* trying to ensure that if a Rule is denoted as satisfying a CCI, that it is included in the STIG-server profile
Jeffrey Blank (4):
  added new Value for remembering 24 passwords
    * which increases number of hashes that can be harvested at any one time
    * and is apparently also some kind of policy requirement
  added DoD banner (with minor changes) from RHEL 5 STIG
  added Rules to the common and STIG-server Profiles to make them more complete
    * driven by addition of CCI references to Rules identified by verify-references.py
  deprecating Rules which call for deletion of kernel modules in favor of disabling them

 RHEL6/input/profiles/STIG-server.xml        |   26 ++++++++++++++++++++++++--
 RHEL6/input/profiles/common.xml             |   17 +++++++++++++++++
 RHEL6/input/system/accounts/banners.xml     |    7 +++++++
 RHEL6/input/system/accounts/pam.xml         |    6 +++++-
 RHEL6/input/system/network/wireless.xml     |    4 ++--
 RHEL6/input/system/permissions/mounting.xml |    4 +++-
 6 files changed, 58 insertions(+), 6 deletions(-)
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/system/accounts/pam.xml |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml index 5be75e2..97193d9 100644 --- a/RHEL6/input/system/accounts/pam.xml +++ b/RHEL6/input/system/accounts/pam.xml @@ -53,6 +53,7 @@ frequently.</description> <value selector="0">0</value> <value selector="5">5</value> <value selector="10">10</value> +<value selector="24">24</value> </Value>
<Group id="password_quality"> @@ -361,7 +362,10 @@ the password line which uses the <tt>pam_unix</tt> module in the file <tt>/etc/pam.d/system-auth</tt>, as shown: <pre>password sufficient pam_unix.so existing_options remember=<sub idref="password_history_retain_number" /></pre> Old (and thus no longer valid) passwords are stored in the -file <tt>/etc/security/opasswd</tt>.</description> +file <tt>/etc/security/opasswd</tt>. The DoD requirement is currently 24 passwords.</description> +<rationale> +Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. +</rationale> <ident cce="14939-3" /> <oval id="accounts_password_reuse_limit" value="password_history_retain_number" /> <ref nist="IA-5" disa="200" />
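Review bot: the sentence added to the shared description, "The DoD requirement is currently 24 passwords.", hard-codes a profile-specific number that the STIG-server profile already expresses through `<refine-value idref="password_history_retain_number" selector="24"/>`; it will go stale silently when the requirement changes, so either drop it or word it as a pointer to the profile's refine-value. The new `<rationale>` should also record the trade-off the cover letter itself acknowledges: a longer history kept in `/etc/security/opasswd` means more hashes exposed if that file is disclosed, which is why protecting that file matters in proportion to the history length.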
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/system/accounts/banners.xml |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/RHEL6/input/system/accounts/banners.xml b/RHEL6/input/system/accounts/banners.xml index b5ce8ed..3b0767f 100644 --- a/RHEL6/input/system/accounts/banners.xml +++ b/RHEL6/input/system/accounts/banners.xml 
@@ -25,6 +25,13 @@ be expressed by the '\n' character.</description> <value selector="usgcb_default"> -- WARNING --\nThis system is for the use of authorized users only. Individuals\nusing this computer system without authority or in excess of their\nauthority are subject to having all their activities on this system\nmonitored and recorded by system personnel. Anyone using this\nsystem expressly consents to such monitoring and is advised that\nif such monitoring reveals possible evidence of criminal activity\nsystem personal may provide the evidence of such monitoring to law\nenforcement officials. </value> +<value selector="dod_default">You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. +-At any time, the USG may inspect and seize data stored on this IS. +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. +</value> </Value>
<Rule id="set_system_login_banner">
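Review bot: the new `dod_default` value uses literal line breaks, while the description in the hunk's leading context states that newlines are to "be expressed by the '\n' character", which is exactly how `usgcb_default` encodes them; unless the consumer of this Value normalizes whitespace, the DoD banner will be rendered differently from the USGCB one, so either encode the breaks as `\n` or update the description to say that real newlines are accepted. The commit message says the text was taken "with minor changes" from the RHEL 5 STIG; listing those changes in the message (or in a comment beside the value) would let reviewers confirm the banner still matches the mandated wording.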
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/profiles/STIG-server.xml |   26 ++++++++++++++++++++++++--
 RHEL6/input/profiles/common.xml      |   17 +++++++++++++++++
 2 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/profiles/STIG-server.xml b/RHEL6/input/profiles/STIG-server.xml index 55bb934..08c8ddb 100644 --- a/RHEL6/input/profiles/STIG-server.xml +++ b/RHEL6/input/profiles/STIG-server.xml @@ -9,9 +9,31 @@ <select idref="no_files_unowned_by_user" selected="true"/> <select idref="aide_periodic_cron_checking" selected="true"/> <select idref="disable_users_coredumps" selected="true"/> +<select idref="no_insecure_locks_exports" selected="true" /> +<select idref="configure_auditd_space_left_action" selected="true" /> +<select idref="configure_auditd_action_mail_acct" selected="true" />
-<!-- Password history --> -<refine-value idref="password_history_retain_number" selector="5"/> +<select idref="kernel_module_bluetooth_disabled" selected="true"/> +<select idref="kernel_module_usb-storage_disabled" selected="true"/> + +<select idref="max_concurrent_login_sessions" selected="true"/> +<refine-value idref="max_concurrent_login_sessions_value" selector="10"/> + +<select idref="set_iptables_default_rule_forward" selected="true"/> + +<select idref="install_openswan" selected="true" /> +<select idref="enable_gdm_login_banner" selected="true" /> + +<select idref="set_gdm_login_banner_text" selected="true" /> +<refine-value idref="login_banner_text" selector="dod_default"/> + +<select idref="service_bluetooth_disabled" selected="true" /> +<select idref="account_disable_post_pw_expiration" selected="true" /> + +<select idref="ftp_present_banner" selected="true" /> + +<!-- from inherited Rule, limiting_password_reuse --> +<refine-value idref="password_history_retain_number" selector="24"/>
<refine-value idref="var_password_max_age" selector="60"/> </Profile> diff --git a/RHEL6/input/profiles/common.xml b/RHEL6/input/profiles/common.xml index 6d77abc..cf96a35 100644 --- a/RHEL6/input/profiles/common.xml +++ b/RHEL6/input/profiles/common.xml @@ -164,6 +164,23 @@ these should likely be moved out of common. <select idref="service_rpcbind_disabled" selected="true"/>--> <select idref="service_nfs_disabled" selected="true"/> <select idref="service_rpcsvcgssd_disabled" selected="true"/> + +<select idref="set_screensaver_inactivity_timeout" selected="true"/> +<refine-value idref="inactivity_timeout_value" selector="15"/> + +<select idref="enable_screensaver_after_idle" selected="true"/> +<select idref="enable_screensaver_password_lock" selected="true"/> +<select idref="set_blank_screensaver" selected="true"/> + +<select idref="service_abrtd_disabled" selected="true"/> +<select idref="service_atd_disabled" selected="true"/> +<select idref="service_autofs_disabled" selected="true"/> +<select idref="service_ntpdate_disabled" selected="true"/> +<select idref="service_oddjobd_disabled" selected="true"/> +<select idref="service_qpidd_disabled" selected="true"/> +<select idref="service_rdisc_disabled" selected="true"/> +<select idref="service_sysstat_disabled" selected="true"/> + <select idref="use_nodev_option_on_nfs_mounts" selected="true"/> <select idref="use_nosuid_option_on_nfs_mounts" selected="true"/> <select idref="disable_dns_server" selected="true"/>
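Review bot: in the STIG-server.xml hunk, `<refine-value idref="login_banner_text" selector="dod_default"/>` and `<refine-value idref="password_history_retain_number" selector="24"/>` depend on selectors that only exist once patches 2 and 1 of this series are applied, so this commit does not build on its own and will break a bisect; note the dependency in the commit message or reorder the series. The hunk also selects `enable_gdm_login_banner` and `set_gdm_login_banner_text` in a server profile: worth confirming that the corresponding checks pass rather than fail on a headless system with no GDM installed, otherwise every STIG-server scan of such a host reports a finding.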
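Review bot: in the common.xml hunk, the comment visible in the leading context ("these should likely be moved out of common") already flags that this file carries Rules which are not universally applicable, and the hunk adds four screensaver Rules (`set_screensaver_inactivity_timeout` with `inactivity_timeout_value` 15, `enable_screensaver_after_idle`, `enable_screensaver_password_lock`, `set_blank_screensaver`) that only make sense where a graphical session exists; either place them in a desktop-oriented profile or confirm the checks are no-ops on systems without a GUI. Selecting `service_ntpdate_disabled` and `service_sysstat_disabled` for every profile that inherits common also deserves a sentence in the commit message naming the CCI that drives each, since the cover letter says CCI references motivated the additions.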
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/system/network/wireless.xml     |    4 ++--
 RHEL6/input/system/permissions/mounting.xml |    4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/system/network/wireless.xml b/RHEL6/input/system/network/wireless.xml index f386a36..689fe69 100644 --- a/RHEL6/input/system/network/wireless.xml +++ b/RHEL6/input/system/network/wireless.xml @@ -67,7 +67,7 @@ protocols which were not designed with security in mind. <oval id="wireless_disable_interfaces" /> <ref nist="CM-7" disa="85" /> </Rule> - +<!-- <Rule id="wireless_disable_drivers"> <title>Disable Wireless Network Drivers</title> <description>Removing the kernel drivers that provide support for wireless @@ -84,7 +84,7 @@ the need to install such a driver first. <oval id="wireless_disable_drivers" /> <ref nist="CM-7" disa="85" /> </Rule> - +--> <Rule id="service_bluetooth_disabled"> <title>Disable Bluetooth Service</title> <description> diff --git a/RHEL6/input/system/permissions/mounting.xml b/RHEL6/input/system/permissions/mounting.xml index ed270ed..6dc1fbc 100644 --- a/RHEL6/input/system/permissions/mounting.xml +++ b/RHEL6/input/system/permissions/mounting.xml @@ -59,6 +59,7 @@ the devices themselves should be tightly controlled.</rationale> <oval id="kernel_module_usb-storage_disabled" /> <ref nist="CM-6, CM-7" disa="1250,85" /> </Rule> +<!-- Considering removal of this entirely, in favor of previous Rule
<Rule id="kernel_module_usb-storage_removed"> <title>Remove USB Storage Driver</title> @@ -66,7 +67,7 @@ the devices themselves should be tightly controlled.</rationale> supporting driver can be permanently removed. Though more effective than disabling the module within modprobe, this solution is less elegant than the modprobe method described in "Disable Modprobe Loading of USB". The technique described here will cause the -command <tt>rpm -q --verify kernel</tt> to fail which may be an undesirable side effect. +command <tt>rpm -V kernel</tt> to fail which may be an undesirable side effect. <br /><br /> To permanently remove the USB storage driver from the system execute this command: <pre># rm /lib/modules/<i>KERNEL-VERSION</i>/kernel/drivers/usb/storage/usb-storage.ko</pre> @@ -80,6 +81,7 @@ the devices themselves should be tightly controlled.</rationale> <oval id="kernel_module_usb-storage_removed" /> <ref nist="CM-6, CM-7" disa="1250,85" /> </Rule> +-->
<Rule id="bootloader_nousb_argument"> <title>Disable Kernel Support for USB via Bootloader Configuration</title>
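Review bot: the two wireless.xml hunks wrap `wireless_disable_drivers` in `<!-- ... -->` instead of deleting it, so the Rule, its `<oval id="wireless_disable_drivers" />` and its `<ref nist="CM-7" disa="85" />` remain as dead text, and any profile that still has `<select idref="wireless_disable_drivers" ...>` now points at a Rule that no longer exists in the built content; grep the profiles for that idref, and either remove the block outright (git history preserves it) or keep it with `selected="false"`. Also check that nothing inside the commented span contains `--`, which is not permitted within an XML comment.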
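Review bot: in the mounting.xml hunks, the change from `rpm -q --verify kernel` to `rpm -V kernel` inside the commented-out `kernel_module_usb-storage_removed` Rule appears to exist only because `--` is not allowed inside an XML comment, not as a content change; say so in the commit message, otherwise it reads as an unrelated edit to text that is being deprecated anyway. The opening comment `<!-- Considering removal of this entirely, in favor of previous Rule` should name that Rule (`kernel_module_usb-storage_disabled`, visible in the leading context) so the intent survives a reordering of the file, and once the removal is decided the whole block should be deleted rather than left commented out.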
Ack to the set.
On 07/30/2012 07:02 PM, Jeffrey Blank wrote: