xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig-rhel7-disa

Guide to the Secure Configuration of Red Hat Enterprise Linux 7

with profile DISA STIG for Red Hat Enterprise Linux 7
This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux V1R1. In addition to being applicable to RHEL7, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based off RHEL7, such as RHEL Server, RHV-H, RHEL for HPC, RHEL Workstation, and Red Hat Storage deployments.

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 7. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 7, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target	localhost.localdomain
Benchmark URL	/tmp/tmp.SG8LwApKGP/input.xml
Benchmark ID	xccdf_org.ssgproject.content_benchmark_RHEL-7
Profile ID	xccdf_org.ssgproject.content_profile_stig-rhel7-disa
Started at	2018-04-30T04:24:25
Finished at	2018-04-30T04:25:45
Performed by	admin

CPE Platforms

cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:7::client
cpe:/o:redhat:enterprise_linux:7::computenode

Addresses

IPv4 127.0.0.1
IPv4 192.168.122.111
IPv6 0:0:0:0:0:0:0:1
IPv6 fe80:0:0:0:5054:ff:fe1a:f531
MAC 00:00:00:00:00:00
MAC 52:54:00:1A:F5:31

Compliance and Scoring

The target system did not satisfy the conditions of 10 rules! Please review rule results and consider applying remediation.

Rule results

197 passed

10 failed

33 other

Severity of failed rules

0 other

2 low

4 medium

4 high

Score

Scoring system	Score	Maximum	Percent
urn:xccdf:scoring:default	83.829300	100.000000	83.83%

Rule Overview

Title	Severity	Result
Guide to the Secure Configuration of Red Hat Enterprise Linux 7 10x fail 33x notchecked
System Settings 7x fail 28x notchecked
Installing and Maintaining Software 3x fail 2x notchecked
Disk Partitioning
Ensure /tmp Located On Separate Partition	low	pass
Ensure /var Located On Separate Partition	low	pass
Ensure /var/log/audit Located On Separate Partition	low	pass
Ensure /home Located On Separate Partition	low	pass
Updating Software 1x fail 1x notchecked
Ensure gpgcheck Enabled In Main Yum Configuration	high	pass
Ensure Software Patches Installed	high	notchecked
Ensure YUM Removes Previous Package Versions	low	pass
Ensure gpgcheck Enabled for Local Packages	high	pass
Ensure gpgcheck Enabled for Repository Metadata	high	fail
System and Software Integrity 2x fail 1x notchecked
Software Integrity Checking
Verify Integrity with AIDE
Install AIDE	medium	pass
Configure Periodic Execution of AIDE	medium	pass
Configure Notification of Post-AIDE Scan Details	medium	pass
Configure AIDE to Verify Access Control Lists (ACLs)	medium	pass
Configure AIDE to Verify Extended Attributes	medium	pass
Configure AIDE to Use FIPS 140-2 for Validating Hashes	medium	pass
Verify Integrity with RPM
Verify and Correct File Permissions with RPM	high	pass
Verify and Correct Ownership with RPM	high	pass
Verify File Hashes with RPM	high	pass
Endpoint Protection Software 1x fail 1x notchecked
McAfee Endpoint Security Software 1x fail 1x notchecked
Install McAfee Virus Scanning Software	high	fail
Virus Scanning Software Definitions Are Updated	medium	notchecked
Federal Information Processing Standard (FIPS) 1x fail
Enable FIPS Mode in GRUB2	high	fail
Operating System Vendor Support and Certification
The Installed Operating System Is Vendor Supported and Certified	high	pass
GNOME Desktop Environment
Configure GNOME Login Screen
Disable GDM Automatic Login	high	pass
Disable GDM Guest Login	high	pass
Enable the GNOME3 Login Smartcard Authentication	medium	pass
Configure GNOME Screen Locking
Set GNOME3 Screensaver Inactivity Timeout	medium	pass
Enable GNOME3 Screensaver Idle Activation	medium	pass
Enable GNOME3 Screensaver Lock After Idle Period	medium	pass
Set GNOME3 Screensaver Lock Delay After Activation Period	medium	pass
Ensure Users Cannot Change GNOME3 Screensaver Settings	medium	pass
Ensure Users Cannot Change GNOME3 Session Idle Settings	medium	pass
Sudo
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD	medium	pass
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate	medium	pass
File Permissions and Masks
Restrict Partition Mount Options
Add nosuid Option to Removable Media Partitions	low	pass
Add nosuid Option to /home	low	pass
Restrict Dynamic Mounting and Unmounting of Filesystems
Disable Modprobe Loading of USB Storage Driver	medium	pass
Disable the Automounter	medium	pass
Verify Permissions on Important Files and Directories
Ensure All Files Are Owned by a User	medium	pass
Ensure All Files Are Owned by a Group	medium	pass
Ensure All World-Writable Directories Are Owned by a System Account	low	pass
Restrict Programs from Dangerous Execution Patterns
Enable ExecShield
Enable Randomized Layout of Virtual Address Space	medium	pass
SELinux 1x notchecked
Ensure SELinux State is Enforcing	high	pass
Configure SELinux Policy	high	pass
Ensure No Device Files are Unlabeled by SELinux	medium	pass
Map System Users To The Appropriate SELinux Role	medium	notchecked
Account and Access Control 1x fail 19x notchecked
Protect Accounts by Restricting Password-Based Login 2x notchecked
Restrict Root Logins
Verify Only Root Has UID 0	high	pass
Verify Proper Storage and Existence of Password Hashes
Prevent Log In to Accounts With Empty Password	high	pass
All GIDs referenced in /etc/passwd must be defined in /etc/group	low	pass
Set Password Expiration Parameters 2x notchecked
Set Password Minimum Age	medium	pass
Set Password Maximum Age	medium	pass
Set Existing Passwords Minimum Age	medium	notchecked
Set Existing Passwords Maximum Age	medium	notchecked
Set Account Expiration Parameters
Set Account Expiration Following Inactivity	medium	pass
Protect Accounts by Configuring PAM
Set Password Quality Requirements
Set Password Quality Requirements with pam_pwquality
Set Password Retry Prompts Permitted Per-Session	low	pass
Set Password Maximum Consecutive Repeating Characters	medium	pass
Set Password to Maximum of Consecutive Repeating Characters from Same Character Class	medium	pass
Set Password Strength Minimum Digit Characters	medium	pass
Set Password Minimum Length	medium	pass
Set Password Strength Minimum Uppercase Characters	medium	pass
Set Password Strength Minimum Special Characters	medium	pass
Set Password Strength Minimum Lowercase Characters	medium	pass
Set Password Strength Minimum Different Characters	medium	pass
Set Password Strength Minimum Different Categories	medium	pass
Set Lockouts for Failed Password Attempts
Set Deny For Failed Password Attempts	medium	pass
Set Lockout Time For Failed Password Attempts	medium	pass
Configure the root Account for Failed Password Attempts	medium	pass
Set Interval For Counting Failed Password Attempts	medium	pass
Limit Password Reuse	medium	pass
Set Password Hashing Algorithm
Set PAM's Password Hashing Algorithm	medium	pass
Set Password Hashing Algorithm in /etc/login.defs	medium	pass
Set Password Hashing Algorithm in /etc/libuser.conf	medium	pass
Set Last Logon/Access Notification	low	pass
Secure Session Configuration Files for Login Accounts 14x notchecked
Ensure that Users Have Sensible Umask Values 1x notchecked
Ensure the Default Umask is Set Correctly in login.defs	low	pass
Ensure the Default Umask is Set Correctly For Interactive Users	medium	notchecked
Ensure Home Directories are Created for New Users	medium	pass
Set Interactive Session Timeout	medium	pass
Limit the Number of Concurrent Login Sessions Allowed Per User	low	pass
Ensure the Logon Failure Delay is Set Correctly in login.defs	low	pass
User Initialization Files Must Not Run World-Writable Programs	medium	notchecked
Ensure that Users Path Contains Only Local Directories	medium	notchecked
Ensure All User Initialization Files Have Mode 0740 Or Less Permissive	medium	notchecked
User Initialization Files Must Be Group-Owned By The Primary User	medium	notchecked
User Initialization Files Must Be Owned By the Primary User	medium	notchecked
All Interactive Users Must Have A Home Directory Defined	medium	notchecked
All Interactive Users Home Directories Must Exist	medium	notchecked
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive	medium	notchecked
All Interactive User Home Directories Must Be Owned By The Primary User	medium	notchecked
All Interactive User Home Directories Must Be Group-Owned By The Primary User	medium	notchecked
All User Files and Directories In The Home Directory Must Be Owned By The Primary User	medium	notchecked
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User	medium	notchecked
All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive	medium	notchecked
Protect Physical Console Access 1x fail 3x notchecked
Set Boot Loader Password 1x fail 1x notchecked
Set Boot Loader Password	high	fail
Set the UEFI Boot Loader Password	medium	pass
Boat Loader Is Not Installed On Removeable Media	medium	notchecked
Configure Screen Locking 2x notchecked
Configure Console Screen Locking
Install the screen Package	medium	pass
Hardware Tokens for Authentication 2x notchecked
Install Smart Card Packages For Multifactor Authentication	medium	notchecked
Configure Smart Card Certificate Status Checking	medium	notchecked
Enable Smart Card Login	medium	pass
Require Authentication for Single User Mode	medium	pass
Disable Ctrl-Alt-Del Reboot Activation	high	pass
Warning Banners for System Accesses
Implement a GUI Warning Banner
Enable GNOME3 Login Warning Banner	medium	pass
Set the GNOME3 Login Warning Banner Text	medium	pass
Modify the System Login Banner	medium	pass
Network Configuration and Firewalls 2x fail 2x notchecked
Kernel Parameters Which Affect Networking
Network Parameters for Hosts Only
Disable Kernel Parameter for Sending ICMP Redirects by Default	medium	pass
Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces	medium	pass
Disable Kernel Parameter for IP Forwarding	medium	pass
Network Related Kernel Runtime Parameters for Hosts and Routers
Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces	medium	pass
Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces	medium	pass
Configure Kernel Parameter for Accepting Source-Routed Packets By Default	medium	pass
Configure Kernel Parameter for Accepting ICMP Redirects By Default	medium	pass
Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests	medium	pass
Wireless Networking
Disable Wireless Through Software Configuration
Deactivate Wireless Network Interfaces	low	pass
IPv6
Configure IPv6 Settings if Necessary
Disable Automatic Configuration
Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces	medium	pass
firewalld 1x fail 1x notchecked
Inspect and Activate Default firewalld Rules
Verify firewalld Enabled	medium	pass
Strengthen the Default Ruleset 1x fail 1x notchecked
Set Default firewalld Zone for Incoming Packets	medium	fail
Configure firewalld To Rate Limit Connections	medium	notchecked
Configure the Firewalld Ports	medium	pass
Uncommon Network Protocols
Disable DCCP Support	medium	pass
IPSec Support 1x notchecked
Verify Any Configured IPSec Tunnel Connections	medium	notchecked
Configure Multiple DNS Servers in /etc/resolv.conf	low	fail
Ensure System is Not Acting as a Network Sniffer	medium	pass
Configure Syslog
Ensure Proper Configuration of Log Files
Ensure cron Is Logging To Rsyslog	medium	pass
Rsyslog Logs Sent To Remote Host
Ensure Logs Sent To Remote Host	low	pass
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server	low	pass
System Accounting with auditd 1x fail 4x notchecked
Configure auditd Data Retention 4x notchecked
Configure auditd space_left Action on Low Disk Space	medium	pass
Configure auditd space_left on Low Disk Space	medium	pass
Configure auditd mail_acct Action on Low Disk Space	medium	pass
Configure audispd's Plugin network_failure_action On Network Failure	medium	notchecked
Configure audispd's Plugin disk_full_action When Disk Is Full	medium	notchecked
Encrypt Audit Records Sent With audispd Plugin	medium	notchecked
Configure audispd Plugin To Send Logs To Remote Server	medium	notchecked
Configure auditd Rules for Comprehensive Auditing 1x fail
Record Events that Modify the System's Discretionary Access Controls
Record Events that Modify the System's Discretionary Access Controls - chmod	low	pass
Record Events that Modify the System's Discretionary Access Controls - chown	low	pass
Record Events that Modify the System's Discretionary Access Controls - fchmod	low	pass
Record Events that Modify the System's Discretionary Access Controls - fchmodat	low	pass
Record Events that Modify the System's Discretionary Access Controls - fchown	low	pass
Record Events that Modify the System's Discretionary Access Controls - fchownat	low	pass
Record Events that Modify the System's Discretionary Access Controls - fremovexattr	medium	pass
Record Events that Modify the System's Discretionary Access Controls - fsetxattr	low	pass
Record Events that Modify the System's Discretionary Access Controls - lchown	low	pass
Record Events that Modify the System's Discretionary Access Controls - lremovexattr	medium	pass
Record Events that Modify the System's Discretionary Access Controls - lsetxattr	low	pass
Record Events that Modify the System's Discretionary Access Controls - removexattr	medium	pass
Record Events that Modify the System's Discretionary Access Controls - setxattr	low	pass
Record Attempts to Alter Logon and Logout Events
Record Attempts to Alter Logon and Logout Events - tallylog	medium	pass
Record Attempts to Alter Logon and Logout Events - faillock	medium	pass
Record Attempts to Alter Logon and Logout Events - lastlog	medium	pass
Record Unauthorized Access Attempts Events to Files (unsuccessful)
Record Unauthorized Access Attempts to Files (unsuccessful) - creat	medium	pass
Record Unauthorized Access Attempts to Files (unsuccessful) - open	medium	pass
Record Unauthorized Access Attempts to Files (unsuccessful) - openat	medium	pass
Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at	medium	pass
Record Unauthorized Access Attempts to Files (unsuccessful) - truncate	medium	pass
Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate	medium	pass
Record Execution Attempts to Run SELinux Privileged Commands
Record Any Attempts to Run semanage	medium	pass
Record Any Attempts to Run setsebool	medium	pass
Record Any Attempts to Run chcon	medium	pass
Record Any Attempts to Run restorecon	medium	pass
Record Information on the Use of Privileged Commands 1x fail
Ensure auditd Collects Information on the Use of Privileged Commands	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - passwd	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - chage	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - su	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - sudo	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - chsh	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - umount	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - crontab	medium	pass
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check	medium	pass
Record File Deletion Events by User
Ensure auditd Collects File Deletion Events by User - rmdir	medium	pass
Ensure auditd Collects File Deletion Events by User - unlink	medium	pass
Ensure auditd Collects File Deletion Events by User - unlinkat	medium	pass
Ensure auditd Collects File Deletion Events by User - rename	medium	pass
Ensure auditd Collects File Deletion Events by User - renameat	medium	pass
Record Information on Kernel Modules Loading and Unloading
Ensure auditd Collects Information on Kernel Module Loading - init_module	medium	pass
Ensure auditd Collects Information on Kernel Module Unloading - delete_module	medium	pass
Ensure auditd Collects Information on Kernel Module Loading - insmod	medium	pass
Ensure auditd Collects Information on Kernel Module Unloading - rmmod	medium	pass
Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe	medium	pass
Shutdown System When Auditing Failures Occur	medium	pass
Record Events that Modify User/Group Information - /etc/group	medium	pass
Record Events that Modify User/Group Information - /etc/gshadow	medium	pass
Record Events that Modify User/Group Information - /etc/shadow	medium	pass
Record Events that Modify User/Group Information - /etc/passwd	medium	pass
Record Events that Modify User/Group Information - /etc/security/opasswd	medium	pass
Ensure auditd Collects Information on Exporting to Media (successful)	medium	pass
Ensure auditd Collects System Administrator Actions	low	pass
Enable auditd Service	high	pass
Services 3x fail 5x notchecked
Obsolete Services 2x notchecked
Telnet
Uninstall telnet-server Package	high	pass
Rlogin, Rsh, and Rexec 2x notchecked
Uninstall rsh-server Package	high	pass
Remove Host-Based Authentication Files	high	notchecked
Remove User Host-Based Authentication Files	high	notchecked
NIS
Uninstall ypserv Package	high	pass
TFTP Server
Uninstall tftp-server Package	high	pass
Ensure tftp Daemon Uses Secure Mode	medium	pass
Base Services 1x fail
Disable KDump Kernel Crash Analyzer (kdump)	medium	fail
Cron and At Daemons
Restrict at and cron to Authorized Users if Necessary
Verify User Who Owns /etc/cron.allow file	medium	pass
Verify Group Who Owns /etc/cron.allow file	medium	pass
SSH Server
Configure OpenSSH Server if Necessary
Allow Only SSH Protocol 2	high	pass
Disable GSSAPI Authentication	medium	pass
Disable Kerberos Authentication	medium	pass
Enable Use of Strict Mode Checking	medium	pass
Enable Use of Privilege Separation	medium	pass
Disable Compression Or Set Compression to delayed	medium	pass
Print Last Log	low	pass
Set SSH Idle Timeout Interval	low	pass
Set SSH Client Alive Count	medium	pass
Disable SSH Support for .rhosts Files	medium	pass
Disable SSH Support for User Known Hosts	medium	pass
Disable SSH Support for Rhosts RSA Authentication	medium	pass
Disable Host-Based Authentication	medium	pass
Enable Encrypted X11 Forwarding	high	pass
Disable SSH Root Login	medium	pass
Disable SSH Access via Empty Passwords	high	pass
Enable SSH Warning Banner	medium	pass
Do Not Allow SSH Environment Options	medium	pass
Use Only FIPS 140-2 Validated Ciphers	medium	pass
Use Only FIPS 140-2 Validated MACs	medium	pass
Install the OpenSSH Server Package	medium	pass
Enable the OpenSSH Service	medium	pass
Verify Permissions on SSH Server Public *.pub Key Files	medium	pass
Verify Permissions on SSH Server Private *_key Key Files	medium	pass
System Security Services Daemon 1x fail 2x notchecked
System Security Services Daemon (SSSD) - LDAP 2x notchecked
Configure SSSD LDAP Backend Client CA Certificate	medium	notchecked
Configure SSSD LDAP Backend Client CA Certificate Location	medium	notchecked
Configure PAM in SSSD Services	medium	fail
X Window System
Disable X Windows
Remove the X Windows Package Group	medium	pass
Network Time Protocol 1x fail
Configure Time Service Maxpoll Interval	low	fail
Mail Server Software 1x notchecked
Configure Operating System to Protect Mail Server 1x notchecked
Configure Postfix if Necessary 1x notchecked
Control Mail Relaying 1x notchecked
Prevent Unrestricted Mail Relaying	medium	notchecked
LDAP
Configure OpenLDAP Clients
Configure LDAP Client to Use TLS For All Transactions	medium	pass
NFS and RPC
Configure NFS Clients
Mount Remote Filesystems with Restrictive Options
Mount Remote Filesystems with nosuid	medium	pass
Mount Remote Filesystems with noexec	medium	pass
Mount Remote Filesystems with Kerberos Security	medium	pass
FTP Server
Disable vsftpd if Possible
Uninstall vsftpd Package	high	pass
SNMP Server
Configure SNMP Server if Necessary
Ensure Default SNMP Password Is Not Used	high	pass

Result Details

Ensure /tmp Located On Separate Partition

Rule ID xccdf_org.ssgproject.content_rule_partition_for_tmp

Result

pass

Time 2018-04-30T04:24:26

Severity low

Identifiers and References

Identifiers: CCE-27173-4

References: RHEL-07-021340, SV-86689r1_rule, SC-32(1), CCI-000366, SRG-OS-000480-GPOS-00227, 1.1.2

Description

The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

OVAL details

/tmp on own partition passed because of these items:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/tmp	/dev/mapper/rhel-tmp	76547564-98ef-4133-a203-290059e820e6	xfs	rw	seclabel	relatime	attr2	inode64	noquota	bind	259584	15235	244349

Ensure /var Located On Separate Partition

Rule ID xccdf_org.ssgproject.content_rule_partition_for_var

Result

pass

Time 2018-04-30T04:24:26

Severity low

Identifiers and References

Identifiers: CCE-26404-4

References: RHEL-07-021320, SV-86685r1_rule, SC-32(1), 1.1.6, CCI-000366, SRG-OS-000480-GPOS-00227

Description

The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages.

OVAL details

/var on own partition passed because of these items:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/var	/dev/mapper/rhel-var	0be0ba17-a2bc-4e24-83a5-85e470f1e979	xfs	rw	seclabel	relatime	attr2	inode64	noquota	bind	259584	22625	236959

Ensure /var/log/audit Located On Separate Partition

Rule ID xccdf_org.ssgproject.content_rule_partition_for_var_log_audit

Result

pass

Time 2018-04-30T04:24:26

Severity low

Identifiers and References

Identifiers: CCE-26971-2

References: RHEL-07-021330, SV-86687r3_rule, AU-4, AU-9, SC-32(1), CCI-000366, 1.1.12, SRG-OS-000480-GPOS-00227

Description

Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

Rationale

Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

OVAL details

/var/log/audit on own partition passed because of these items:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/var/log/audit	/dev/mapper/rhel-var_log_audit	b5ebd29a-239b-49af-9149-92f1b7635fe1	xfs	rw	seclabel	relatime	attr2	inode64	noquota	bind	130217	6645	123572

Ensure /home Located On Separate Partition

Rule ID xccdf_org.ssgproject.content_rule_partition_for_home

Result

pass

Time 2018-04-30T04:24:26

Severity low

Identifiers and References

Identifiers: CCE-80144-9

References: RHEL-07-021310, SV-86683r1_rule, SC-32(1), CCI-000366, CCI-001208, 1.1.13, SRG-OS-000480-GPOS-00227

Description

If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

Rationale

Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

OVAL details

/home on own partition passed because of these items:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/home	/dev/mapper/rhel-home	10600811-e301-4706-8db5-0992625ee01a	xfs	rw	seclabel	nosuid	relatime	attr2	inode64	noquota	bind	259584	8264	251320

Ensure gpgcheck Enabled In Main Yum Configuration

Rule ID xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated

Result

pass

Time 2018-04-30T04:24:26

Severity high

Identifiers and References

Identifiers: CCE-26989-4

References: RHEL-07-020050, SV-86601r1_rule, CM-5(3), SI-7, MA-1(b), CCI-001749, SRG-OS-000366-GPOS-00153, Req-6.2, 1.2.2, 5.10.4.1, 3.4.8

Description

The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:

gpgcheck=1

Rationale

Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

OVAL details

check value of gpgcheck in /etc/dnf/dnf.conf passed because these items were not found:

Object oval:ssg-object_dnf_ensure_gpgcheck_globally_activated:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/dnf/dnf.conf	^\sgpgcheck\s=\s1\s$	1

check value of gpgcheck in /etc/yum.conf passed because of these items:

Path	Content
/etc/yum.conf	gpgcheck=1

Ensure Software Patches Installed

Rule ID	xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Result	notchecked
Time	2018-04-30T04:24:26
Severity	high
Identifiers and References	Identifiers: CCE-26895-3 References: RHEL-07-020260, SV-86623r3_rule, SI-2, SI-2(c), MA-1(b), CCI-000366, Req-6.2, 1.8, SRG-OS-000480-GPOS-00227, 5.10.4.1
Description	If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: $ sudo yum update If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using `rpm`. NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
Rationale	Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.
Evaluation messages info None of the check-content-ref elements was resolvable.

Ensure YUM Removes Previous Package Versions

Rule ID xccdf_org.ssgproject.content_rule_clean_components_post_updating

Result

pass

Time 2018-04-30T04:24:26

Severity low

Identifiers and References

Identifiers: CCE-80346-0

References: RHEL-07-020200, SV-86611r1_rule, SI-2(6), CCI-002617, SRG-OS-000437-GPOS-00194, 3.4.8

Description

Yum should be configured to remove previous software components after previous versions have been installed. To configure yum to remove the previous software components after updating, set the clean_requirements_on_remove to 1 in /etc/yum.conf.

Rationale

Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.

OVAL details

check value of clean_requirements_on_remove in /etc/yum.conf passed because of these items:

Path	Content
/etc/yum.conf	clean_requirements_on_remove=1

Ensure gpgcheck Enabled for Local Packages

Rule ID xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages

Result

pass

Time 2018-04-30T04:24:26

Severity high

Identifiers and References

Identifiers: CCE-80347-8

References: RHEL-07-020060, SV-86603r1_rule, CM-5(3), CCI-001749, SRG-OS-000366-GPOS-00153, 3.4.8

Description

Yum should be configured to verify the signature(s) of local packages prior to installation. To configure yum to verify signatures of local packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.

Rationale

OVAL details

check value of localpkg_gpgcheck in /etc/yum.conf passed because of these items:

Path	Content
/etc/yum.conf	localpkg_gpgcheck=1

Ensure gpgcheck Enabled for Repository Metadata

Rule ID xccdf_org.ssgproject.content_rule_ensure_gpgcheck_repo_metadata

Result

fail

Time 2018-04-30T04:24:26

Severity high

Identifiers and References

Identifiers: CCE-80348-6

References: RHEL-07-020070, SV-86605r1_rule, CM-5(3), CCI-001749, SRG-OS-000366-GPOS-00153

Description

Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata.

Check that yum verifies the repository metadata prior to install with the following command. This should be configured by setting repo_gpgcheck to 1 in /etc/yum.conf.

Rationale

Changes to any software components can have significant effects to the overall security of the operating system. This requirement ensures the software has not been tampered and has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.

Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again.

NOTE: For U.S. Military systems, this requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority.

Warnings

warning Automated remediation for this configuration check is temporarily disabled. Enabling gpgcheck for repository metadata will disable installation of software from repositories that do not sign the metadata. Official Red Hat Enterprise Linux repositories do not provide a repository metadata signature. As a consequence, setting repo_gpgcheck to 1 on a typical system prevents yum from installation of software packages, including security updates and packages required by this guide. This issue of Red Hat Enterprise Linux repositories was reported in https://bugzilla.redhat.com/show_bug.cgi?id=1410638.

OVAL details

check value of repo_gpgcheck in /etc/yum.conf failed because these items were missing:

Object oval:ssg-object_yum_ensure_gpgcheck_repo_metadata:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/yum.conf	^\srepo_gpgcheck\s=\s(1\|True\|yes)\s$	1

Install AIDE

Rule ID

xccdf_org.ssgproject.content_rule_package_aide_installed

Result

pass

Time

2018-04-30T04:24:26

Severity

medium

Identifiers and References

Identifiers: CCE-27096-7

References: CM-3(d), CM-3(e), CM-6(d), CM-6(3), SC-28, SI-7, Req-11.5, 1.3.1, 5.10.1.3

Description

Install the AIDE package with the command:

$ sudo yum install aide

Rationale

The AIDE package must be installed if it is to be available for integrity checking.

OVAL details

package aide is installed passed because of these items:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
aide	x86_64	(none)	13.el7	0.15.1	0:0.15.1-13.el7	199e2f91fd431d51	aide-0:0.15.1-13.el7.x86_64

Configure Periodic Execution of AIDE

Rule ID xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking

Result

pass

Time 2018-04-30T04:24:26

Severity medium

Identifiers and References

Identifiers: CCE-26952-2

References: RHEL-07-020030, SV-86597r1_rule, CM-3(d), CM-3(e), CM-3(5), CM-6(d), CM-6(3), SC-28, SI-7, CCI-001744, Req-11.5, 1.3.2, SRG-OS-000363-GPOS-00150, 5.10.1.3

Description

At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * * root /usr/sbin/aide --check

To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * 0 root /usr/sbin/aide --check

AIDE can be executed periodically through other means; this is merely one example.

Rationale

By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

OVAL details

run aide daily with cron passed because of these items:

Path	Content
/etc/crontab	05 4 * * * root /usr/sbin/aide --check
/etc/crontab	0 5 * * * root /usr/sbin/aide --check \| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

run aide daily with cron passed because these items were not found:

Object oval:ssg-object_test_aide_crond_checking:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/cron.d	^.*$	^[0-9][\s][0-9][\s]\[\s]\[\s]\[\s]root[\s]/usr/sbin/aide[\s]\-\-check.*$	1

run aide daily with cron passed because these items were not found:

Object oval:ssg-object_aide_var_cron_checking:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/var/spool/cron/root	^[0-9][\s][0-9][\s]\[\s]\[\s]\[\s](root\|)/usr/sbin/aide[\s]\-\-check.$	1

run aide daily with cron.(daily|weekly|monthly) passed because these items were not found:

Object oval:ssg-object_aide_crontabs_checking:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/cron.(daily\|weekly\|monthly)	^.*$	^\s/usr/sbin/aide[\s]\-\-check.*$	1

Configure Notification of Post-AIDE Scan Details

Rule ID xccdf_org.ssgproject.content_rule_aide_scan_notification

Result

pass

Time 2018-04-30T04:24:26

Severity medium

Identifiers and References

Identifiers: CCE-80374-2

References: RHEL-07-020040, SV-86599r1_rule, CM-3(5), CCI-001744, SRG-OS-000363-GPOS-00150

Description

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in /etc/crontab, append the following line to the existing AIDE line:

 | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

Otherwise, add the following line to /etc/crontab:

05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

AIDE can be executed periodically through other means; this is merely one example.

Rationale

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

OVAL details

notify personnel when aide completes passed because of these items:

Path	Content
/etc/crontab	0 5 * * * root /usr/sbin/aide --check \| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

notify personnel when aide completes passed because these items were not found:

Object oval:ssg-object_aide_var_cron_notification:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/var/spool/cron/root	^./usr/sbin/aide[\s]\-\-check.\\|./bin/mail[\s]-s[\s]"."[\s].+@.+$	1

notify personnel when aide completes in cron.(daily|weekly|monthly) passed because these items were not found:

Object oval:ssg-object_aide_crontabs_notification:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/cron.(d\|daily\|weekly\|monthly)	^.*$	^./usr/sbin/aide[\s]\-\-check.\\|./bin/mail[\s]-s[\s]"."[\s].+@.+$	1

Configure AIDE to Verify Access Control Lists (ACLs)

Rule ID xccdf_org.ssgproject.content_rule_aide_verify_acls

Result

pass

Time 2018-04-30T04:24:26

Severity medium

Identifiers and References

Identifiers: CCE-80375-9

References: RHEL-07-021600, SV-86693r2_rule, SI-7.1, CCI-000366, SRG-OS-000480-GPOS-00227

Description

By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf:

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Rationale

ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.

OVAL details

acl is set in /etc/aide.conf passed because of these items:

Path	Content
/etc/aide.conf	NORMAL = acl+xattrs+sha512
/etc/aide.conf	DIR = p+i+n+u+g+acl+selinux+xattrs+sha512
/etc/aide.conf	PERMS = p+u+g+acl+selinux+xattrs+sha512
/etc/aide.conf	STATIC = p+u+g+acl+selinux+xattrs+i+n+b+c+ftype+sha512
/etc/aide.conf	LOG = p+u+g+n+acl+selinux+ftype+xattrs+sha512
/etc/aide.conf	CONTENT = ftype+acl+xattrs+sha512
/etc/aide.conf	DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512

Configure AIDE to Verify Extended Attributes

Rule ID xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes

Result

pass

Time 2018-04-30T04:24:26

Severity medium

Identifiers and References

Identifiers: CCE-80376-7

References: RHEL-07-021610, SV-86695r2_rule, SI-7.1, CCI-000366, SRG-OS-000480-GPOS-00227

Description

By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf:

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Rationale

Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.

OVAL details

xattrs is set in /etc/aide.conf passed because of these items:

Path	Content
/etc/aide.conf	NORMAL = acl+xattrs+sha512
/etc/aide.conf	DIR = p+i+n+u+g+acl+selinux+xattrs+sha512
/etc/aide.conf	PERMS = p+u+g+acl+selinux+xattrs+sha512
/etc/aide.conf	STATIC = p+u+g+acl+selinux+xattrs+i+n+b+c+ftype+sha512
/etc/aide.conf	LOG = p+u+g+n+acl+selinux+ftype+xattrs+sha512
/etc/aide.conf	CONTENT = ftype+acl+xattrs+sha512
/etc/aide.conf	DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512

Configure AIDE to Use FIPS 140-2 for Validating Hashes

Rule ID xccdf_org.ssgproject.content_rule_aide_use_fips_hashes

Result

pass

Time 2018-04-30T04:24:26

Severity medium

Identifiers and References

Identifiers: CCE-80377-5

References: RHEL-07-021620, SV-86697r2_rule, SI-7(1), CCI-000366, SRG-OS-000480-GPOS-00227, 3.13.11

Description

By default, the sha512 option is added to the NORMAL ruleset in AIDE. If using a custom ruleset or the sha512 option is missing, add sha512 to the appropriate ruleset. For example, add sha512 to the following line in /etc/aide.conf:

NORMAL = FIPSR+sha512

AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Rationale

File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.

OVAL details

Verify non-FIPS hashes are not configured in /etc/aide.conf passed because these items were not found:

Object oval:ssg-object_aide_non_fips_hashes:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/aide.conf	^[A-Z][\s]=[\s].(sha1\|rmd160\|sha256\|whirlpool\|tiger\|haval\|gost\|crc32).*$	0

Verify FIPS hashes are configured in /etc/aide.conf passed because of these items:

Path	Content
/etc/aide.conf	NORMAL = acl+xattrs+sha512
/etc/aide.conf	LOG = p+u+g+n+acl+selinux+ftype+xattrs+sha512
/etc/aide.conf	STATIC = p+u+g+acl+selinux+xattrs+i+n+b+c+ftype+sha512
/etc/aide.conf	PERMS = p+u+g+acl+selinux+xattrs+sha512
/etc/aide.conf	DIR = p+i+n+u+g+acl+selinux+xattrs+sha512
/etc/aide.conf	ALLXTRAHASHES = sha512
/etc/aide.conf	CONTENT = ftype+acl+xattrs+sha512
/etc/aide.conf	DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512

Verify and Correct File Permissions with RPM

Rule ID xccdf_org.ssgproject.content_rule_rpm_verify_permissions

Result

pass

Time 2018-04-30T04:24:30

Severity high

Identifiers and References

Identifiers: CCE-27209-6

References: RHEL-07-010010, SV-86473r2_rule, AC-6, AU-9(1), AU-9(3), CM-6(d), CM-6(3), CCI-001494, CCI-001496, Req-11.5, 1.2.6, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.3, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 5.10.4.1, 3.3.8, 3.4.1

Description

The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command:

$ sudo rpm -Va | grep '^.M'

Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it:

$ rpm -qf FILENAME

Next, run the following command to reset its permissions to the correct values:

$ sudo rpm --setperms PACKAGENAME

Rationale

Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Warnings

warning Note: Due to a bug in the gdm package, the RPM verify command may continue to fail even after file permissions have been correctly set on /var/log/gdm. This is being tracked in Red Hat Bugzilla #1275532.

OVAL details

mode of all files matches local rpm database passed because these items were not found:

Object oval:ssg-object_files_fail_mode:obj:1 of type rpmverifyfile_object

Behaviors	Name	Epoch	Version	Release	Arch	Filepath	Filter
no value	.*	.*	.*	.*	.*	.*	oval:ssg-state_files_fail_mode:ste:1

Verify and Correct Ownership with RPM

Rule ID xccdf_org.ssgproject.content_rule_rpm_verify_ownership

Result

pass

Time 2018-04-30T04:24:38

Severity high

Identifiers and References

Identifiers: CCE-80545-7

References: RHEL-07-TBD, AC-6, AU-9(1), AU-9(3), CM-6(d), CM-6(3), CCI-001494, CCI-001496, Req-11.5, 1.2.6, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.3, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 5.10.4.1, 3.3.8, 3.4.1

Description

The RPM package management system can check file ownership permissions of installed software packages, including many that are important to system security. After locating a file with incorrect permissions, which can be found with

rpm -Va | grep "^.....\(U\|.G\)"

run the following command to determine which package owns it:

$ rpm -qf FILENAME

Next, run the following command to reset its permissions to the correct values:

$ sudo rpm --setugids PACKAGENAME

Rationale

Ownership of binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Warnings

OVAL details

user ownership of all files matches local rpm database passed because these items were not found:

Object oval:ssg-object_files_fail_user_ownership:obj:1 of type rpmverifyfile_object

Behaviors	Name	Epoch	Version	Release	Arch	Filepath	Filter
no value	.*	.*	.*	.*	.*	.*	oval:ssg-state_files_fail_user_ownership:ste:1

group ownership of all files matches local rpm database passed because these items were not found:

Object oval:ssg-object_files_fail_group_ownership:obj:1 of type rpmverifyfile_object

Behaviors	Name	Epoch	Version	Release	Arch	Filepath	Filter
no value	.*	.*	.*	.*	.*	.*	oval:ssg-state_files_fail_group_ownership:ste:1

Verify File Hashes with RPM

Rule ID

xccdf_org.ssgproject.content_rule_rpm_verify_hashes

Result

pass

Time

2018-04-30T04:25:03

Severity

high

Identifiers and References

Identifiers: CCE-27157-7

References: RHEL-07-010020, SV-86479r2_rule, CM-6(d), CM-6(3), SI-7(1), CCI-000663, Req-11.5, 1.2.6, SRG-OS-000480-GPOS-00227, 5.10.4.1, 3.3.8, 3.4.1

Description

Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands match vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:

$ rpm -Va | grep '^..5'

A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:

$ rpm -qf FILENAME

The package can be reinstalled from a yum repository using the command:

$ sudo yum reinstall PACKAGENAME

Alternatively, the package can be reinstalled from trusted media using the command:

$ sudo rpm -Uvh PACKAGENAME

Rationale

The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.

OVAL details

verify file md5 hashes passed because these items were not found:

Object oval:ssg-object_files_fail_md5_hash:obj:1 of type rpmverifyfile_object

Behaviors	Name	Epoch	Version	Release	Arch	Filepath	Filter
no value	.*	.*	.*	.*	.*	^/(bin\|sbin\|lib\|lib64\|usr)/.+$	oval:ssg-state_files_fail_md5_hash:ste:1

Install McAfee Virus Scanning Software

Rule ID

xccdf_org.ssgproject.content_rule_install_mcafee_antivirus

Result

fail

Time

2018-04-30T04:25:03

Severity

high

Identifiers and References

Identifiers: CCE-80127-4

References: RHEL-07-032000, SV-86837r1_rule, SC-28, SI-3, SI-3(1)(ii), CCI-000366, CCI-001239, CCI-001668, SRG-OS-000480-GPOS-00227

Description

Install McAfee VirusScan Enterprise for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem.

Rationale

Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.

Warnings

warning Due to McAfee HIPS being 3rd party software, automated remediation is not available for this configuration check.

OVAL details

AntiVirus package is installed failed because these items were missing:

Object oval:ssg-obj_linuxshield_install_antivirus:obj:1 of type rpminfo_object

Name
McAfeeVSEForLinux

Virus Scanning Software Definitions Are Updated

Rule ID	xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated
Result	notchecked
Time	2018-04-30T04:25:03
Severity	medium
Identifiers and References	Identifiers: CCE-80129-0 References: RHEL-07-032010, SV-86839r1_rule, SC-28, SI-3, SI-3(1)(ii), CCI-000366, CCI-001239, CCI-001668, SRG-OS-000480-GPOS-00227
Description	Ensure virus definition files are no older than 7 days or their last release.
Rationale	Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.
Evaluation messages info No candidate or applicable check found.

Enable FIPS Mode in GRUB2

Rule ID xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode

Result

fail

Time 2018-04-30T04:25:03

Severity high

Identifiers and References

Identifiers: CCE-80359-3

References: RHEL-07-021350, SV-86691r2_rule, AC-17(2), CCI-000068, CCI-002450, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, 5.10.1.2, 3.13.8, 3.13.11

Description

To ensure FIPS mode is enabled, rebuild initramfs by running the following command:

dracut -f

After the dracut command has been run, add the argument fips=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"

Finally, rebuild the grub.cfg file by using the

grub2-mkconfig -o

command as follows:

On BIOS-based machines, issue the following command as root:
```
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
```
On UEFI-based machines, issue the following command as root:
```
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
```

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Warnings

warning Running

dracut -f

will overwrite the existing initramfs file.

warning The system needs to be rebooted for these changes to take effect.

warning The ability to enable FIPS does not denote FIPS compliancy or certification. Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community projects such as CentOS, Scientific Linux, etc. do not necessarily meet FIPS certification and compliancy. Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible.

See http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm for a list of FIPS certified vendors.

OVAL details

check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX failed because of these items:

Path	Content
/etc/default/grub	GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel/root rhgb quiet fips=1"

check for GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub failed because these items were missing:

Object oval:ssg-object_grub2_default_exists:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/default/grub	^\sGRUB_CMDLINE_LINUX_DEFAULT=.$	1

check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT failed because these items were missing:

Object oval:ssg-object_grub2_enable_fips_mode_default:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/default/grub	^\sGRUB_CMDLINE_LINUX_DEFAULT="(.)"$	1

State oval:ssg-state_grub2_enable_fips_mode:ste:1 of type textfilecontent54_state

Subexpression
^.fips=1.$

check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX failed because of these items:

Path	Content
/etc/default/grub	GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel/root rhgb quiet fips=1"

Remediation Shell script: (show)



if grep --silent ^PRELINKING /etc/sysconfig/prelink ; then
        sed -i "s/^PRELINKING.*/PRELINKING=no/g" /etc/sysconfig/prelink
else
        echo -e "\n# Set PRELINKING to 'no' per security requirements" >> /etc/sysconfig/prelink
        echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi

prelink -u -a
# Function to install or uninstall packages on RHEL and Fedora systems.
#
# Example Call(s):
#
#     package_command install aide
#     package_command remove telnet-server
#
function package_command {

# Load function arguments into local variables
local package_operation=$1
local package=$2

# Check sanity of the input
if [ $# -ne "2" ]
then
  echo "Usage: package_command 'install/uninstall' 'rpm_package_name"
  echo "Aborting."
  exit 1
fi

# If dnf is installed, use dnf; otherwise, use yum
if [ -f "/usr/bin/dnf" ] ; then
  install_util="/usr/bin/dnf"
else
  install_util="/usr/bin/yum"
fi

if [ "$package_operation" != 'remove' ] ; then
  # If the rpm is not installed, install the rpm
  if ! /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
else
  # If the rpm is installed, uninstall the rpm
  if /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
fi

}

package_command install dracut-fips

dracut -f

if [ -e /sys/firmware/efi ]; then
	BOOT=`df /boot/efi | tail -1 | awk '{print $1 }'`
else
	BOOT=`df /boot | tail -1 | awk '{ print $1 }'`
fi

# Correct the form of default kernel command line in /etc/default/grub
if ! grep -q "^GRUB_CMDLINE_LINUX=\".*fips=1.*\"" /etc/default/grub;
then
  # Append 'fips=1' argument to /etc/default/grub (if not present yet)
  sed -i "s/\(GRUB_CMDLINE_LINUX=\)\"\(.*\)\"/\1\"\2 fips=1\"/" /etc/default/grub
fi

# Edit runtime setting
# Correct the form of kernel command line for each installed kernel in the bootloader
/sbin/grubby --update-kernel=ALL --args="boot=${BOOT} fips=1"

The Installed Operating System Is Vendor Supported and Certified

Rule ID	xccdf_org.ssgproject.content_rule_installed_OS_is_certified
Result	pass
Time	2018-04-30T04:25:03
Severity	high
Identifiers and References	Identifiers: CCE-80349-4 References: RHEL-07-020250, SV-86621r2_rule, SI-2(c), CCI-000366, SRG-OS-000480-GPOS-00227
Description	The installed operating system must be maintained and certified by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches as well as meeting and maintaining goverment certifications and standards.
Rationale	An operating system is considered "supported" if the vendor continues to provide security patches for the product as well as maintain government certification requirements. With an unsupported release, it will not be possible to resolve security issue discovered in the system software as well as meet government certifications.

Disable GDM Automatic Login

Rule ID xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login

Result

pass

Time 2018-04-30T04:25:03

Severity high

Identifiers and References

Identifiers: CCE-80104-3

References: RHEL-07-010440, SV-86577r1_rule, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00229, 3.1.1

Description

The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials. User should always be required to authenticate themselves to the system that they are authorized to use. To disable user ability to automatically login to the system, set the AutomaticLoginEnable to false in the [daemon] section in /etc/gdm/custom.conf. For example:

[daemon]
AutomaticLoginEnable=false

Rationale

Failure to restrict system access to authenticated users negatively impacts operating system security.

OVAL details

Disable GDM Automatic Login passed because these items were not found:

Object oval:ssg-obj_disable_automatic_login:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/gdm/custom.conf	^\[daemon]([^\n]*\n+)+?AutomaticLoginEnable=[Ff]alse$	1

Disable GDM Guest Login

Rule ID xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login

Result

pass

Time 2018-04-30T04:25:03

Severity high

Identifiers and References

Identifiers: CCE-80105-0

References: RHEL-07-010450, SV-86579r2_rule, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00229, 3.1.1

Description

The GNOME Display Manager (GDM) can allow users to login without credentials which can be useful for public kiosk scenarios. Allowing users to login without credentials or "guest" account access has inherent security risks and should be disabled. To do disable timed logins or guest account access, set the TimedLoginEnable to false in the [daemon] section in /etc/gdm/custom.conf. For example:

[daemon]
TimedLoginEnable=false

Rationale

Failure to restrict system access to authenticated users negatively impacts operating system security.

OVAL details

Disable GDM Guest Login passed because these items were not found:

Object oval:ssg-obj_disable_guest_login:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/gdm/custom.conf	^\[daemon]([^\n]*\n+)+?TimedLoginEnable=[Ff]alse$	1

Enable the GNOME3 Login Smartcard Authentication

Rule ID xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth

Result

pass

Time 2018-04-30T04:25:03

Severity medium

Identifiers and References

Identifiers: CCE-80108-4

References: CCI-000765, CCI-000766, CCI-000767, CCI-000768, CCI-000771, CCI-000772, CCI-000884, CCI-001954, Req-8.3, SRG-OS-000375-GPOS-00160, RHEL-07-010061

Description

In the default graphical environment, smart card authentication can be enabled on the login screen by setting enable-smartcard-authentication to true.

To enable, add or edit enable-smartcard-authentication to /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
enable-smartcard-authentication=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/login-screen/enable-smartcard-authentication

After the settings have been set, run dconf update.

Rationale

Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.

OVAL details

Enable GUI Login Smartcard authentication passed because these items were not found:

Object oval:ssg-obj_enable_gnome_smartcard:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/gdm.d/	^.*$	^\[org/gnome/login-screen]([^\n]*\n+)+?enable-smartcard-authentication=true$	1

GUI smartcard authentication cannot be disabled passed because these items were not found:

Object oval:ssg-obj_prevent_user_disable_smartcard:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/gdm.d/locks/	^.*$	^/org/gnome/login-screen/enable-smartcard-authentication$	1

Set GNOME3 Screensaver Inactivity Timeout

Rule ID xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay

Result

pass

Time 2018-04-30T04:25:03

Severity medium

Identifiers and References

Identifiers: CCE-80110-0

References: RHEL-07-010070, SV-86517r2_rule, AC-11(a), CCI-000057, Req-8.1.8, SRG-OS-000029-GPOS-00010, 5.5.5, 3.1.10

Description

The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.

For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings:

[org/gnome/desktop/session]
idle-delay='uint32 900'

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/session/idle-delay

After the settings have been set, run dconf update.

Rationale

OVAL details

screensaver idle delay is configured passed because these items were not found:

Object oval:ssg-obj_screensaver_idle_delay:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/	^.*$	^\[org/gnome/desktop/session]([^\n]\n+)+?idle-delay=uint32[\s][0-9]$	1

user cannot change screensaver idle delay passed because these items were not found:

Object oval:ssg-obj_prevent_user_change_idle_delay:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/locks/	^.*$	^/org/gnome/desktop/session/idle-delay$	1

screensaver idle delay setting is correct passed because these items were not found:

Object oval:ssg-obj_screensaver_idle_delay_setting:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/	^.*$	^idle-delay[\s=]uint32[\s]([^=\s])	1

State oval:ssg-state_screensaver_idle_delay_setting:ste:1 of type textfilecontent54_state

Subexpression
900

Enable GNOME3 Screensaver Idle Activation

Rule ID xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled

Result

pass

Time 2018-04-30T04:25:03

Severity medium

Identifiers and References

Identifiers: CCE-80111-8

References: RHEL-07-010100, SV-86523r1_rule, AC-11(a), CCI-000057, SRG-OS-000029-GPOS-00010, Req-8.1.8, 5.5.5, 3.1.10

Description

To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set idle-activation-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
idle_activation_enabled=true

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/idle-activation-enabled

After the settings have been set, run dconf update.

Rationale

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock.

Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.

OVAL details

idle delay is configured passed because these items were not found:

Object oval:ssg-obj_screensaver_idle_activation_enabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/	^.*$	^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?idle-activation-enabled=true$	1

user cannot change idle_activation_enabled passed because these items were not found:

Object oval:ssg-obj_prevent_user_change_idle_activation_enabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/locks/	^.*$	^/org/gnome/desktop/screensaver/idle-activation-enabled$	1

Enable GNOME3 Screensaver Lock After Idle Period

Rule ID xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled

Result

pass

Time 2018-04-30T04:25:03

Severity medium

Identifiers and References

Identifiers: CCE-80112-6

References: RHEL-07-010060, SV-86515r2_rule, AC-11(b), CCI-000056, Req-8.1.8, SRG-OS-000028-GPOS-00009, OS-SRG-000030-GPOS-00011, 5.5.5, 3.1.10

Description

To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set lock-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
lock-enabled=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/lock-enabled

After the settings have been set, run dconf update.

Rationale

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense.

OVAL details

screensaver lock is enabled passed because these items were not found:

Object oval:ssg-obj_screensaver_lock_enabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/	^.*$	^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-enabled=true$	1

screensaver lock cannot be changed by user passed because these items were not found:

Object oval:ssg-obj_prevent_user_screensaver_lock:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/locks/	^.*$	^/org/gnome/desktop/screensaver/lock-enabled$	1

Set GNOME3 Screensaver Lock Delay After Activation Period

Rule ID xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay

Result

pass

Time 2018-04-30T04:25:03

Severity medium

Identifiers and References

Identifiers: CCE-80370-0

References: RHEL-07-010110, SV-86525r1_rule, AC-11(a), CCI-000056, Req-8.1.8, OS-SRG-000029-GPOS-00010, 3.1.10

Description

To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set lock-delay to uint32 5 in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
lock-delay=uint32 5

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/lock-delay

After the settings have been set, run dconf update.

Rationale

OVAL details

screensaver lock is set correctly passed because these items were not found:

Object oval:ssg-obj_screensaver_lock_delay:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/	^.*$	^\[org/gnome/desktop/screensaver]([^\n]\n+)+?lock-delay=uint32[\s][0-9]$	1

screensaver lock delay cannot be changed by user passed because these items were not found:

Object oval:ssg-obj_prevent_user_lock_delay:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/locks/	^.*$	^/org/gnome/desktop/screensaver/lock-delay$	1

screensaver lock delay setting is correct passed because these items were not found:

Object oval:ssg-obj_screensaver_lock_delay_setting:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/	^.*$	^lock-delay[\s=]uint32[\s]([^=\s])	1

State oval:ssg-state_screensaver_lock_delay_setting:ste:1 of type textfilecontent54_state

Subexpression

Ensure Users Cannot Change GNOME3 Screensaver Settings

Rule ID xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks

Result

pass

Time 2018-04-30T04:25:03

Severity medium

Identifiers and References

Identifiers: CCE-80371-8

References: RHEL-07-010081, SV-87807r2_rule, AC-11(a), CCI-000057, SRG-OS-00029-GPOS-0010, 3.1.10

Description

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/lock-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/lock-delay

After the settings have been set, run dconf update.

Rationale

OVAL details

screensaver lock delay cannot be changed by user passed because these items were not found:

Object oval:ssg-obj_user_change_lock_delay_lock:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/locks/	^.*$	^/org/gnome/desktop/screensaver/lock-delay$	1

Ensure Users Cannot Change GNOME3 Session Idle Settings

Rule ID xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks

Result

pass

Time 2018-04-30T04:25:03

Severity medium

Identifiers and References

Identifiers: CCE-80544-0

References: RHEL-07-010082, SV-87809r2_rule, AC-11(a), CCI-000057, SRG-OS-00029-GPOS-0010, 3.1.10

Description

If not already configured, ensure that users cannot change GNOME3 session idle settings by adding /org/gnome/desktop/session/idle-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/session/idle-delay

After the settings have been set, run dconf update.

Rationale

OVAL details

user cannot change screensaver idle delay passed because these items were not found:

Object oval:ssg-obj_user_change_idle_delay_lock:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/local.d/locks/	^.*$	^/org/gnome/desktop/session/idle-delay$	1

Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

Rule ID xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd

Result

pass

Time 2018-04-30T04:25:03

Severity medium

Identifiers and References

Identifiers: CCE-80351-0

References: RHEL-07-010340, SV-86571r1_rule, IA-11, CCI-002038, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158

Description

The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

OVAL details

NOPASSWD does not exist /etc/sudoers passed because these items were not found:

Object oval:ssg-object_nopasswd_etc_sudoers:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sudoers	^(?!#).[\s]+NOPASSWD[\s]\:.*$	1

NOPASSWD does not exist in /etc/sudoers.d passed because these items were not found:

Object oval:ssg-object_nopasswd_etc_sudoers_d:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sudoers.d	^.*$	^(?!#).[\s]+NOPASSWD[\s]\:.*$	1

Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

Rule ID xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate

Result

pass

Time 2018-04-30T04:25:03

Severity medium

Identifiers and References

Identifiers: CCE-80350-2

References: RHEL-07-010350, SV-86573r2_rule, IA-11, CCI-002038, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158

Description

The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

OVAL details

!authenticate does not exist in /etc/sudoers passed because these items were not found:

Object oval:ssg-object_no_authenticate_etc_sudoers:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sudoers	^(?!#).[\s]+\!authenticate.$	1

!authenticate does not exist in /etc/sudoers.d passed because these items were not found:

Object oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sudoers.d	^.*$	^(?!#).[\s]+\!authenticate.$	1

Add nosuid Option to Removable Media Partitions

Rule ID xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions

Result

pass

Time 2018-04-30T04:25:04

Severity low

Identifiers and References

Identifiers: CCE-80148-0

References: RHEL-07-021010, SV-86667r1_rule, AC-6, AC-19(a), AC-19(d), AC-19(e), CM-7, MP-2, 1.1.19, CCI-000366, SRG-OS-000480-GPOS-00227

Description

The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs.

OVAL details

'nosuid' mount option used for at least one CD / DVD drive alternative names in /etc/fstab passed because these items were not found:

Object oval:ssg-object_nosuid_etc_fstab_cd_dvd_drive:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$

^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$

^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$

^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$

/dev/cdrom

/dev/dvd

/dev/scd0

/dev/sr0

/etc/fstab

State oval:ssg-state_nosuid_etc_fstab_cd_dvd_drive:ste:1 of type textfilecontent54_state

Subexpression
^.,?nosuid,?.$

'nosuid' mount option used for at least one CD / DVD drive alternative names in runtime configuration passed because these items were not found:

Object oval:ssg-object_nosuid_runtime_cd_dvd_drive:obj:1 of type partition_object

Mount point	Filter
^.*$	oval:ssg-state_nosuid_runtime_cd_dvd_drive:ste:1

Check if removable partition is configured with 'nosuid' mount option in /etc/fstab passed because these items were not found:

Object oval:ssg-object_nosuid_etc_fstab_not_cd_dvd_drive:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$

/dev/cdrom

/etc/fstab

State oval:ssg-state_nosuid_etc_fstab_not_cd_dvd_drive:ste:1 of type textfilecontent54_state

Subexpression
^.,?nosuid,?.

'nosuid' mount option used for removable partition in runtime configuration passed because these items were not found:

Object oval:ssg-object_nosuid_runtime_not_cd_dvd_drive:obj:1 of type partition_object

Mount point	Filter
^.*$	oval:ssg-state_nosuid_runtime_not_cd_dvd_drive:ste:1

Add nosuid Option to /home

Rule ID xccdf_org.ssgproject.content_rule_mount_option_home_nosuid

Result

pass

Time 2018-04-30T04:25:04

Severity low

Identifiers and References

Identifiers: CCE-81153-9

References: RHEL-07-021000, SV-86665r2_rule, CM-7, MP-2, 1.1.3

Description

The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions.

