHEL-06-000159" disa="366" severity="medium"> + <VMSinfo VKey="38636" SVKey="50437" VRelease="1" /> <title>The system must retain enough rotated audit logs to cover the required log retention period.</title> </overlay> <overlay owner="disastig" ruleid="configure_auditd_max_log_file" ownerid="RHEL-06-000160" disa="366" severity="medium"> + <VMSinfo VKey="38633" SVKey="50434" VRelease="1" /> <title>The system must set a maximum audit log file size.</title> </overlay> <overlay owner="disastig" ruleid="configure_auditd_max_log_file_action" ownerid="RHEL-06-000161" disa="366" severity="medium"> + <VMSinfo VKey="38634" SVKey="50435" VRelease="1" /> <title>The system must rotate audit log files that reach the maximum file size.</title> </overlay> <overlay owner="disastig" ruleid="configure_auditd_admin_space_left_action" ownerid="RHEL-06-000163" disa="1343" severity="medium"> <title>The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_adjtimex" ownerid="RHEL-06-000165" disa="169" severity="low"> + <VMSinfo VKey="38635" SVKey="50436" VRelease="1" /> <title>The audit system must be configured to audit all attempts to alter system time through adjtimex.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_settimeofday" ownerid="RHEL-06-000167" disa="169" severity="low"> + <VMSinfo VKey="38522" SVKey="50323" VRelease="1" /> <title>The audit system must be configured to audit all attempts to alter system time through settimeofday.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_stime" ownerid="RHEL-06-000169" disa="169" severity="low"> + <VMSinfo VKey="38525" SVKey="50326" VRelease="1" /> <title>The audit system must be configured to audit all attempts to alter system time through stime.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_clock_settime" ownerid="RHEL-06-000171" disa="169" severity="low"> + <VMSinfo VKey="38527" SVKey="50328" VRelease="1" /> <title>The audit system must be configured to audit all attempts to alter system time through clock_settime.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_watch_localtime" ownerid="RHEL-06-000173" disa="169" severity="low"> + <VMSinfo VKey="38530" SVKey="50331" VRelease="1" /> <title>The audit system must be configured to audit all attempts to alter system time through /etc/localtime.</title> </overlay> <overlay owner="disastig" ruleid="audit_account_changes" ownerid="RHEL-06-000174" disa="18" severity="low"> + <VMSinfo VKey="38531" SVKey="50332" VRelease="1" /> <title>The operating system must automatically audit account creation.</title> </overlay> <overlay owner="disastig" ruleid="audit_account_changes" ownerid="RHEL-06-000175" disa="1403" severity="low"> + <VMSinfo VKey="38534" SVKey="50335" VRelease="1" /> <title>The operating system must automatically audit account modification.</title> </overlay> <overlay owner="disastig" ruleid="audit_account_changes" ownerid="RHEL-06-000176" disa="1404" severity="low"> + <VMSinfo VKey="38536" SVKey="50337" VRelease="1" /> <title>The operating system must automatically audit account disabling actions.</title> </overlay> <overlay owner="disastig" ruleid="audit_account_changes" ownerid="RHEL-06-000177" disa="1405" severity="low"> + <VMSinfo VKey="38538" SVKey="50339" VRelease="1" /> <title>The operating system must automatically audit account termination.</title> </overlay> <overlay owner="disastig" ruleid="audit_network_modifications" ownerid="RHEL-06-000182" disa="366" severity="low"> + <VMSinfo VKey="38540" SVKey="50341" VRelease="1" /> <title>The audit system must be configured to audit modifications to the systems network configuration.</title> </overlay> <overlay owner="disastig" ruleid="audit_mac_changes" ownerid="RHEL-06-000183" disa="366" severity="low"> + <VMSinfo VKey="38541" SVKey="50342" VRelease="1" /> <title>The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux).</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_dac_modification_chmod" ownerid="RHEL-06-000184" disa="172" severity="low"> + <VMSinfo VKey="38543" SVKey="50344" VRelease="2" /> <title>The audit system must be configured to audit all discretionary access control permission modifications using chmod.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_dac_modification_chown" ownerid="RHEL-06-000185" disa="172" severity="low"> + <VMSinfo VKey="38545" SVKey="50346" VRelease="2" /> <title>The audit system must be configured to audit all discretionary access control permission modifications using chown.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmod" ownerid="RHEL-06-000186" disa="172" severity="low"> + <VMSinfo VKey="38547" SVKey="50348" VRelease="2" /> <title>The audit system must be configured to audit all discretionary access control permission modifications using fchmod.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmodat" ownerid="RHEL-06-000187" disa="172" severity="low"> + <VMSinfo VKey="38550" SVKey="50351" VRelease="2" /> <title>The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchown" ownerid="RHEL-06-000188" disa="172" severity="low"> + <VMSinfo VKey="38552" SVKey="50353" VRelease="2" /> <title>The audit system must be configured to audit all discretionary access control permission modifications using fchown.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchownat" ownerid="RHEL-06-000189" disa="172" severity="low"> + <VMSinfo VKey="38554" SVKey="50355" VRelease="2" /> <title>The audit system must be configured to audit all discretionary access control permission modifications using fchownat.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_dac_modification_fremovexattr" ownerid="RHEL-06-000190" disa="172" severity="low"> + <VMSinfo VKey="38556" SVKey="50357" VRelease="2" /> <title>The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_dac_modification_fsetxattr" ownerid="RHEL-06-000191" disa="172" severity="low"> + <VMSinfo VKey="38557" SVKey="50358" VRelease="2" /> <title>The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_dac_modification_lchown" ownerid="RHEL-06-000192" disa="172" severity="low"> + <VMSinfo VKey="38558" SVKey="50359" VRelease="2" /> <title>The audit system must be configured to audit all discretionary access control permission modifications using lchown.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_dac_modification_lremovexattr" ownerid="RHEL-06-000193" disa="172" severity="low"> + <VMSinfo VKey="38559" SVKey="50360" VRelease="2" /> <title>The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_dac_modification_lsetxattr" ownerid="RHEL-06-000194" disa="172" severity="low"> + <VMSinfo VKey="38561" SVKey="50362" VRelease="2" /> <title>The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_dac_modification_removexattr" ownerid="RHEL-06-000195" disa="172" severity="low"> + <VMSinfo VKey="38563" SVKey="50364" VRelease="2" /> <title>The audit system must be configured to audit all discretionary access control permission modifications using removexattr.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_dac_modification_setxattr" ownerid="RHEL-06-000196" disa="172" severity="low"> + <VMSinfo VKey="38565" SVKey="50366" VRelease="2" /> <title>The audit system must be configured to audit all discretionary access control permission modifications using setxattr.</title> </overlay> <overlay owner="disastig" ruleid="audit_file_access" ownerid="RHEL-06-000197" disa="172" severity="low"> + <VMSinfo VKey="38566" SVKey="50367" VRelease="2" /> <title>The audit system must be configured to audit failed attempts to access files and programs.</title> </overlay> <overlay owner="disastig" ruleid="audit_privileged_commands" ownerid="RHEL-06-000198" disa="40" severity="low"> + <VMSinfo VKey="38567" SVKey="50368" VRelease="2" /> <title>The audit system must be configured to audit all use of setuid programs.</title> </overlay> <overlay owner="disastig" ruleid="audit_media_exports" ownerid="RHEL-06-000199" disa="172" severity="low"> + <VMSinfo VKey="38568" SVKey="50369" VRelease="2" /> <title>The audit system must be configured to audit successful file system mounts.</title> </overlay> <overlay owner="disastig" ruleid="audit_file_deletions" ownerid="RHEL-06-000200" disa="172" severity="low"> + <VMSinfo VKey="38575" SVKey="50376" VRelease="2" /> <title>The audit system must be configured to audit user deletions of files and programs.</title> </overlay> <overlay owner="disastig" ruleid="audit_sysadmin_actions" ownerid="RHEL-06-000201" disa="172" severity="low"> + <VMSinfo VKey="38578" SVKey="50379" VRelease="1" /> <title>The audit system must be configured to audit changes to the "/etc/sudoers" file.</title> </overlay> <overlay owner="disastig" ruleid="audit_kernel_module_loading" ownerid="RHEL-06-000202" disa="172" severity="medium"> + <VMSinfo VKey="38580" SVKey="50381" VRelease="1" /> <title>The audit system must be configured to audit the loading and unloading of dynamic kernel modules.</title> </overlay> <overlay owner="disastig" ruleid="disable_xinetd" ownerid="RHEL-06-000203" disa="382" severity="medium"> + <VMSinfo VKey="38582" SVKey="50383" VRelease="2" /> <title>The xinetd service must be disabled if no network services utilizing it are enabled.</title> </overlay> <overlay owner="disastig" ruleid="uninstall_xinetd" ownerid="RHEL-06-000204" disa="382" severity="low"> + <VMSinfo VKey="38584" SVKey="50385" VRelease="1" /> <title>The xinetd service must be uninstalled if no network services utilizing it are enabled.</title> </overlay> <overlay owner="disastig" ruleid="uninstall_telnet_server" ownerid="RHEL-06-000206" disa="381" severity="high"> + <VMSinfo VKey="38587" SVKey="50388" VRelease="1" /> <title>The telnet-server package must not be installed.</title> </overlay> <overlay owner="disastig" ruleid="disable_telnet_service" ownerid="RHEL-06-000211" disa="888" severity="high"> + <VMSinfo VKey="38589" SVKey="50390" VRelease="2" /> <title>The telnet daemon must not be running.</title> </overlay> <overlay owner="disastig" ruleid="uninstall_rsh-server" ownerid="RHEL-06-000213" disa="381" severity="high"> + <VMSinfo VKey="38591" SVKey="50392" VRelease="1" /> <title>The rsh-server package must not be installed.</title> </overlay> <overlay owner="disastig" ruleid="disable_rsh" ownerid="RHEL-06-000214" disa="68" severity="high"> + <VMSinfo VKey="38594" SVKey="50395" VRelease="2" /> <title>The rshd service must not be running.</title> </overlay> <overlay owner="disastig" ruleid="disable_rexec" ownerid="RHEL-06-000216" disa="68" severity="high"> + <VMSinfo VKey="38598" SVKey="50399" VRelease="2" /> <title>The rexecd service must not be running.</title> </overlay> <overlay owner="disastig" ruleid="disable_rlogin" ownerid="RHEL-06-000218" disa="1436" severity="high"> + <VMSinfo VKey="38602" SVKey="50403" VRelease="2" /> <title>The rlogind service must not be running.</title> </overlay> <overlay owner="disastig" ruleid="uninstall_ypserv" ownerid="RHEL-06-000220" disa="381" severity="medium"> + <VMSinfo VKey="38603" SVKey="50404" VRelease="1" /> <title>The ypserv package must not be installed.</title> </overlay> <overlay owner="disastig" ruleid="disable_ypbind" ownerid="RHEL-06-000221" disa="382" severity="medium"> + <VMSinfo VKey="38604" SVKey="50405" VRelease="2" /> <title>The ypbind service must not be running.</title> </overlay> <overlay owner="disastig" ruleid="uninstall_tftp-server" ownerid="RHEL-06-000222" disa="381" severity="medium"> + <VMSinfo VKey="38606" SVKey="50407" VRelease="1" /> <title>The tftp-server package must not be installed.</title> </overlay> <overlay owner="disastig" ruleid="disable_tftp" ownerid="RHEL-06-000223" disa="1436" severity="medium"> + <VMSinfo VKey="38609" SVKey="50410" VRelease="2" /> <title>The TFTP service must not be running.</title> </overlay> <overlay owner="disastig" ruleid="service_crond_enabled" ownerid="RHEL-06-000224" disa="366" severity="medium"> + <VMSinfo VKey="38605" SVKey="50406" VRelease="2" /> <title>The cron service must be running.</title> </overlay> <overlay owner="disastig" ruleid="sshd_allow_only_protocol2" ownerid="RHEL-06-000227" disa="774" severity="high"> + <VMSinfo VKey="38607" SVKey="50408" VRelease="1" /> <title>The SSH daemon must be configured to use only the SSHv2 protocol.</title> </overlay> <overlay owner="disastig" ruleid="sshd_set_idle_timeout" ownerid="RHEL-06-000230" disa="1133" severity="low"> + <VMSinfo VKey="38608" SVKey="50409" VRelease="1" /> <title>The SSH daemon must set a timeout interval on idle sessions.</title> </overlay> <overlay owner="disastig" ruleid="sshd_set_keepalive" ownerid="RHEL-06-000231" disa="879" severity="low"> + <VMSinfo VKey="38610" SVKey="50411" VRelease="1" /> <title>The SSH daemon must set a timeout count on idle sessions.</title> </overlay> <overlay owner="disastig" ruleid="sshd_disable_rhosts" ownerid="RHEL-06-000234" disa="766" severity="medium"> + <VMSinfo VKey="38611" SVKey="50412" VRelease="1" /> <title>The SSH daemon must ignore .rhosts files.</title> </overlay> <overlay owner="disastig" ruleid="disable_host_auth" ownerid="RHEL-06-000235" disa="765" severity="medium"> <title>The SSH daemon must not allow host-based authentication.</title> </overlay> <overlay owner="disastig" ruleid="disable_host_auth" ownerid="RHEL-06-000236" disa="766" severity="medium"> + <VMSinfo VKey="38612" SVKey="50413" VRelease="1" /> <title>The SSH daemon must not allow host-based authentication.</title> </overlay> <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="RHEL-06-000237" disa="770" severity="medium"> + <VMSinfo VKey="38613" SVKey="50414" VRelease="1" /> <title>The system must not permit root logins using remote access programs such as ssh.</title> </overlay> <overlay owner="disastig" ruleid="sshd_disable_empty_passwords" ownerid="RHEL-06-000239" disa="766" severity="high"> + <VMSinfo VKey="38614" SVKey="50415" VRelease="1" /> <title>The SSH daemon must not allow authentication using an empty password.</title> </overlay> <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="RHEL-06-000240" disa="48" severity="medium"> + <VMSinfo VKey="38615" SVKey="50416" VRelease="1" /> <title>The SSH daemon must be configured with the Department of Defense (DoD) login banner.</title> </overlay> <overlay owner="disastig" ruleid="sshd_do_not_permit_user_env" ownerid="RHEL-06-000241" disa="1414" severity="low"> + <VMSinfo VKey="38616" SVKey="50417" VRelease="1" /> <title>The SSH daemon must not permit user environment settings.</title> </overlay> <overlay owner="disastig" ruleid="sshd_use_approved_ciphers" ownerid="RHEL-06-000243" disa="1144" severity="medium"> + <VMSinfo VKey="38617" SVKey="50418" VRelease="1" /> <title>The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.</title> </overlay> <overlay owner="disastig" ruleid="sshd_use_approved_ciphers" ownerid="RHEL-06-000244" disa="1145" severity="medium"> @@ -523,144 +674,189 @@ <title>The operating system must employ NSA-approved cryptography to protect classified information.</title> </overlay> <overlay owner="disastig" ruleid="disable_avahi" ownerid="RHEL-06-000246" disa="366" severity="low"> + <VMSinfo VKey="38618" SVKey="50419" VRelease="2" /> <title>The avahi service must be disabled.</title> </overlay> <overlay owner="disastig" ruleid="service_ntpd_enabled" ownerid="RHEL-06-000247" disa="160" severity="medium"> + <VMSinfo VKey="38620" SVKey="50421" VRelease="1" /> <title>The system clock must be synchronized continuously, or at least daily.</title> </overlay> <overlay owner="disastig" ruleid="ntpd_specify_remote_server" ownerid="RHEL-06-000248" disa="160" severity="medium"> + <VMSinfo VKey="38621" SVKey="50422" VRelease="1" /> <title>The system clock must be synchronized to an authoritative DoD time source.</title> </overlay> <overlay owner="disastig" ruleid="postfix_network_listening" ownerid="RHEL-06-000249" disa="382" severity="medium"> + <VMSinfo VKey="38622" SVKey="50423" VRelease="1" /> <title>Mail relaying must be restricted.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000251" disa="778" severity="medium"> <title>The operating system must uniquely identify and authenticate an organization defined list of specific devices and/or types of devices before establishing a connection.</title> </overlay> <overlay owner="disastig" ruleid="ldap_client_start_tls" ownerid="RHEL-06-000252" disa="1453" severity="medium"> + <VMSinfo VKey="38625" SVKey="50426" VRelease="1" /> <title>If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.