This continues the effort to document how the guidance or product satisfies (or does not satisfy) requirements from the OS SRG. Thanks to DISA FSO for this feedback/patches.
Jeffrey Blank (4):
  improved checks and text so that unlabeled devices are recursively sought
  added new Rule for temporary account expiration, also to stig profile
  SRG mapping fixups per FSO, new alt-titles
  minor wording tweaks to account expiration, for consistency
 RHEL6/input/auxiliary/alt-titles-stig.xml          |  5 +++-
 RHEL6/input/auxiliary/srg_support.xml              |  2 +-
 .../checks/selinux_all_devicefiles_labeled.xml     |  1 +
 RHEL6/input/profiles/stig-rhel6-server.xml         |  1 +
 .../accounts/restrictions/account_expiration.xml   | 29 ++++++++++++++++++-
 RHEL6/input/system/network/iptables.xml            |  2 +-
 RHEL6/input/system/selinux.xml                     |  2 +-
 7 files changed, 36 insertions(+), 6 deletions(-)
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 .../checks/selinux_all_devicefiles_labeled.xml |  1 +
 RHEL6/input/system/selinux.xml                 |  2 +-
 2 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/checks/selinux_all_devicefiles_labeled.xml b/RHEL6/input/checks/selinux_all_devicefiles_labeled.xml index c1acd8c..affef3d 100644 --- a/RHEL6/input/checks/selinux_all_devicefiles_labeled.xml +++ b/RHEL6/input/checks/selinux_all_devicefiles_labeled.xml @@ -16,6 +16,7 @@ <linux:state state_ref="state_selinux_all_devicefiles_labeled" /> </linux:selinuxsecuritycontext_test> <linux:selinuxsecuritycontext_object comment="unlabeled_t in /dev" id="object_selinux_all_devicefiles_labeled" version="1"> + <linux:behaviors recurse_direction="down" /> linux:path/dev</linux:path> <linux:filename operation="pattern match">^.*$</linux:filename> <filter action="include">state_selinux_all_devicefiles_labeled</filter> diff --git a/RHEL6/input/system/selinux.xml b/RHEL6/input/system/selinux.xml index 4ac37b3..543f3a9 100644 --- a/RHEL6/input/system/selinux.xml +++ b/RHEL6/input/system/selinux.xml @@ -236,7 +236,7 @@ files carry the SELinux type <tt>unlabeled_t</tt>, investigate the cause and correct the file's context. </description> <ocil clause="there is output">To check for unlabeled device files, run the following command: -<pre># ls -Z /dev | grep unlabeled_t</pre> +<pre># ls -RZ /dev | grep unlabeled_t</pre> It should produce no output in a well-configured system.</ocil> <rationale> If a device file carries the SELinux type <tt>unlabeled_t</tt>, then SELinux
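Review bot: as rendered in this hunk the object's path element reads `linux:path/dev</linux:path>` with no opening `<linux:path>` tag; confirm the committed file actually contains `<linux:path>/dev</linux:path>`, otherwise the OVAL definition will not parse. The added `<linux:behaviors recurse_direction="down" />` makes the object walk every subdirectory of /dev (the OVAL default is no recursion), which matches the `ls -RZ /dev` change in the OCIL; the rule description in the surrounding context still talks only about files carrying `unlabeled_t` without saying the check is recursive, so consider wording it to match the new behaviour.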
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/profiles/stig-rhel6-server.xml         |  1 +
 .../accounts/restrictions/account_expiration.xml   | 28 ++++++++++++++++++-
 2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/profiles/stig-rhel6-server.xml b/RHEL6/input/profiles/stig-rhel6-server.xml index f5b8d6f..af213d3 100644 --- a/RHEL6/input/profiles/stig-rhel6-server.xml +++ b/RHEL6/input/profiles/stig-rhel6-server.xml @@ -26,6 +26,7 @@
<select idref="gid_passwd_group_same" selected="true"/> <select idref="account_unique_name" selected="true"/> +<select idref="account_temp_expire_date" selected="true"/>
<select idref="password_require_consecrepeat" selected="true"/>
diff --git a/RHEL6/input/system/accounts/restrictions/account_expiration.xml b/RHEL6/input/system/accounts/restrictions/account_expiration.xml index 2e8c8f4..ee213d5 100644 --- a/RHEL6/input/system/accounts/restrictions/account_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/account_expiration.xml @@ -62,7 +62,7 @@ who may have compromised their credentials. </Rule>
<Rule id="account_unique_name"> -<title>All Accounts on the System Must Have Unique User or Account Names</title> +<title>Ensure All Accounts on the System Have Unique Names</title> <description> Change usernames, or delete accounts, so each has a unique name. </description> @@ -72,9 +72,33 @@ Run the following command to check for duplicate account names: If there are no duplicate names, no line will be returned. </ocil> <rationale> -Unique usernames allow for accountability on the system. +Unique usernames allow for accountability on the system. </rationale> <ref disa="770,804"/> </Rule>
+<Rule id="account_temp_expire_date"> +<title>Assign Expiration Date to Temporary Accounts</title> +<description> +In the event temporary or emergency accounts are required, configure the system +to terminate them after a documented time period. For every temporary and +emergency account, run the following command to set an expiration date on it: +<pre># chage -E <i>YYYY-MM-DD</i> <i>username of temporary or emergency account</i></pre> +<tt><i>YYYY-MM-DD</i></tt> indicates the documented expiration date for the account. +</description> +<ocil clause="any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame"> +Run the following command to obtain a list of all temporary and emergency +accounts on the system: +<pre># chage -l <i>username of temporary or emergency account</i></pre> +Verify each of these accounts has an expiration date set as documented. +</ocil> +<rationale> +When temporary and emergency accounts are created, there is a risk they may +remain in place and active after the need for them no longer exists. Account +expiration greatly reduces the risk of accounts being misused or hijacked. +<br/> +</rationale> +<ref disa="16,1682"/> +</Rule> + </Group>
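Review bot: the new `account_temp_expire_date` rule carries only an `<ocil>` manual check and no `<oval>` or `<ident cce>` element, unlike the other rules touched in this series (the iptables rule in a later patch has both), so it will be manual-only in generated content; if that is intended, it should be stated in the commit message. The `<br/>` left dangling at the end of `<rationale>` looks like a leftover and should be removed. The OCIL text also says `chage -l` obtains a list of all temporary and emergency accounts, but `chage -l` prints the aging information for the one account named on its command line and does not enumerate accounts; the fourth patch in this series reworks that wording, so this only matters if the patches are applied separately.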
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/auxiliary/srg_support.xml              |  2 +-
 RHEL6/input/system/network/iptables.xml            |  2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/auxiliary/srg_support.xml b/RHEL6/input/auxiliary/srg_support.xml index b19b8d0..6386c76 100644 --- a/RHEL6/input/auxiliary/srg_support.xml +++ b/RHEL6/input/auxiliary/srg_support.xml @@ -134,7 +134,7 @@ application, policy, or service. This requirement is NA. <description> This requirement is NA. No fix is required. </description> -<ref disa="15,371,372,535,537,539,1682,370,37,24,1112,1126,1143,1149,1157,1159,1210,1211,1274,1372,1376,1377,1352,1401,1555,1556,1150" /> +<ref disa="15,27,371,372,535,537,539,1682,370,37,24,1112,1126,1143,1149,1157,1159,1210,1211,1274,1372,1376,1377,1352,1401,1555,1556,1150" /> </Rule>
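Review bot: CCI 1682 remains in this "requirement is NA" list on both the old and the new `<ref disa=...>` line, while the `account_temp_expire_date` rule added earlier in this series also claims `<ref disa="16,1682"/>`; one CCI should not be mapped both as not applicable and as satisfied by a rule, so drop 1682 here if the new rule is meant to cover it. Adding 27 to this list is consistent with its removal from the iptables rule's ref in the same patch.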
diff --git a/RHEL6/input/system/network/iptables.xml b/RHEL6/input/system/network/iptables.xml index cf39f23..e07d953 100644 --- a/RHEL6/input/system/network/iptables.xml +++ b/RHEL6/input/system/network/iptables.xml @@ -75,7 +75,7 @@ capability for IPv4 and ICMP. </rationale> <ident cce="4189-7" /> <oval id="service_iptables_enabled" /> -<ref nist="CM-6, CM-7" disa="66,1115,1118,1092,27,1117,1098,1100,1097,1414" /> +<ref nist="CM-6, CM-7" disa="32,66,1115,1118,1092,1117,1098,1100,1097,1414" /> <tested by="DS" on="20121024"/> </Rule> </Group><!--<Group id="iptables_activation">-->
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/auxiliary/alt-titles-stig.xml          |  5 ++++-
 .../accounts/restrictions/account_expiration.xml   | 11 ++++++-----
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/RHEL6/input/auxiliary/alt-titles-stig.xml b/RHEL6/input/auxiliary/alt-titles-stig.xml index 915bd1a..cf6e6a4 100644 --- a/RHEL6/input/auxiliary/alt-titles-stig.xml +++ b/RHEL6/input/auxiliary/alt-titles-stig.xml @@ -704,7 +704,7 @@ All files must be owned by a group. <title rule="gid_passwd_group_same" shorttitle="All GIDs referenced in /etc/passwd must be defined in /etc/group"> All GIDs referenced in /etc/passwd must be defined in /etc/group </title> -<title rule="account_unique_name" shorttitle="All Accounts on the System Must Have Unique User or Account Names"> +<title rule="account_unique_name" shorttitle="Ensure All Accounts on the System Have Unique Names"> All accounts on the system must have unique user or account names </title> <title rule="password_require_consecrepeat" shorttitle="Set Password to Maximum of Three Consecutive Repeating Characters"> @@ -749,4 +749,7 @@ The snmpd service must use only SNMP protocol version 3 or newer. <title rule="snmpd_not_default_password" shorttitle="Ensure Default Password Is Not Used"> The snmpd service must not use a default password. </title> +<title rule="expire_date_set" shorttitle="Assign Expiration Date to Temporary Accounts"> +Temporary and emergency accounts must be provisioned with an expiration date. +</title> </titles> diff --git a/RHEL6/input/system/accounts/restrictions/account_expiration.xml b/RHEL6/input/system/accounts/restrictions/account_expiration.xml index ee213d5..9b2ad28 100644 --- a/RHEL6/input/system/accounts/restrictions/account_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/account_expiration.xml 
@@ -82,14 +82,15 @@ Unique usernames allow for accountability on the system. <description> In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time period. For every temporary and -emergency account, run the following command to set an expiration date on it: -<pre># chage -E <i>YYYY-MM-DD</i> <i>username of temporary or emergency account</i></pre> +emergency account, run the following command to set an expiration date on it, +substituting <tt><i>USER</i></tt> and <tt><i>YYYY-MM-DD</i></tt> appropriately: +<pre># chage -E <i>YYYY-MM-DD USER</i></pre> <tt><i>YYYY-MM-DD</i></tt> indicates the documented expiration date for the account. </description> <ocil clause="any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame"> -Run the following command to obtain a list of all temporary and emergency -accounts on the system: -<pre># chage -l <i>username of temporary or emergency account</i></pre> +For every temporary and emergency account, run the following command +to obtain its account aging and expiration information: +<pre># chage -l <i>USER</i></pre> Verify each of these accounts has an expiration date set as documented. </ocil> <rationale>
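Review bot: the new alt-title entry is attached to `rule="expire_date_set"`, but the Rule added in the second patch and selected in the STIG profile has id `account_temp_expire_date`; the titles file keys on the rule id, so this entry will match nothing and the STIG-specific title will never be applied. Change it to `rule="account_temp_expire_date"`. The account_expiration.xml wording change in the same patch, which replaces the claim that `chage -l` lists all temporary accounts with a per-account check of its aging output, correctly describes what the command does.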
scap-security-guide@lists.fedorahosted.org