OVAL details

nosuid on /home passed because of these items:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/home	/dev/mapper/rhel-home	10600811-e301-4706-8db5-0992625ee01a	xfs	rw	seclabel	nosuid	relatime	attr2	inode64	noquota	bind	259584	8264	251320

Disable Modprobe Loading of USB Storage Driver

Rule ID xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled

Result

pass

Time 2018-04-30T04:25:04

Severity medium

Identifiers and References

Identifiers: CCE-27277-3

References: RHEL-07-020100, SV-86607r1_rule, AC-19(a), AC-19(d), AC-19(e), IA-3, CCI-000366, CCI-000778, CCI-001958, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-0016, SRG-OS-000480-GPOS-00227, 3.1.21

Description

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install usb-storage /bin/true

This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.

Rationale

USB storage devices such as thumb drives can be used to introduce malicious software.

OVAL details

kernel module usb-storage disabled passed because of these items:

Path	Content
/etc/modprobe.d/usb-storage.conf	install usb-storage /bin/true

kernel module usb-storage disabled in /etc/modprobe.conf passed because these items were not found:

Object oval:ssg-obj_kernmod_usb-storage_modprobeconf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/modprobe.conf	^\s*install\s+usb-storage\s+(/bin/false\|/bin/true)$	1

kernel module usb-storage disabled in /etc/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_usb-storage_etcmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/modules-load.d	^.*\.conf$	^\s*install\s+usb-storage\s+(/bin/false\|/bin/true)$	1

kernel module usb-storage disabled in /run/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_usb-storage_runmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/modules-load.d	^.*\.conf$	^\s*install\s+usb-storage\s+(/bin/false\|/bin/true)$	1

kernel module usb-storage disabled in /usr/lib/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_usb-storage_libmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/modules-load.d	^.*\.conf$	^\s*install\s+usb-storage\s+(/bin/false\|/bin/true)$	1

Disable the Automounter

Rule ID xccdf_org.ssgproject.content_rule_service_autofs_disabled

Result

pass

Time 2018-04-30T04:25:04

Severity medium

Identifiers and References

Identifiers: CCE-27498-5

References: RHEL-07-020110, SV-86609r1_rule, AC-19(a), AC-19(d), AC-19(e), IA-3, CCI-000366, CCI-000778, CCI-001958, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 3.4.6, 1.1.22

Description

The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

The autofs service can be disabled with the following command:

$ sudo systemctl disable autofs.service

Rationale

Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab.

Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.

OVAL details

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	systemd-machine-id-commit.service	cryptsetup.target	systemd-journal-flush.service	dev-mqueue.mount	systemd-journald.service	sys-kernel-config.mount	local-fs.target	home.mount	var.mount	var-log-audit.mount	-.mount	tmp.mount	boot.mount	rhel-readonly.service	systemd-remount-fs.service	systemd-firstboot.service	dev-hugepages.mount	rhel-loadmodules.service	systemd-udev-trigger.service	systemd-binfmt.service	sys-kernel-debug.mount	systemd-update-utmp.service	systemd-udevd.service	systemd-tmpfiles-setup.service	kmod-static-nodes.service	systemd-sysctl.service	sys-fs-fuse-connections.mount	systemd-ask-password-console.path	lvm2-lvmpolld.socket	rhel-autorelabel.service	plymouth-read-write.service	swap.target	systemd-update-done.service	systemd-vconsole-setup.service	systemd-random-seed.service	lvm2-monitor.service	systemd-tmpfiles-setup-dev.service	plymouth-start.service	lvm2-lvmetad.socket	proc-sys-fs-binfmt_misc.automount	rhel-domainname.service	systemd-journal-catalog-update.service	systemd-hwdb-update.service	systemd-modules-load.service	rhel-import-state.service	microcode.service	rhel-dmesg.service	selinux-policy-migrate-local-changes@targeted.service	slices.target	-.slice	system.slice	paths.target	sockets.target	dm-event.socket	dbus.socket	pcscd.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	systemd-shutdownd.socket	systemd-udevd-kernel.socket	timers.target	systemd-tmpfiles-clean.timer	rhel-configure.service	irqbalance.service	postfix.service	systemd-user-sessions.service	tuned.service	plymouth-quit-wait.service	dbus.service	rsyslog.service	kdump.service	systemd-readahead-replay.service	brandbot.path	systemd-ask-password-wall.path	network.service	remote-fs.target	rhnsd.service	rhsmcertd.service	plymouth-quit.service	firewalld.service	sshd.service	crond.service	NetworkManager.service	getty.target	getty@tty1.service	systemd-update-utmp-runlevel.service	chronyd.service	auditd.service	systemd-readahead-collect.service	systemd-logind.service

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	systemd-machine-id-commit.service	cryptsetup.target	systemd-journal-flush.service	dev-mqueue.mount	systemd-journald.service	sys-kernel-config.mount	local-fs.target	home.mount	var.mount	var-log-audit.mount	-.mount	tmp.mount	boot.mount	rhel-readonly.service	systemd-remount-fs.service	systemd-firstboot.service	dev-hugepages.mount	rhel-loadmodules.service	systemd-udev-trigger.service	systemd-binfmt.service	sys-kernel-debug.mount	systemd-update-utmp.service	systemd-udevd.service	systemd-tmpfiles-setup.service	kmod-static-nodes.service	systemd-sysctl.service	sys-fs-fuse-connections.mount	systemd-ask-password-console.path	lvm2-lvmpolld.socket	rhel-autorelabel.service	plymouth-read-write.service	swap.target	systemd-update-done.service	systemd-vconsole-setup.service	systemd-random-seed.service	lvm2-monitor.service	systemd-tmpfiles-setup-dev.service	plymouth-start.service	lvm2-lvmetad.socket	proc-sys-fs-binfmt_misc.automount	rhel-domainname.service	systemd-journal-catalog-update.service	systemd-hwdb-update.service	systemd-modules-load.service	rhel-import-state.service	microcode.service	rhel-dmesg.service	selinux-policy-migrate-local-changes@targeted.service	slices.target	-.slice	system.slice	paths.target	sockets.target	dm-event.socket	dbus.socket	pcscd.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	systemd-shutdownd.socket	systemd-udevd-kernel.socket	timers.target	systemd-tmpfiles-clean.timer	rhel-configure.service	irqbalance.service	postfix.service	systemd-user-sessions.service	tuned.service	plymouth-quit-wait.service	dbus.service	rsyslog.service	kdump.service	systemd-readahead-replay.service	brandbot.path	systemd-ask-password-wall.path	network.service	remote-fs.target	rhnsd.service	rhsmcertd.service	plymouth-quit.service	firewalld.service	sshd.service	crond.service	NetworkManager.service	getty.target	getty@tty1.service	systemd-update-utmp-runlevel.service	chronyd.service	auditd.service	systemd-readahead-collect.service	systemd-logind.service

Test that the autofs service is not running passed because these items were not found:

Object oval:ssg-obj_service_not_running_autofs:obj:1 of type systemdunitproperty_object

Unit	Property
autofs\.(service\|socket)	ActiveState

State oval:ssg-state_service_not_running_autofs:ste:1 of type systemdunitproperty_state

Value
inactive

Ensure All Files Are Owned by a User

Rule ID

xccdf_org.ssgproject.content_rule_no_files_unowned_by_user

Result

pass

Time

2018-04-30T04:25:14

Severity

medium

Identifiers and References

Identifiers: CCE-80134-0

References: RHEL-07-020320, SV-86631r1_rule, AC-3(4), AC-6, CM-6(b), CCI-002165, SRG-OS-000480-GPOS-00227, 6.1.11

Description

If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user.

Rationale

Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.

OVAL details

Check user ids on all files on the system passed because these items were not found:

Object oval:ssg-file_permissions_unowned_object:obj:1 of type file_object

Behaviors	Path	Filename	Filter
no value	/	.*	oval:ssg-file_permissions_unowned_userid_list_match:ste:1

Ensure All Files Are Owned by a Group

Rule ID

xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned

Result

pass

Time

2018-04-30T04:25:27

Severity

medium

Identifiers and References

Identifiers: CCE-80135-7

References: RHEL-07-020330, SV-86633r1_rule, AC-3(4), AC-6, IA-2, CCI-002165, SRG-OS-000480-GPOS-00227, 6.1.12

Description

If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group.

Rationale

OVAL details

files with no group owner passed because these items were not found:

Object oval:ssg-object_file_permissions_ungroupowned:obj:1 of type file_object

Behaviors	Path	Filename	Filter
no value	/	.*	oval:ssg-state_file_permissions_ungroupowned:ste:1

Ensure All World-Writable Directories Are Owned by a System Account

Rule ID

xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned

Result

pass

Time

2018-04-30T04:25:29

Severity

low

Identifiers and References

Identifiers: CCE-80136-5

References: RHEL-07-021030, SV-86671r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227

Description

All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.

Rationale

Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

OVAL details

check for local directories that are world writable and have uid greater than or equal to 1000 passed because these items were not found:

Object oval:ssg-all_local_directories:obj:1 of type file_object

Behaviors	Path	Filename	Filter
no value	/	no value	oval:ssg-state_gid_is_user_and_world_writable:ste:1

State oval:ssg-state_gid_is_user_and_world_writable:ste:1 of type file_state

User id	Owrite
1000	true

Enable Randomized Layout of Virtual Address Space

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
Result	pass
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-27127-0 References: SC-30(2), 1.5.1, 3.1.7, CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-040201
Description	To set the runtime status of the `kernel.randomize_va_space` kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2 If this is not the system's default value, add the following line to `/etc/sysctl.conf`: kernel.randomize_va_space = 2
Rationale	Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.

Ensure SELinux State is Enforcing

Rule ID xccdf_org.ssgproject.content_rule_selinux_state

Result

pass

Time 2018-04-30T04:25:29

Severity high

Identifiers and References

Identifiers: CCE-27334-2

References: RHEL-07-020210, SV-86613r2_rule, AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), CCI-002165, CCI-002696, 1.6.1.2, SRG-OS-000445-GPOS-00199, 3.1.2, 3.7.2

Description

The SELinux state should be set to enforcing at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:

SELINUX=enforcing

Rationale

Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.

OVAL details

/selinux/enforce is 1 passed because of these items:

Path	Content
/etc/selinux/config	SELINUX=enforcing

Configure SELinux Policy

Rule ID xccdf_org.ssgproject.content_rule_selinux_policytype

Result

pass

Time 2018-04-30T04:25:29

Severity high

Identifiers and References

Identifiers: CCE-27279-9

References: RHEL-07-020220, SV-86615r2_rule, AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), CCI-002696, 1.6.1.3, SRG-OS-000445-GPOS-00199, 3.1.2, 3.7.2

Description

The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:

SELINUXTYPE=targeted

Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.

Rationale

Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to targeted.

OVAL details

Tests the value of the ^[\s]SELINUXTYPE[\s]=[\s]([^#]) expression in the /etc/selinux/config file passed because of these items:

Path	Content
/etc/selinux/config	SELINUXTYPE=targeted

Ensure No Device Files are Unlabeled by SELinux

Rule ID xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27326-8

References: RHEL-07-020900, SV-86663r1_rule, AC-6, AU-9, CM-3(f), CM-7, CCI-000022, CCI-000032, CCI-000368, CCI-000318, CCI-001812, CCI-001813, CCI-001814, SRG-OS-000480-GPOS-00227, 3.1.2, 3.1.5, 3.7.2

Description

Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files do not carry the SELinux type device_t, report the bug so that policy can be corrected. Supply information about what the device is and what programs use it.

To check for unlabeled device files, run the following command:

$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"

It should produce no output in a well-configured system.

Rationale

If a device file carries the SELinux type device_t, then SELinux cannot properly restrict access to the device file.

OVAL details

device_t in /dev passed because these items were not found:

Object oval:ssg-object_selinux_all_devicefiles_labeled:obj:1 of type selinuxsecuritycontext_object

Behaviors	Path	Filename	Filter
no value	/dev	^.*$	oval:ssg-state_selinux_all_devicefiles_labeled:ste:1

State oval:ssg-state_selinux_all_devicefiles_labeled:ste:1 of type selinuxsecuritycontext_state

Type
device_t

Map System Users To The Appropriate SELinux Role

Rule ID	xccdf_org.ssgproject.content_rule_selinux_user_login_roles
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80543-2 References: CCI-002235, SRG-OS-000324-GPOS-00125, RHEL-07-020020, SV-86595r1_rule
Description	Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. All administrators must be mapped to the `sysadm_u` or `staff_u` users with the appropriate domains (`sysadm_t` and `staff_t`). $ sudo semanage login -m -s sysadm_u USER or $ sudo semanage login -m -s staff_u USER All authorized non-administrative users must be mapped to the `user_u` role or the appropriate domain (user_t). $ sudo semanage login -m -s user_u USER
Rationale	Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.
Evaluation messages info No candidate or applicable check found.

Verify Only Root Has UID 0

Rule ID

xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero

Result

pass

Time

2018-04-30T04:25:29

Severity

high

Identifiers and References

Identifiers: CCE-27175-9

References: RHEL-07-020310, SV-86629r1_rule, AC-6, IA-2(1), IA-4, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.1, 3.1.5, 6.2.5

Description

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.

Rationale

An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

OVAL details

test that there are no accounts with UID 0 except root in the /etc/passwd file passed because these items were not found:

Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/passwd	^(?!root:)[^:]:[^:]:0	1

Prevent Log In to Accounts With Empty Password

Rule ID xccdf_org.ssgproject.content_rule_no_empty_passwords

Result

pass

Time 2018-04-30T04:25:29

Severity high

Identifiers and References

Identifiers: CCE-27286-4

References: RHEL-07-010290, SV-86561r1_rule, AC-6, IA-5(b), IA-5(c), IA-5(1)(a), CCI-000366, SRG-OS-000480-GPOS-00227, Req-8.2.3, 5.5.2, 3.1.1, 3.1.5

Description

If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.

Rationale

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

OVAL details

make sure nullok is not used in /etc/pam.d/system-auth passed because these items were not found:

Object oval:ssg-object_no_empty_passwords:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/system-auth	\snullok\s	1

All GIDs referenced in /etc/passwd must be defined in /etc/group

Rule ID

xccdf_org.ssgproject.content_rule_gid_passwd_group_same

Result

pass

Time

2018-04-30T04:25:29

Severity

low

Identifiers and References

Identifiers: CCE-27503-2

References: RHEL-07-020300, SV-86627r1_rule, IA-2, CCI-000764, SRG-OS-000104-GPOS-00051, Req-8.5.a, 5.5.2

Description

Add a group to the system for each GID referenced without a corresponding group.