</title> </overlay> <overlay owner="disastig" ruleid="ldap_client_tls_cacertpath" ownerid="RHEL-06-000253" disa="776" severity="medium"> + <VMSinfo VKey="38626" SVKey="50427" VRelease="1" /> <title>The LDAP client must use a TLS connection using trust certificates signed by the site CA.</title> </overlay> <overlay owner="disastig" ruleid="package_openldap-servers_removed" ownerid="RHEL-06-000256" disa="366" severity="low"> + <VMSinfo VKey="38627" SVKey="50428" VRelease="1" /> <title>The openldap-servers package must not be installed unless required.</title> </overlay> <overlay owner="disastig" ruleid="set_screensaver_inactivity_timeout" ownerid="RHEL-06-000257" disa="57" severity="medium"> + <VMSinfo VKey="38629" SVKey="50430" VRelease="2" /> <title>The graphical desktop environment must set the idle timeout to no more than 15 minutes.</title> </overlay> <overlay owner="disastig" ruleid="enable_screensaver_after_idle" ownerid="RHEL-06-000258" disa="57" severity="medium"> + <VMSinfo VKey="38630" SVKey="50431" VRelease="2" /> <title>The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user to re-authenticate to unlock the environment.</title> </overlay> <overlay owner="disastig" ruleid="enable_screensaver_password_lock" ownerid="RHEL-06-000259" disa="57" severity="medium"> + <VMSinfo VKey="38638" SVKey="50439" VRelease="2" /> <title>The graphical desktop environment must have automatic lock enabled.</title> </overlay> <overlay owner="disastig" ruleid="set_blank_screensaver" ownerid="RHEL-06-000260" disa="60" severity="low"> + <VMSinfo VKey="38639" SVKey="50440" VRelease="2" /> <title>The system must display a publicly-viewable pattern during a graphical desktop environment session lock.</title> </overlay> <overlay owner="disastig" ruleid="service_abrtd_disabled" ownerid="RHEL-06-000261" disa="382" severity="low"> + <VMSinfo VKey="38640" SVKey="50441" VRelease="2" /> <title>The Automatic Bug Reporting Tool (abrtd) service must not be running.</title> </overlay> <overlay owner="disastig" ruleid="service_atd_disabled" ownerid="RHEL-06-000262" disa="382" severity="low"> + <VMSinfo VKey="38641" SVKey="50442" VRelease="2" /> <title>The atd service must be disabled.</title> </overlay> <overlay owner="disastig" ruleid="service_autofs_disabled" ownerid="RHEL-06-000263" disa="1250" severity="low"> <title>Automated file system mounting tools must not be enabled unless needed.</title> </overlay> <overlay owner="disastig" ruleid="service_ntpdate_disabled" ownerid="RHEL-06-000265" disa="382" severity="low"> + <VMSinfo VKey="38644" SVKey="50445" VRelease="2" /> <title>The ntpdate service must not be running.</title> </overlay> <overlay owner="disastig" ruleid="service_oddjobd_disabled" ownerid="RHEL-06-000266" disa="382" severity="low"> + <VMSinfo VKey="38646" SVKey="50447" VRelease="2" /> <title>The oddjobd service must not be running.</title> </overlay> <overlay owner="disastig" ruleid="service_qpidd_disabled" ownerid="RHEL-06-000267" disa="382" severity="low"> + <VMSinfo VKey="38648" SVKey="50449" VRelease="2" /> <title>The qpidd service must not be running.</title> </overlay> <overlay owner="disastig" ruleid="service_rdisc_disabled" ownerid="RHEL-06-000268" disa="382" severity="low"> + <VMSinfo VKey="38650" SVKey="50451" VRelease="2" /> <title>The rdisc service must not be running.</title> </overlay> <overlay owner="disastig" ruleid="use_nodev_option_on_nfs_mounts" ownerid="RHEL-06-000269" disa="366" severity="medium"> + <VMSinfo VKey="38652" SVKey="50453" VRelease="1" /> <title>Remote file systems must be mounted with the "nodev" option.</title> </overlay> <overlay owner="disastig" ruleid="use_nosuid_option_on_nfs_mounts" ownerid="RHEL-06-000270" disa="366" severity="medium"> + <VMSinfo VKey="38654" SVKey="50455" VRelease="1" /> <title>Remote file systems must be mounted with the "nosuid" option.</title> </overlay> <overlay owner="disastig" ruleid="mountopt_noexec_on_removable_partitions" ownerid="RHEL-06-000271" disa="87" severity="low"> + <VMSinfo VKey="38655" SVKey="50456" VRelease="1" /> <title>The noexec option must be added to removable media partitions.</title> </overlay> <overlay owner="disastig" ruleid="require_smb_client_signing" ownerid="RHEL-06-000272" disa="366" severity="low"> + <VMSinfo VKey="38656" SVKey="50457" VRelease="1" /> <title>The system must use SMB client signing for connecting to samba servers using smbclient.</title> </overlay> <overlay owner="disastig" ruleid="require_smb_client_signing_mount.cifs" ownerid="RHEL-06-000273" disa="366" severity="low"> + <VMSinfo VKey="38657" SVKey="50458" VRelease="1" /> <title>The system must use SMB client signing for connecting to samba servers using mount.cifs.</title> </overlay> <overlay owner="disastig" ruleid="accounts_password_reuse_limit" ownerid="RHEL-06-000274" disa="200" severity="medium"> + <VMSinfo VKey="38658" SVKey="50459" VRelease="1" /> <title>The system must prohibit the reuse of passwords within twenty-four iterations.</title> </overlay> <overlay owner="disastig" ruleid="encrypt_partitions" ownerid="RHEL-06-000275" disa="1019" severity="low"> + <VMSinfo VKey="38659" SVKey="50460" VRelease="1" /> <title>The operating system must employ cryptographic mechanisms to protect information in storage.</title> </overlay> <overlay owner="disastig" ruleid="encrypt_partitions" ownerid="RHEL-06-000276" disa="1199" severity="low"> + <VMSinfo VKey="38661" SVKey="50462" VRelease="1" /> <title>The operating system must protect the confidentiality and integrity of data at rest. </title> </overlay> <overlay owner="disastig" ruleid="encrypt_partitions" ownerid="RHEL-06-000277" disa="1200" severity="low"> + <VMSinfo VKey="38662" SVKey="50463" VRelease="1" /> <title>The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000278" disa="1493" severity="medium"> + <VMSinfo VKey="38663" SVKey="50464" VRelease="1" /> <title>The system package management tool must verify permissions on all files and directories associated with the "audit" package.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000279" disa="1494" severity="medium"> + <VMSinfo VKey="38664" SVKey="50465" VRelease="1" /> <title>The system package management tool must verify ownership on all files and directories associated with the "audit" package.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000280" disa="1495" severity="medium"> + <VMSinfo VKey="38665" SVKey="50466" VRelease="1" /> <title>The system package management tool must verify group-ownership on all files and directories associated with the "audit" package.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000281" disa="1496" severity="medium"> + <VMSinfo VKey="38637" SVKey="50438" VRelease="2" /> <title>The system package management tool must verify contents of all files associated with the audit package.</title> </overlay> <overlay owner="disastig" ruleid="world_writeable_files" ownerid="RHEL-06-000282" disa="366" severity="medium"> + <VMSinfo VKey="38643" SVKey="50444" VRelease="2" /> <title>There must be no world-writable files on the system.</title> </overlay> <overlay owner="disastig" ruleid="install_antivirus" ownerid="RHEL-06-000284" disa="1668" severity="high"> + <VMSinfo VKey="38666" SVKey="50467" VRelease="1" /> <title>The system must use and update a DoD-approved virus scan program.</title> </overlay> <overlay owner="disastig" ruleid="install_hids" ownerid="RHEL-06-000285" disa="1263" severity="medium"> + <VMSinfo VKey="38667" SVKey="50468" VRelease="1" /> <title>The system must have a host-based intrusion detection tool installed.</title> </overlay> <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" ownerid="RHEL-06-000286" disa="366" severity="high"> + <VMSinfo VKey="38668" SVKey="50469" VRelease="1" /> <title>The x86 Ctrl-Alt-Delete key sequence must be disabled.</title> </overlay> <overlay owner="disastig" ruleid="service_postfix_enabled" ownerid="RHEL-06-000287" disa="366" severity="low"> + <VMSinfo VKey="38669" SVKey="50470" VRelease="1" /> <title>The postfix service must be enabled for mail delivery.</title> </overlay> <overlay owner="disastig" ruleid="package_sendmail_removed" ownerid="RHEL-06-000288" disa="366" severity="medium"> + <VMSinfo VKey="38671" SVKey="50472" VRelease="1" /> <title>The sendmail package must be removed.</title> </overlay> <overlay owner="disastig" ruleid="service_netconsole_disabled" ownerid="RHEL-06-000289" disa="382" severity="low"> + <VMSinfo VKey="38672" SVKey="50473" VRelease="2" /> <title>The netconsole service must be disabled unless required.</title> </overlay> <overlay owner="disastig" ruleid="disable_xwindows_with_runlevel" ownerid="RHEL-06-000290" disa="1436" severity="medium"> + <VMSinfo VKey="38674" SVKey="50475" VRelease="1" /> <title>X Windows must not be enabled unless required.</title> </overlay> <overlay owner="disastig" ruleid="packagegroup_xwindows_remove" ownerid="RHEL-06-000291" disa="366" severity="low"> + <VMSinfo VKey="38676" SVKey="50477" VRelease="1" /> <title>The xorg-x11-server-common (X Windows) package must not be installed, unless required.</title> </overlay> <overlay owner="disastig" ruleid="disable_dhcp_client" ownerid="RHEL-06-000292" disa="366" severity="medium"> + <VMSinfo VKey="38679" SVKey="50480" VRelease="1" /> <title>The DHCP client must be disabled if not needed.</title> </overlay> <overlay owner="disastig" ruleid="gid_passwd_group_same" ownerid="RHEL-06-000294" disa="366" severity="low"> + <VMSinfo VKey="38681" SVKey="50482" VRelease="1" /> <title>All GIDs referenced in /etc/passwd must be defined in /etc/group</title> </overlay> <overlay owner="disastig" ruleid="account_unique_name" ownerid="RHEL-06-000296" disa="804" severity="low"> + <VMSinfo VKey="38683" SVKey="50484" VRelease="1" /> <title>All accounts on the system must have unique user or account names</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000297" disa="16" severity="low"> + <VMSinfo VKey="38685" SVKey="50486" VRelease="1" /> <title>Temporary accounts must be provisioned with an expiration date.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000298" disa="1682" severity="low"> + <VMSinfo VKey="38690" SVKey="50491" VRelease="1" /> <title>Emergency accounts must be provisioned with an expiration date.</title> </overlay> <overlay owner="disastig" ruleid="password_require_consecrepeat" ownerid="RHEL-06-000299" disa="366" severity="low"> + <VMSinfo VKey="38693" SVKey="50494" VRelease="1" /> <title>The system must require passwords to contain no more than three consecutive repeating characters.</title> </overlay> <overlay owner="disastig" ruleid="no_files_unowned_by_user" ownerid="RHEL-06-000300" disa="224" severity="low"> @@ -670,111 +866,146 @@ <title>All files must be owned by a group.</title> </overlay> <overlay owner="disastig" ruleid="aide_periodic_cron_checking" ownerid="RHEL-06-000302" disa="374" severity="medium"> + <VMSinfo VKey="38695" SVKey="50496" VRelease="1" /> <title>A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.</title> </overlay> <overlay owner="disastig" ruleid="aide_periodic_cron_checking" ownerid="RHEL-06-000303" disa="416" severity="medium"> + <VMSinfo VKey="38696" SVKey="50497" VRelease="1" /> <title>The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.</title> </overlay> <overlay owner="disastig" ruleid="aide_periodic_cron_checking" ownerid="RHEL-06-000304" disa="1069" severity="medium"> + <VMSinfo VKey="38698" SVKey="50499" VRelease="1" /> <title>The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.</title> </overlay> <overlay owner="disastig" ruleid="aide_periodic_cron_checking" ownerid="RHEL-06-000305" disa="1263" severity="medium"> + <VMSinfo VKey="38700" SVKey="50501" VRelease="1" /> <title>The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs. </title> </overlay> <overlay owner="disastig" ruleid="aide_periodic_cron_checking" ownerid="RHEL-06-000306" disa="1297" severity="medium"> + <VMSinfo VKey="38670" SVKey="50471" VRelease="1" /> <title>The operating system must detect unauthorized changes to software and information. </title> </overlay> <overlay owner="disastig" ruleid="aide_periodic_cron_checking" ownerid="RHEL-06-000307" disa="1589" severity="medium"> + <VMSinfo VKey="38673" SVKey="50474" VRelease="1" /> <title>The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.</title> </overlay> <overlay owner="disastig" ruleid="disable_users_coredumps" ownerid="RHEL-06-000308" disa="366" severity="low"> + <VMSinfo VKey="38675" SVKey="50476" VRelease="1" /> <title>Process core dumps must be disabled unless needed.</title> </overlay> <overlay owner="disastig" ruleid="no_insecure_locks_exports" ownerid="RHEL-06-000309" disa="764" severity="high"> + <VMSinfo VKey="38677" SVKey="50478" VRelease="1" /> <title>The NFS server must not have the insecure file locking option enabled.</title> </overlay> <overlay owner="disastig" ruleid="auditd_data_retention_space_left_action" ownerid="RHEL-06-000311" disa="143" severity="medium"> + <VMSinfo VKey="38678" SVKey="50479" VRelease="1" /> <title>The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.</title> </overlay> <overlay owner="disastig" ruleid="auditd_data_retention_action_mail_acct" ownerid="RHEL-06-000313" disa="139" severity="medium"> + <VMSinfo VKey="38680" SVKey="50481" VRelease="1" /> <title>The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_bluetooth_disabled" ownerid="RHEL-06-000315" disa="85" severity="medium"> + <VMSinfo VKey="38682" SVKey="50483" VRelease="1" /> <title>The Bluetooth kernel module must be disabled.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-06-000317" disa="1250" severity="medium"> <title>The system must have USB Mass Storage disabled unless needed.</title> </overlay> <overlay owner="disastig" ruleid="accounts_max_concurrent_login_sessions" ownerid="RHEL-06-000319" disa="54" severity="low"> + <VMSinfo VKey="38684" SVKey="50485" VRelease="1" /> <title>The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.</title> </overlay> <overlay owner="disastig" ruleid="set_iptables_default_rule_forward" ownerid="RHEL-06-000320" disa="1109" severity="medium"> + <VMSinfo VKey="38686" SVKey="50487" VRelease="1" /> <title>The system's local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.</title> </overlay> <overlay owner="disastig" ruleid="install_openswan" ownerid="RHEL-06-000321" disa="1130" severity="low"> + <VMSinfo VKey="38687" SVKey="50488" VRelease="1" /> <title>The system must provide VPN connectivity for communications over untrusted networks.</title> </overlay> <overlay owner="disastig" ruleid="enable_gdm_login_banner" ownerid="RHEL-06-000324" disa="50" severity="medium"> + <VMSinfo VKey="38688" SVKey="50489" VRelease="2" /> <title>A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.</title> </overlay> <overlay owner="disastig" ruleid="set_gdm_login_banner_text" ownerid="RHEL-06-000326" disa="1384, 1385, 1386, 1387, 1388" severity="medium"> + <VMSinfo VKey="38689" SVKey="50490" VRelease="2" /> <title>The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.</title> </overlay> <overlay owner="disastig" ruleid="service_bluetooth_disabled" ownerid="RHEL-06-000331" disa="85" severity="medium"> + <VMSinfo VKey="38691" SVKey="50492" VRelease="1" /> <title>The Bluetooth service must be disabled.</title> </overlay> <overlay owner="disastig" ruleid="account_disable_post_pw_expiration" ownerid="RHEL-06-000334" disa="17" severity="low"> + <VMSinfo VKey="38692" SVKey="50493" VRelease="1" /> <title>Accounts must be locked upon 35 days of inactivity.</title> </overlay> <overlay owner="disastig" ruleid="account_disable_post_pw_expiration" ownerid="RHEL-06-000335" disa="795" severity="low"> + <VMSinfo VKey="38694" SVKey="50495" VRelease="1" /> <title>The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.</title> </overlay> <overlay owner="disastig" ruleid="sticky_world_writable_dirs" ownerid="RHEL-06-000336" disa="366" severity="low"> + <VMSinfo VKey="38697" SVKey="50498" VRelease="2" /> <title>The sticky bit must be set on all public directories.</title> </overlay> <overlay owner="disastig" ruleid="world_writable_files_system_ownership" ownerid="RHEL-06-000337" disa="366" severity="low"> + <VMSinfo VKey="38699" SVKey="50500" VRelease="2" /> <title>All public directories must be owned by a system account.</title> </overlay> <overlay owner="disastig" ruleid="tftpd_uses_secure_mode" ownerid="RHEL-06-000338" disa="366" severity="high"> + <VMSinfo VKey="38701" SVKey="50502" VRelease="1" /> <title>The TFTP daemon must operate in "secure mode" which provides access only to a single directory on the host file system.