Rationale

If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Gruop Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group.

OVAL details

Verify all GIDs referenced in /etc/passwd are defined in /etc/group passed because of these items:

Path	Content
/etc/passwd	root:x:0:0:
/etc/passwd	bin:x:1:1:
/etc/passwd	daemon:x:2:2:
/etc/passwd	adm:x:3:4:
/etc/passwd	lp:x:4:7:
/etc/passwd	sync:x:5:0:
/etc/passwd	shutdown:x:6:0:
/etc/passwd	halt:x:7:0:
/etc/passwd	mail:x:8:12:
/etc/passwd	operator:x:11:0:
/etc/passwd	games:x:12:100:
/etc/passwd	ftp:x:14:50:
/etc/passwd	nobody:x:99:99:
/etc/passwd	systemd-network:x:192:192:
/etc/passwd	dbus:x:81:81:
/etc/passwd	polkitd:x:999:998:
/etc/passwd	sshd:x:74:74:
/etc/passwd	postfix:x:89:89:
/etc/passwd	chrony:x:998:996:
/etc/passwd	admin:x:1000:1000:

Set Password Minimum Age

Rule ID xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27002-5

References: RHEL-07-010230, SV-86549r1_rule, IA-5(f), IA-5(1)(d), CCI-000198, SRG-OS-000075-GPOS-00043, 3.5.8, 5.6.2.1.1

Description

To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MIN_DAYS 1

A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is 1.

Rationale

Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.

OVAL details

The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs passed because of these items:

Var ref	Value
oval:ssg-variable_last_pass_min_days_instance_value:var:1	1

Set Password Maximum Age

Rule ID xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27051-2

References: RHEL-07-010250, SV-86553r1_rule, IA-5(f), IA-5(g), IA-5(1)(d), CCI-000199, SRG-OS-000076-GPOS-00044, Req-8.2.4, 5.4.1.1, 5.6.2.1, 3.5.6

Description

To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MAX_DAYS 60

A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is 60.

Rationale

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.

OVAL details

The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs passed because of these items:

Var ref	Value
oval:ssg-variable_last_pass_max_days_instance_value:var:1	60

Set Existing Passwords Minimum Age

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80521-8 References: CCI-000198, SRG-OS-000075-GPOS-00043, RHEL-07-010240, SV-86551r1_rule
Description	Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command: $ sudo chage -m 1 USER
Rationale	Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Evaluation messages info No candidate or applicable check found.

Set Existing Passwords Maximum Age

Rule ID	xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80522-6 References: CCI-000199, SRG-OS-000076-GPOS-00044, RHEL-07-010260, SV-86555r1_rule
Description	Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command: $ sudo chage -M 60 USER
Rationale	Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
Evaluation messages info No candidate or applicable check found.

Set Account Expiration Following Inactivity

Rule ID xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27355-7

References: RHEL-07-010310, SV-86565r1_rule, AC-2(2), AC-2(3), IA-4(e), CCI-000795, SRG-OS-000118-GPOS-00060, Req-8.1.4, 3.5.6, 5.6.2.1.1

Description

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in /etc/default/useradd, substituting NUM_DAYS appropriately:

INACTIVE=0

A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.

Rationale

Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.

OVAL details

the value INACTIVE parameter should be set appropriately in /etc/default/useradd passed because of these items:

Path	Content
/etc/default/useradd	INACTIVE=0

Set Password Retry Prompts Permitted Per-Session

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_retry

Result

pass

Time 2018-04-30T04:25:29

Severity low

Identifiers and References

Identifiers: CCE-27160-1

References: RHEL-07-010119, SV-87811r2_rule, CM-6(b), IA-5(c), CCI-000366, 6.3.2, SRG-OS-000480-GPOS-00225, 5.5.3

Description

To configure the number of retry prompts that are permitted per-session:

Edit the pam_pwquality.so statement in /etc/pam.d/system-auth to show retry=3, or a lower value if site policy is more restrictive.

The DoD requirement is a maximum of 3 prompts per session.

Rationale

Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.

OVAL details

check the configuration of /etc/pam.d/system-auth passed because these items were not found:

Object oval:ssg-obj_password_pam_cracklib_retry:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/system-auth	^\spassword\s+(?:(?:required)\|(?:requisite))\s+pam_cracklib\.so.retry=([0-9]).$	1

State oval:ssg-state_password_pam_retry:ste:1 of type textfilecontent54_state

Subexpression
3

check the configuration of /etc/pam.d/system-auth passed because of these items:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

Set Password Maximum Consecutive Repeating Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27333-4

References: RHEL-07-010180, SV-86539r1_rule, IA-5, IA-5(c), CCI-000195, SRG-OS-000072-GPOS-00040

Description

The pam_pwquality module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modify the maxrepeat setting in /etc/security/pwquality.conf to equal 2 to prevent a run of (2 + 1) or more identical characters.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.

OVAL details

check the configuration of /etc/security/pwquality.conf passed because of these items:

Path	Content
/etc/security/pwquality.conf	maxrepeat = 2

Set Password to Maximum of Consecutive Repeating Characters from Same Character Class

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27512-3

References: RHEL-07-010190, SV-86541r1_rule, IA-5, IA-5(c), CCI-000195, SRG-OS-000072-GPOS-00040

Description

The pam_pwquality module's maxclassrepeat parameter controls requirements for consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters from the same character class. Modify the maxclassrepeat setting in /etc/security/pwquality.conf to equal 4 to prevent a run of (4 + 1) or more identical characters.

Rationale

Use of a complex password helps to increase the time and resources required to comrpomise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.

OVAL details

check the configuration of /etc/security/pwquality.conf passed because of these items:

Path	Content
/etc/security/pwquality.conf	maxclassrepeat = 4

Set Password Strength Minimum Digit Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27214-6

References: RHEL-07-010140, SV-86531r2_rule, IA-5(1)(a), IA-5(b), IA-5(c), 194, CCI-000194, SRG-OS-000071-GPOS-00039, Req-8.2.3, 6.3.2

Description

The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

OVAL details

check the configuration of /etc/security/pwquality.conf passed because of these items:

Path	Content
/etc/security/pwquality.conf	dcredit = -1

Set Password Minimum Length

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27293-0

References: RHEL-07-010280, SV-86559r1_rule, IA-5(1)(a), CCI-000205, SRG-OS-000078-GPOS-00046, Req-8.2.3, 6.3.2, 5.6.2.1.1

Description

The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen=15 after pam_pwquality to set minimum password length requirements.

Rationale

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password.

OVAL details

check the configuration of /etc/security/pwquality.conf passed because of these items:

Path	Content
/etc/security/pwquality.conf	minlen = 15

Set Password Strength Minimum Uppercase Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27200-5

References: RHEL-07-010120, SV-86527r2_rule, IA-5(b), IA-5(c), IA-5(1)(a), CCI-000192, SRG-OS-000069-GPOS-00037, Req-8.2.3, 6.3.2

Description

The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.

Rationale

Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

OVAL details

check the configuration of /etc/security/pwquality.conf passed because of these items:

Path	Content
/etc/security/pwquality.conf	ucredit = -1

Set Password Strength Minimum Special Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27360-7

References: RHEL-07-010150, SV-86533r1_rule, IA-5(b), IA-5(c), IA-5(1)(a), CCI-001619, SRG-OS-000266-GPOS-00101

Description

The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to equal -1 to require use of a special character in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.

OVAL details

check the configuration of /etc/security/pwquality.conf passed because of these items:

Path	Content
/etc/security/pwquality.conf	ocredit = -1

Set Password Strength Minimum Lowercase Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27345-8

References: RHEL-07-010130, SV-86529r2_rule, IA-5(b), IA-5(c), IA-5(1)(a), CCI-000193, SRG-OS-000070-GPOS-00038, Req-8.2.3

Description

The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

OVAL details

check the configuration of /etc/security/pwquality.conf passed because of these items:

Path	Content
/etc/security/pwquality.conf	lcredit = -1

Set Password Strength Minimum Different Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_difok

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-26631-2

References: RHEL-07-010160, SV-86535r1_rule, IA-5(b), IA-5(c), IA-5(1)(b), CCI-000195, SRG-OS-000072-GPOS-00040, 5.6.2.1.1

Description

The pam_pwquality module's difok parameter sets the number of characters in a password that must not be present in and old password during a password change.

Modify the difok setting in /etc/security/pwquality.conf to equal 8 to require differing characters when changing passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute–force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.

OVAL details

check the configuration of /etc/security/pwquality.conf passed because of these items:

Path	Content
/etc/security/pwquality.conf	difok = 8

Set Password Strength Minimum Different Categories

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27115-5

References: RHEL-07-010170, SV-86537r1_rule, IA-5, CCI-000195, SRG-OS-000072-GPOS-00040

Description

The pam_pwquality module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available:

* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)

Modify the minclass setting in /etc/security/pwquality.conf entry to require 4 differing categories of characters when changing passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space.

OVAL details

check the configuration of /etc/security/pwquality.conf passed because of these items:

Path	Content
/etc/security/pwquality.conf	minclass = 4

Set Deny For Failed Password Attempts

Rule ID xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27350-8

References: RHEL-07-010320, SV-86567r2_rule, AC-7(b), CCI-002238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, Req-8.1.6, 5.3.2, 5.5.3, 3.1.8

Description

To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

add the following line immediately before the pam_unix.so statement in the AUTH section:

auth required pam_faillock.so preauth silent deny=3 unlock_time=never fail_interval=900

add the following line immediately after the pam_unix.so statement in the AUTH section:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never fail_interval=900

add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
```
account required pam_faillock.so
```

Rationale

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.

OVAL details

Check pam_faillock.so preauth silent present, with correct deny value, and is followed by pam_unix. passed because of these items:

Path	Content
/etc/pam.d/system-auth	auth required pam_faillock.so preauth silent deny=3 unlock_time=never even_deny_root fail_interval=900 auth sufficient pam_unix.so try_first_pass

Check if pam_faillock.so is called in account phase before pam_unix passed because of these items:

Path	Content
/etc/pam.d/system-auth	account required pam_faillock.so account required pam_unix.so

Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth, has correct deny value, and is followed by pam_unix passed because of these items:

Path	Content
/etc/pam.d/password-auth	auth required pam_faillock.so preauth silent deny=3 unlock_time=never even_deny_root fail_interval=900 auth sufficient pam_unix.so try_first_pass

Check if pam_faillock_so is called in account phase before pam_unix. passed because of these items:

Path	Content
/etc/pam.d/password-auth	account required pam_faillock.so account required pam_unix.so

Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value passed because these items were not found:

Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_system-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin	/etc/pam.d/system-auth	1

State oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1 of type textfilecontent54_state

Subexpression
3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin

Check control values of pam_unix, that it is followed by pam_faillock.so authfail and deny value of pam_faillock.so authfail passed because of these items:

Path	Content
/etc/pam.d/system-auth	auth sufficient pam_unix.so try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth [default=die] pam_faillock.so authfail deny=3

Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value passed because these items were not found:

Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_password-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin	/etc/pam.d/password-auth	1

State oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1 of type textfilecontent54_state

Subexpression
3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin

Check pam_faillock authfail is present after pam_unix, check pam_unix has proper control values, and authfail deny value is correct. passed because of these items:

Path	Content
/etc/pam.d/password-auth	auth sufficient pam_unix.so try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth [default=die] pam_faillock.so authfail deny=3

Set Lockout Time For Failed Password Attempts

Rule ID xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-26884-7

References: RHEL-07-010320, SV-86567r2_rule, AC-7(b), CCI-002238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, Req-8.1.7, 5.3.2, 5.5.3, 3.1.8

Description

To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

add the following line immediately before the pam_unix.so statement in the AUTH section:

auth required pam_faillock.so preauth silent deny=3 unlock_time=never fail_interval=900

add the following line immediately after the pam_unix.so statement in the AUTH section:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never fail_interval=900

add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
```
account required pam_faillock.so
```

Rationale

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.

OVAL details

check preauth maximum failed login attempts allowed in /etc/pam.d/system-auth passed because of these items:

Path	Content
/etc/pam.d/system-auth	auth required pam_faillock.so preauth silent deny=3 unlock_time=never even_deny_root fail_interval=900

check authfail maximum failed login attempts allowed in /etc/pam.d/system-auth passed because of these items:

Path	Content
/etc/pam.d/system-auth	auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never even_deny_root fail_interval=900

check authfail maximum failed login attempts allowed in /etc/pam.d/password-auth passed because of these items:

Path	Content
/etc/pam.d/password-auth	auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never even_deny_root fail_interval=900

check preauth maximum failed login attempts allowed in /etc/pam.d/password-auth passed because of these items:

Path	Content
/etc/pam.d/password-auth	auth required pam_faillock.so preauth silent deny=3 unlock_time=never even_deny_root fail_interval=900

Configure the root Account for Failed Password Attempts

Rule ID xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-80353-6

References: RHEL-07-010330, SV-86569r1_rule, AC-7(b), CCI-002238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005

Description

To configure the system to lock out the root account after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

Modify the following line in the AUTH section to add even_deny_root:

auth required pam_faillock.so preauth silent even_deny_root deny=3 unlock_time=never fail_interval=900

Modify the following line in the AUTH section to add even_deny_root:

auth [default=die] pam_faillock.so authfail even_deny_root deny=3 unlock_time=never fail_interval=900

Rationale

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

OVAL details

Check pam_faillock.so preauth silent present in /etc/pam.d/system-auth passed because of these items:

Path	Content
/etc/pam.d/system-auth	auth required pam_faillock.so preauth silent deny=3 unlock_time=never even_deny_root fail_interval=900 auth sufficient pam_unix.so try_first_pass

Check maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail) passed because of these items:

Path	Content
/etc/pam.d/system-auth	auth sufficient pam_unix.so try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never even_deny_root fail_interval=900

Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth passed because of these items:

Path	Content
/etc/pam.d/password-auth	auth required pam_faillock.so preauth silent deny=3 unlock_time=never even_deny_root fail_interval=900 auth sufficient pam_unix.so try_first_pass

Check maximum failed login attempts allowed in /etc/pam.d/password-auth (authfail) passed because of these items:

Path	Content
/etc/pam.d/password-auth	auth sufficient pam_unix.so try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never even_deny_root fail_interval=900

Set Interval For Counting Failed Password Attempts

Rule ID xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27297-1

References: RHEL-07-010320, SV-86567r2_rule, AC-7(b), CCI-002238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005

Description

Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an accounts after a number of incorrect login attempts within a specified time period. Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

Add the following line immediately before the pam_unix.so statement in the AUTH section:

auth required pam_faillock.so preauth silent deny=3 unlock_time=never fail_interval=900

Add the following line immediately after the pam_unix.so statement in the AUTH section:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never fail_interval=900

Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
```
account required pam_faillock.so
```

Rationale

By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

OVAL details

check maximum preauth fail_interval allowed in /etc/pam.d/system-auth passed because of these items:

Path	Content
/etc/pam.d/system-auth	auth required pam_faillock.so preauth silent deny=3 unlock_time=never even_deny_root fail_interval=900

check maximum authfail fail_interval allowed in /etc/pam.d/system-auth passed because of these items:

Path	Content
/etc/pam.d/system-auth	auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never even_deny_root fail_interval=900

check maximum authfail fail_interval allowed in /etc/pam.d/password-auth passed because of these items:

Path	Content
/etc/pam.d/password-auth	auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never even_deny_root fail_interval=900

check maximum preauth fail_interval allowed in /etc/pam.d/password-auth passed because of these items:

Path	Content
/etc/pam.d/password-auth	auth required pam_faillock.so preauth silent deny=3 unlock_time=never even_deny_root fail_interval=900

Limit Password Reuse

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-26923-3

References: RHEL-07-010270, SV-86557r1_rule, IA-5(f), IA-5(1)(e), CCI-000200, SRG-OS-000077-GPOS-00045, Req-8.2.5, 5.3.3, 5.6.2.1.1, 3.5.8

Description

Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules.