</title> </overlay> <overlay owner="disastig" ruleid="ftp_log_transactions" ownerid="RHEL-06-000339" disa="130" severity="low"> + <VMSinfo VKey="38702" SVKey="50503" VRelease="1" /> <title>The FTP daemon must be configured for logging or verbose mode.</title> </overlay> <overlay owner="disastig" ruleid="snmpd_use_newer_protocol" ownerid="RHEL-06-000340" disa="366" severity="medium"> + <VMSinfo VKey="38660" SVKey="50461" VRelease="1" /> <title>The snmpd service must use only SNMP protocol version 3 or newer.</title> </overlay> <overlay owner="disastig" ruleid="snmpd_not_default_password" ownerid="RHEL-06-000341" disa="366" severity="high"> + <VMSinfo VKey="38653" SVKey="50454" VRelease="1" /> <title>The snmpd service must not use a default password.</title> </overlay> <overlay owner="disastig" ruleid="accounts_umask_bashrc" ownerid="RHEL-06-000342" disa="366" severity="low"> + <VMSinfo VKey="38651" SVKey="50452" VRelease="1" /> <title>The system default umask for the bash shell must be 077.</title> </overlay> <overlay owner="disastig" ruleid="accounts_umask_cshrc" ownerid="RHEL-06-000343" disa="366" severity="low"> + <VMSinfo VKey="38649" SVKey="50450" VRelease="1" /> <title>The system default umask for the csh shell must be 077.</title> </overlay> <overlay owner="disastig" ruleid="accounts_umask_etc_profile" ownerid="RHEL-06-000344" disa="366" severity="low"> + <VMSinfo VKey="38647" SVKey="50448" VRelease="1" /> <title>The system default umask in /etc/profile must be 077.</title> </overlay> <overlay owner="disastig" ruleid="accounts_umask_login_defs" ownerid="RHEL-06-000345" disa="366" severity="low"> + <VMSinfo VKey="38645" SVKey="50446" VRelease="1" /> <title>The system default umask in /etc/login.defs must be 077.</title> </overlay> <overlay owner="disastig" ruleid="umask_for_daemons" ownerid="RHEL-06-000346" disa="366" severity="low"> + <VMSinfo VKey="38642" SVKey="50443" VRelease="1" /> <title>The system default umask for daemons must be 027 or 022.</title> </overlay> <overlay owner="disastig" ruleid="no_netrc_files" ownerid="RHEL-06-000347" disa="196" severity="medium"> + <VMSinfo VKey="38619" SVKey="50420" VRelease="1" /> <title>There must be no .netrc files on the system.</title> </overlay> <overlay owner="disastig" ruleid="ftp_present_banner" ownerid="RHEL-06-000348" disa="48" severity="medium"> + <VMSinfo VKey="38599" SVKey="50400" VRelease="1" /> <title>The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.</title> </overlay> <overlay owner="disastig" ruleid="smartcard_auth" ownerid="RHEL-06-000349" disa="765" severity="medium"> + <VMSinfo VKey="38595" SVKey="50396" VRelease="1" /> <title>The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.</title> </overlay> <overlay owner="disastig" ruleid="deny_password_attempts_unlock_time" ownerid="RHEL-06-000356" disa="47" severity="medium"> + <VMSinfo VKey="38592" SVKey="50393" VRelease="1" /> <title>The system must require administrator action to unlock an account locked by excessive failed login attempts.</title> </overlay> <overlay owner="disastig" ruleid="accounts_passwords_pam_fail_interval" ownerid="RHEL-06-000357" disa="1452" severity="medium"> + <VMSinfo VKey="38501" SVKey="50302" VRelease="2" /> <title>The system must disable accounts after excessive login failures within a 15-minute interval.</title> </overlay> <overlay owner="disastig" ruleid="unselected" ownerid="RHEL-06-000359" disa="20" severity="medium"> @@ -823,12 +1054,15 @@ <title>The operating system must use internal system clocks to generate time stamps for audit records.</title> </overlay> <overlay owner="disastig" ruleid="audit_logs_permissions" ownerid="RHEL-06-000383" disa="163" severity="medium"> + <VMSinfo VKey="38498" SVKey="50299" VRelease="1" /> <title>Audit log files must have mode 0640 or less permissive.</title> </overlay> <overlay owner="disastig" ruleid="audit_logs_rootowner" ownerid="RHEL-06-000384" disa="162" severity="medium"> + <VMSinfo VKey="38495" SVKey="50296" VRelease="1" /> <title>Audit log files must be owned by root.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000385" disa="164" severity="medium"> + <VMSinfo VKey="38493" SVKey="50294" VRelease="1" /> <title>Audit log directories must have mode 0755 or less permissive.</title> </overlay> <overlay owner="disastig" ruleid="met_inherently_generic" ownerid="RHEL-06-000387" disa="171" severity="medium"> @@ -994,30 +1228,39 @@ <title>The operating system must respond to security function anomalies in accordance with organization defined responses and alternative action(s).</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-06-000503" disa="86" severity="medium"> + <VMSinfo VKey="38490" SVKey="50291" VRelease="1" /> <title>The system must have USB Mass Storage disabled unless needed.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000504" disa="535" severity="medium"> + <VMSinfo VKey="38488" SVKey="50289" VRelease="1" /> <title>The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000505" disa="537" severity="medium"> + <VMSinfo VKey="38486" SVKey="50287" VRelease="1" /> <title>The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000506" disa="52" severity="medium"> + <VMSinfo VKey="38485" SVKey="50286" VRelease="1" /> <title>The operating system, upon successful logon, must display to the user the date and time of the last logon or access via a local console or tty.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000507" disa="52" severity="medium"> + <VMSinfo VKey="38484" SVKey="50285" VRelease="1" /> <title>The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000508" disa="58" severity="low"> + <VMSinfo VKey="38474" SVKey="50274" VRelease="1" /> <title>The system must allow locking of graphical desktop sessions.</title> </overlay> <overlay owner="disastig" ruleid="configure_auditd_audispd" ownerid="RHEL-06-000509" disa="136" severity="low"> + <VMSinfo VKey="38471" SVKey="50271" VRelease="1" /> <title>The system must forward audit records to the syslog service.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000510" disa="140" severity="medium"> + <VMSinfo VKey="38468" SVKey="50268" VRelease="1" /> <title>The audit system must take appropriate action when the audit storage volume is full.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000511" disa="140" severity="medium"> + <VMSinfo VKey="38464" SVKey="50264" VRelease="1" /> <title>The audit system must take appropriate action when there are disk errors on the audit storage volume.</title> </overlay> <overlay owner="disastig" ruleid="unmet_finding_nonselected" ownerid="RHEL-06-000512" disa="144" severity="medium"> @@ -1027,39 +1270,51 @@ <title>The audit system must alert designated staff members when audit storage volume is generating disk errors.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000514" disa="352" severity="high"> + <VMSinfo VKey="38462" SVKey="50262" VRelease="1" /> <title>The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000515" disa="764" severity="low"> + <VMSinfo VKey="38460" SVKey="50260" VRelease="1" /> <title>The NFS server must not have the all_squash option enabled.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000516" disa="366" severity="low"> + <VMSinfo VKey="38454" SVKey="50254" VRelease="1" /> <title>The system package management tool must verify ownership on all files and directories associated with packages.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000517" disa="366" severity="low"> + <VMSinfo VKey="38453" SVKey="50253" VRelease="1" /> <title>The system package management tool must verify group-ownership on all files and directories associated with packages.</title> </overlay> <overlay owner="disastig" ruleid="rpm_verify_permissions" ownerid="RHEL-06-000518" disa="366" severity="low"> + <VMSinfo VKey="38452" SVKey="50252" VRelease="1" /> <title>The system package management tool must verify permissions on all files and directories associated with packages.</title> </overlay> <overlay owner="disastig" ruleid="rpm_verify_hashes" ownerid="RHEL-06-000519" disa="366" severity="low"> + <VMSinfo VKey="38447" SVKey="50247" VRelease="2" /> <title>The system package management tool must verify contents of all files associated with packages.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000521" disa="366" severity="medium"> + <VMSinfo VKey="38446" SVKey="50246" VRelease="1" /> <title>The mail system must forward all mail for root to one or more system administrators.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000522" disa="162" severity="medium"> + <VMSinfo VKey="38445" SVKey="50245" VRelease="1" /> <title>Audit log files must be group-owned by root.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000523" disa="66" severity="medium"> + <VMSinfo VKey="38444" SVKey="50244" VRelease="1" /> <title>The system's local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000524" disa="15" severity="low"> + <VMSinfo VKey="38439" SVKey="50239" VRelease="1" /> <title>The system must provide automated support for account management functions.</title> </overlay> <overlay owner="disastig" ruleid="enable_auditd_bootloader" ownerid="RHEL-06-000525" disa="169" severity="low"> + <VMSinfo VKey="38438" SVKey="50238" VRelease="1" /> <title>Auditing must be enabled at boot by setting a kernel parameter.</title> </overlay> <overlay owner="disastig" ruleid="service_autofs_disabled" ownerid="RHEL-06-000526" disa="366" severity="low"> + <VMSinfo VKey="38437" SVKey="50237" VRelease="1" /> <title>Automated file system mounting tools must not be enabled unless needed.</title> </overlay> <overlay owner="disastig" ruleid="unmet_nonfinding_scope" ownerid="SRG-OS-000006-NA" disa="21" severity="medium"> -- 1.7.1

2 2

[PATCH 2/3] fix type mismatch
by Steinke, Leland J Sr CTR DISA DD (US) 18 Nov '13

18 Nov '13

Fixed an apparent type mismatch for the Value "inactivity_timeout_value". Thanks, Leland -- Leland Steinke, Security+ DISA FSO Technical Support Contractor tapestry technologies, Inc 717-267-5797 (DSN 570) leland.j.steinke.ctr(a)mail.mil (gov't) lsteinke(a)tapestrytech.com (com'l) --- RHEL6/input/system/accounts/physical.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml index ead411a..e0bc55d 100644 --- a/RHEL6/input/system/accounts/physical.xml +++ b/RHEL6/input/system/accounts/physical.xml @@ -238,7 +238,7 @@ enforcing preferences in the GNOME environment using the GConf configuration system, see http://projects.gnome.org/gconf and the man page <tt>gconftool-2(1)</tt>.</description> -<Value id="inactivity_timeout_value" type="string" operator="equals"> +<Value id="inactivity_timeout_value" type="number" operator="equals"> <title>Inactivity timeout</title> <description>Choose allowed duration of inactive SSH connections, shells, and X sessions</description> <value>15</value> -- 1.7.1

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide November 2013