In the file /etc/pam.d/system-auth, append remember=5 to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below:

for the pam_unix.so case:

password sufficient pam_unix.so ...existing_options... remember=5

for the pam_pwhistory.so case:

password requisite pam_pwhistory.so ...existing_options... remember=5

The DoD STIG requirement is 5 passwords.

Rationale

Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

OVAL details

Test if remember attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth passed because of these items:

Path	Content
/etc/pam.d/system-auth	password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5

Test if remember attribute of pam_pwhistory.so is set correctly in /etc/pam.d/system-auth passed because these items were not found:

Object oval:ssg-object_accounts_password_pam_pwhistory_remember:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/system-auth	^\spassword\s+(?:(?:requisite)\|(?:required))\s+pam_pwhistory\.so.remember=([0-9]).$	1

State oval:ssg-state_accounts_password_pam_unix_remember:ste:1 of type textfilecontent54_state

Subexpression
5

Set PAM's Password Hashing Algorithm

Rule ID xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27104-9

References: RHEL-07-010200, SV-86543r1_rule, IA-5(b), IA-5(c), IA-5(1)(c), IA-7, CCI-000196, SRG-OS-000073-GPOS-00041, Req-8.2.1, 6.3.1, 5.6.2.2, 3.13.11

Description

The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/system-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:

password    sufficient    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.

Rationale

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.

OVAL details

check /etc/pam.d/system-auth for correct settings passed because of these items:

Path	Content
/etc/pam.d/system-auth	password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5

Set Password Hashing Algorithm in /etc/login.defs

Rule ID xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27124-7

References: RHEL-07-010210, SV-86545r1_rule, IA-5(b), IA-5(c), IA-5(1)(c), IA-7, CCI-000196, SRG-OS-000073-GPOS-00041, Req-8.2.1, 6.3.1, 5.6.2.2, 3.13.11

Description

In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:

ENCRYPT_METHOD SHA512

Rationale

OVAL details

The value of ENCRYPT_METHOD should be set appropriately in /etc/login.defs passed because of these items:

Var ref	Value
oval:ssg-variable_last_encrypt_method_instance_value:var:1	SHA512

Set Password Hashing Algorithm in /etc/libuser.conf

Rule ID xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27053-8

References: RHEL-07-010220, SV-86547r2_rule, IA-5(b), IA-5(c), IA-5(1)(c), IA-7, CCI-000196, SRG-OS-000073-GPOS-00041, Req-8.2.1, 5.6.2.2, 3.13.11

Description

In /etc/libuser.conf, add or correct the following line in its [defaults] section to ensure the system will use the SHA-512 algorithm for password hashing:

crypt_style = sha512

Rationale

OVAL details

The password hashing algorithm should be set correctly in /etc/libuser.conf passed because of these items:

Path	Content
/etc/libuser.conf	crypt_style = sha512

Set Last Logon/Access Notification

Rule ID xccdf_org.ssgproject.content_rule_display_login_attempts

Result

pass

Time 2018-04-30T04:25:29

Severity low

Identifiers and References

Identifiers: CCE-27275-7

References: RHEL-07-040530, SV-86899r1_rule, AC-9, CCI-000366, Req-10.2.4, SRG-OS-000480-GPOS-00227, 5.5.2

Description

To configure the system to notify users of last logon/access using pam_lastlog, add or correct the pam_lastlog settings in /etc/pam.d/postlogin to read as follows:

session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]   pam_lastlog.so nowtmp showfailed
session     optional      pam_lastlog.so silent noupdate showfailed

Rationale

Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.

OVAL details

Check the pam_lastlog configuration of /etc/pam.d/postlogin passed because of these items:

Path	Content
/etc/pam.d/postlogin	session [default=1] pam_lastlog.so nowtmp showfailed session optional pam_lastlog.so silent noupdate showfailed

Ensure the Default Umask is Set Correctly in login.defs

Rule ID xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs

Result

pass

Time 2018-04-30T04:25:29

Severity low

Identifiers and References

Identifiers: CCE-80205-8

References: RHEL-07-020240, SV-86619r1_rule, CM-6(b), SA-8, CCI-000366, SRG-OS-000480-GPOS-00228

Description

To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows:

UMASK 077

Rationale

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.

OVAL details

Test the retrieved /etc/login.defs umask value(s) match the var_accounts_user_umask requirement passed because of these items:

Var ref	Value
oval:ssg-var_etc_login_defs_umask_as_number:var:1	63

Ensure the Default Umask is Set Correctly For Interactive Users

Rule ID	xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80536-6 References: CCI-001814, SRG-OS-000480-GPOS-00227, RHEL-07-021040, SV-86673r1_rule
Description	Remove the `UMASK` environment variable from all interactive users initialization files.
Rationale	The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.
Evaluation messages info No candidate or applicable check found.

Ensure Home Directories are Created for New Users

Rule ID xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-80434-4

References: RHEL-07-020610, SV-86637r1_rule, SRG-OS-000480-GPOS-00227

Description

All local interactive user accounts, upon creation, should be assigned a home directory.

Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME parameter in /etc/login.defs to yes as follows:

CREATE_HOME yes

Rationale

If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.

OVAL details

Check value of CREATE_HOME in /etc/login.defs passed because of these items:

Path	Content
/etc/login.defs	CREATE_HOME yes # The permission mask is initialized to this value. If not specified,

Set Interactive Session Timeout

Rule ID xccdf_org.ssgproject.content_rule_accounts_tmout

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27557-8

References: RHEL-07-040160, SV-86847r2_rule, AC-12, SC-10, CCI-001133, CCI-000361, SRG-OS-000163-GPOS-00072, 3.1.11

Description

Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The TMOUT setting in /etc/profile should read as follows:

TMOUT=600

Rationale

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.

OVAL details

TMOUT in /etc/profile passed because of these items:

Path	Content
/etc/profile	TMOUT=600

TMOUT in /etc/profile.d/*.sh passed because these items were not found:

Object oval:ssg-object_etc_profiled_tmout:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/profile.d	^.*\.sh$	^[\s]TMOUT[\s]=[\s](.)[\s]*$	1

State oval:ssg-state_etc_profile_tmout:ste:1 of type textfilecontent54_state

Subexpression
600

Limit the Number of Concurrent Login Sessions Allowed Per User

Rule ID xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions

Result

pass

Time 2018-04-30T04:25:29

Severity low

Identifiers and References

Identifiers: CCE-27081-9

References: RHEL-07-040000, SV-86841r1_rule, AC-10, CCI-000054, SRG-OS-000027-GPOS-00008, 5.5.2.2

Description

Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in /etc/security/limits.conf:

* hard maxlogins 10

Rationale

Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.

OVAL details

the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf passed because these items were not found:

Object oval:ssg-object_etc_security_limitsd_conf_maxlogins:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/security/limits.d	^.*\.conf$	^[\s]\[\s]+(?:(?:hard)\|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$	1

State oval:ssg-state_maxlogins:ste:1 of type textfilecontent54_state

Subexpression
10

the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf passed because these items were not found:

Object oval:ssg-object_etc_security_limitsd_conf_maxlogins_exists:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/security/limits.d	^.*\.conf$	^[\s]\[\s]+(?:(?:hard)\|(?:-))[\s]+maxlogins	1

the value maxlogins should be set appropriately in /etc/security/limits.conf passed because of these items:

Path	Content
/etc/security/limits.conf	* hard maxlogins 10

Ensure the Logon Failure Delay is Set Correctly in login.defs

Rule ID xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay

Result

pass

Time 2018-04-30T04:25:29

Severity low

Identifiers and References

Identifiers: CCE-80352-8

References: RHEL-07-010430, SV-86575r1_rule, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00226

Description

To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:

FAIL_DELAY 4

Rationale

Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.

OVAL details

check FAIL_DELAY in /etc/login.defs passed because of these items:

Path	Content
/etc/login.defs	FAIL_DELAY 4

User Initialization Files Must Not Run World-Writable Programs

Rule ID	xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80523-4 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020730, SV-86661r1_rule
Description	Set the mode on files being executed by the user initialization files with the following command: $ sudo chmod 0755 FILE
Rationale	If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.
Evaluation messages info No candidate or applicable check found.

Ensure that Users Path Contains Only Local Directories

Rule ID	xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80524-2 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020720, SV-86659r2_rule
Description	Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory.
Rationale	The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the users home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).
Evaluation messages info No candidate or applicable check found.

Ensure All User Initialization Files Have Mode 0740 Or Less Permissive

Rule ID	xccdf_org.ssgproject.content_rule_file_permission_user_init_files
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80525-9 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020710, SV-86657r1_rule
Description	Set the mode of the user initialization files to `0740` with the following command: $ sudo chmod 0740 /home/USER/.INIT_FILE
Rationale	Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
Evaluation messages info No candidate or applicable check found.

User Initialization Files Must Be Group-Owned By The Primary User

Rule ID	xccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80526-7 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020700, SV-86655r2_rule
Description	Change the group owner of interactive users files to the group found in /etc/passwd for the user. To change the group owner of a local interactive user home directory, use the following command: $ sudo chgrp USER_GROUP /home/USER/.INIT_FILE
Rationale	Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
Evaluation messages info No candidate or applicable check found.

User Initialization Files Must Be Owned By the Primary User

Rule ID	xccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80527-5 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020690, SV-86653r1_rule
Description	Set the owner of the user initialization files for interactive users to the primary owner with the following command: $ sudo chown USER /home/USER/.*
Rationale	Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
Evaluation messages info No candidate or applicable check found.

All Interactive Users Must Have A Home Directory Defined

Rule ID	xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80528-3 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020600, SV-86635r1_rule
Description	Assign home directories to all interactive users that currently do not have a home directory assigned.
Rationale	If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
Evaluation messages info No candidate or applicable check found.

All Interactive Users Home Directories Must Exist

Rule ID	xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80529-1 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020620, SV-86639r1_rule
Description	Create home directories to all interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in `/etc/passwd`: $ sudo mkdir /home/USER
Rationale	If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.
Evaluation messages info No candidate or applicable check found.

All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_home_directories
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80530-9 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020630, SV-86641r1_rule
Description	Change the mode of interactive users home directories to `0750`. To change the mode of interactive users home directory, use the following command: $ sudo chmod 0750 /home/USER
Rationale	Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
Evaluation messages info No candidate or applicable check found.

All Interactive User Home Directories Must Be Owned By The Primary User

Rule ID	xccdf_org.ssgproject.content_rule_file_ownership_home_directories
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80531-7 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020640, SV-86643r2_rule
Description	Change the owner of interactive users home directories to that correct owner. To change the owner of a interactive users home directory, use the following command: $ sudo chown USER /home/USER
Rationale	If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.
Evaluation messages info No candidate or applicable check found.

All Interactive User Home Directories Must Be Group-Owned By The Primary User

Rule ID	xccdf_org.ssgproject.content_rule_file_groupownership_home_directories
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80532-5 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020650, SV-86645r2_rule
Description	Change the group owner of interactive users home directory to the group found in `/etc/passwd`. To change the group owner of interactive users home directory, use the following command: $ sudo chgrp USER_GROUP /home/USER
Rationale	If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should.
Evaluation messages info No candidate or applicable check found.

All User Files and Directories In The Home Directory Must Be Owned By The Primary User

Rule ID	xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80533-3 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020660, SV-86647r1_rule
Description	Change the owner of a interactive users files and directories to that owner. To change the of a local interactive users files and directories, use the following command: $ sudo chown -R USER /home/USER
Rationale	If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.
Evaluation messages info No candidate or applicable check found.

All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User

Rule ID	xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80534-1 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020670, SV-86649r1_rule
Description	Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories, use the following command: $ sudo chgrp USER_GROUP /home/USER/FILE_DIR
Rationale	If a local interactive users files are group-owned by a group of which the user is not a member, unintended users may be able to access them.
Evaluation messages info No candidate or applicable check found.

All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive

Rule ID	xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80535-8 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020680, SV-86651r1_rule
Description	Set the mode on files and directories in the local interactive user home directory with the following command: $ sudo chmod 0750 /home/USER/FILE_DIR
Rationale	If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.
Evaluation messages info No candidate or applicable check found.

Set Boot Loader Password

Rule ID xccdf_org.ssgproject.content_rule_bootloader_password

Result

fail

Time 2018-04-30T04:25:29

Severity high

Identifiers and References

Identifiers: CCE-27309-4

References: RHEL-07-010480, SV-86585r1_rule, IA-2(1), IA-5(e), AC-3, CCI-000213, SRG-OS-000080-GPOS-00048, 1.4.2, 3.4.5

Description

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

To do so, select a superuser account and password and add them into the /etc/grub.d/01_users configuration file.

Since plaintext passwords are a security risk, generate a hash for the pasword by running the following command:

$ grub2-mkpasswd-pbkdf2

When prompted, enter the password that was selected and insert the returned password hash into the /etc/grub.d/01_users configuration file immediately after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as the value of password-hash):

password_pbkdf2 superusers-account password-hash

NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account.

To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:

grub2-mkconfig -o /boot/grub2/grub.cfg

NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.

Rationale

Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html

Warnings

warning To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.

OVAL details

/boot/grub2/grub.cfg does not exist failed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/boot/grub2/grub.cfg	regular	0	0	4167	`rw-r--r--`

make sure a password is defined in /boot/grub2/grub.cfg failed because these items were missing:

Object oval:ssg-object_bootloader_password:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/boot/grub2/grub.cfg	^[\s]password_pbkdf2[\s]+.[\s]+grub\.pbkdf2\.sha512.*$	1

superuser is defined in /boot/grub2/grub.cfg files. Superuser is not root, admin, or administrator failed because these items were missing:

Object oval:ssg-object_bootloader_superuser:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/boot/grub2/grub.cfg	^[\s]set[\s]+superusers=\"(?i)(?!root\|admin\|administrator)(?-i).\"$	1

Set the UEFI Boot Loader Password

Rule ID xccdf_org.ssgproject.content_rule_bootloader_uefi_password

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-80354-4

References: RHEL-07-010490, SV-86587r1_rule, AC-3, CCI-000213, SRG-OS-000080-GPOS-00048, 3.4.5, 1.4.2

Description

The UEFI grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

To do so, select a superuser account and password and add them into the /etc/grub.d/01_users configuration file.

Since plaintext passwords are a security risk, generate a hash for the pasword by running the following command:

$ grub2-mkpasswd-pbkdf2

password_pbkdf2 superusers-account password-hash

grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.

Rationale

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html

Warnings

OVAL details

/boot/efi/EFI/redhat/grub.cfg does not exist passed because these items were not found:

Object oval:ssg-object_bootloader_uefi_grub_cfg:obj:1 of type file_object

Filepath
/boot/efi/EFI/(redhat\|fedora)/grub.cfg

make sure a password is defined in /boot/efi/EFI/redhat/grub.cfg passed because these items were not found:

Object oval:ssg-object_bootloader_uefi_password:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/boot/efi/EFI/(redhat\|fedora)/grub.cfg	^[\s]password_pbkdf2[\s]+.[\s]+grub\.pbkdf2\.sha512.*$	1

superuser is defined in /boot/efi/EFI/redhat/grub.cfg. Superuser is not root, admin, or administrator passed because these items were not found:

Object oval:ssg-object_bootloader_uefi_superuser:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/boot/efi/EFI/(redhat\|fedora)/grub.cfg	^[\s]set[\s]+superusers=\"(?i)(?!root\|admin\|administrator)(?-i).\"$	1

Boat Loader Is Not Installed On Removeable Media

Rule ID	xccdf_org.ssgproject.content_rule_bootloader_no_removeable_media
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80517-6 References: CCI-001814, SRG-OS-000364-GPOS-00151, RHEL-07-021700, SV-86699r1_rule
Description	The system must not allow removable media to be used as the boot loader. Remove alternate methods of booting the system from removable media. `usb0`, `cd`, `fd0`, etc. are some examples of removeable media which should not exist in the line: set root='hd0,msdos1'
Rationale	Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader.
Evaluation messages info No candidate or applicable check found.

Install the screen Package

Rule ID xccdf_org.ssgproject.content_rule_package_screen_installed

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27351-6

References: RHEL-07-010090, SV-86521r1_rule, AC-11(a), CCI-000057, SRG-OS-000029-GPOS-00010, 3.1.10

Description

To enable console screen locking, install the screen package:

$ sudo yum install screen

Instruct users to begin new terminal sessions with the following command:

$ screen

The console can now be locked with the following key combination:

ctrl+a x

Rationale

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but des not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.

The screen package allows for a session lock to be implemented and configured.

OVAL details

package screen is installed passed because of these items:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
screen	x86_64	(none)	0.25.20120314git3c2946.el7	4.1.0	0:4.1.0-0.25.20120314git3c2946.el7	199e2f91fd431d51	screen-0:4.1.0-0.25.20120314git3c2946.el7.x86_64

Install Smart Card Packages For Multifactor Authentication

Rule ID	xccdf_org.ssgproject.content_rule_install_smartcard_packages
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80519-2 References: CCI-001954, SRG-OS-000375-GPOS-00160, RHEL-07-041001, SV-87041r2_rule
Description	Configure the operating system to implement multifactor authentication by installing the required packages with the following command: $ sudo yum install esc pam_pkcs11 authconfig-gtk
Rationale	Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
Evaluation messages info No candidate or applicable check found.

Configure Smart Card Certificate Status Checking

Rule ID	xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking
Result	notchecked
Time	2018-04-30T04:25:29
Severity	medium
Identifiers and References	Identifiers: CCE-80520-0 References: CCI-001954, SRG-OS-000375-GPOS-00160, RHEL-07-041003, SV-87057r2_rule
Description	Configure the operating system to do certificate status checking for PKI authentication. Modify all of the `cert_policy` lines in `/etc/pam_pkcs11/pam_pkcs11.conf` to include `ocsp_on` like so: cert_policy = ca, ocsp_on, signature;
Rationale	Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
Evaluation messages info No candidate or applicable check found.

Enable Smart Card Login

Rule ID

xccdf_org.ssgproject.content_rule_smartcard_auth

Result

pass

Time

2018-04-30T04:25:30

Severity

medium

Identifiers and References

Identifiers: CCE-80207-4

References: RHEL-07-010500, SV-86589r1_rule, IA-2(2), CCI-000765, CCI-000766, CCI-000767, CCI-000768, CCI-000771, CCI-000772, CCI-000884, Req-8.3, SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058

Description

To enable smart card authentication, consult the documentation at:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards

For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at:

https://access.redhat.com/solutions/82273

Rationale

OVAL details

Test ocsp_on in /etc/pam_pkcs11/pkcs11.conf passed because of these items:

Path	Content
/etc/pam_pkcs11/pam_pkcs11.conf	cert_policy = ca, signature, ocsp_on;
/etc/pam_pkcs11/pam_pkcs11.conf	cert_policy = ca, signature, ocsp_on;
/etc/pam_pkcs11/pam_pkcs11.conf	cert_policy = ca, signature, ocsp_on;

Test smartcard authentication is enabled in /etc/pam.d/system-auth file passed because of these items:

Path	Content
/etc/pam.d/system-auth	auth required pam_env.so auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug

Test smartcard authentication is required in /etc/pam.d/system-auth file passed because these items were not found:

Object oval:ssg-object_smart_card_required_system_auth:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
\nauth[\s]+required[\s]+pam_env.so\nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s]login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid\nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s]pam_pkcs11.so[\s]nodebug[\s]wait_for_card\n	no value	/etc/pam.d/system-auth	1

Test smartcard authentication is required in /etc/pam.d/smartcard-auth file passed because of these items:

Path	Content
/etc/pam.d/smartcard-auth	auth required pam_env.so auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account required pam_permit.so password required pam_pkcs11.so

Require Authentication for Single User Mode

Rule ID xccdf_org.ssgproject.content_rule_require_singleuser_auth

Result

pass

Time 2018-04-30T04:25:29

Severity medium

Identifiers and References

Identifiers: CCE-27287-2

References: IA-2(1), AC-3, CCI-000213, 3.1.1, 3.4.5, 1.4.3, SRG-OS-000080-GPOS-00048, RHEL-07-010481

Description

Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected.

By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service.

Rationale

This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

OVAL details

Tests that /sbin/sulogin was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode passed because of these items:

Path	Content
/usr/lib/systemd/system/rescue.service	ExecStart=-/bin/sh -c "/usr/sbin/sulogin

Tests that the systemd rescue.service is in the runlevel1.target passed because of these items:

Path	Content
/usr/lib/systemd/system/runlevel1.target	Requires=sysinit.target rescue.service

look for runlevel1.target in /etc/systemd/system passed because these items were not found:

Object oval:ssg-object_no_custom_runlevel1_target:obj:1 of type file_object

Behaviors	Path	Filename
no value	/etc/systemd/system	^runlevel1.target$

look for rescue.service in /etc/systemd/system passed because these items were not found:

Object oval:ssg-object_no_custom_rescue_service:obj:1 of type file_object

Behaviors	Path	Filename
no value	/etc/systemd/system	^rescue.service$

Disable Ctrl-Alt-Del Reboot Activation

Rule ID xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot

Result

pass

Time 2018-04-30T04:25:29

Severity high

Identifiers and References

Identifiers: CCE-27511-5

References: RHEL-07-020230, SV-86617r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.4.5

Description

By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following:

ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target

systemctl mask ctrl-alt-del.target

Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates.

Rationale

A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

Warnings

warning Disabling the Ctrl-Alt-Del key sequence with SystemD DOES NOT disable the Ctrl-Alt-Del key sequence if running in graphical.target mode (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical multi-user.target mode.

OVAL details

Disable Ctrl-Alt-Del key sequence override exists passed because of these items:

Filepath	Canonical path
/etc/systemd/system/ctrl-alt-del.target	/dev/null

Enable GNOME3 Login Warning Banner

Rule ID xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-26970-4

References: RHEL-07-010030, SV-86483r2_rule, AC-8(a), AC-8(b), AC-8(c)(1), AC-8(c)(2), AC-8(c)(3), CCI-000048, OS-SRG-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088, 3.1.9

Description

In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting banner-message-enable to true.

To enable, add or edit banner-message-enable to /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
banner-message-enable=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/login-screen/banner-message-enable

After the settings have been set, run dconf update. The banner text must also be set.

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

OVAL details

GUI banner is enabled passed because these items were not found:

Object oval:ssg-obj_banner_gui_enabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/gdm.d/	^.*$	^\[org/gnome/login-screen]([^\n]*\n+)+?banner-message-enable=true$	1

GUI banner cannot be changed by user passed because these items were not found:

Object oval:ssg-obj_prevent_user_banner_gui_enabled_change:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/gdm.d/locks/	^.*$	^/org/gnome/login-screen/banner-message-enable$	1

Set the GNOME3 Login Warning Banner Text

Rule ID xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-26892-0

References: RHEL-07-010040, SV-86485r2_rule, AC-8(a), AC-8(b), AC-8(c), CCI-000048, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088, 3.1.9

Description

In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on the login screen by setting banner-message-text to string 'APPROVED_BANNER' where APPROVED_BANNER is the approved banner for your environment.

To enable, add or edit banner-message-text to /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
banner-message-text=string 'APPROVED_BANNER'

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/login-screen/banner-message-text

After the settings have been set, run dconf update. When entering a warning banner that spans several lines, remember to begin and end the string with ' and use \n for new lines.

Rationale

An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.

OVAL details

GUI banner cannot be changed by user passed because these items were not found:

Object oval:ssg-obj_prevent_user_banner_change:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/gdm.d/locks/	^.*$	^/org/gnome/login-screen/banner-message-text$	1

login banner text is correctly set passed because these items were not found:

Object oval:ssg-obj_gdm_login_banner_text_setting:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/dconf/db/gdm.d/	^.*$	^banner-message-text=string[\s']([^'])	1

State oval:ssg-state_gdm_login_banner_text_setting:ste:1 of type textfilecontent54_state

Subexpression
^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+$USG$[\s\n]+Information[\s\n]+System[\s\n]+$IS$[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+$which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS$,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]-[\s\n]The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+$PM$,[\s\n]+law[\s\n]+enforcement[\s\n]+$LE$,[\s\n]+and[\s\n]+counterintelligence[\s\n]+$CI$[\s\n]+investigations.[\s\n]-[\s\n]At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]-[\s\n]Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]-[\s\n]This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+$e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls$[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.\|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.)$

Modify the System Login Banner

Rule ID xccdf_org.ssgproject.content_rule_banner_etc_issue

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-27303-7

References: RHEL-07-010050, SV-86487r1_rule, AC-8(a), AC-8(b), AC-8(c)(1), AC-8(c)(2), AC-8(c)(3), CCI-000048, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, 1.7.1.2, 3.1.9

Description

To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

OR:

I've read & consent to terms in IS user agreem't.

Rationale

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

OVAL details

correct banner in /etc/issue passed because of these items:

Path	Content
/etc/issue	You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

Disable Kernel Parameter for Sending ICMP Redirects by Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects
Result	pass
Time	2018-04-30T04:25:30
Severity	medium
Identifiers and References	Identifiers: CCE-80156-3 References: RHEL-07-040650, SV-86915r2_rule, AC-4, CM-7, SC-5, SC-7, CCI-000366, 3.1.2, SRG-OS-000480-GPOS-00227, 5.10.1.1, 3.1.20
Description	To set the runtime status of the `net.ipv4.conf.default.send_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0 If this is not the system's default value, add the following line to `/etc/sysctl.conf`: net.ipv4.conf.default.send_redirects = 0
Rationale	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects
Result	pass
Time	2018-04-30T04:25:30
Severity	medium
Identifiers and References	Identifiers: CCE-80156-3 References: RHEL-07-040660, SV-86917r2_rule, AC-4, CM-7, SC-5(1), CCI-000366, 3.1.2, SRG-OS-000480-GPOS-00227, 5.10.1.1, 3.1.20
Description	To set the runtime status of the `net.ipv4.conf.all.send_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0 If this is not the system's default value, add the following line to `/etc/sysctl.conf`: net.ipv4.conf.all.send_redirects = 0
Rationale	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.

Disable Kernel Parameter for IP Forwarding

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward
Result	pass
Time	2018-04-30T04:25:30
Severity	medium
Identifiers and References	Identifiers: CCE-80157-1 References: RHEL-07-040740, SV-86933r1_rule, CM-7, SC-5, SC-32, CCI-000366, 3.1.1, SRG-OS-000480-GPOS-00227, 3.1.20
Description	To set the runtime status of the `net.ipv4.ip_forward` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0 If this is not the system's default value, add the following line to `/etc/sysctl.conf`: net.ipv4.ip_forward = 0
Rationale	Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.

Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route
Result	pass
Time	2018-04-30T04:25:30
Severity	medium
Identifiers and References	Identifiers: CCE-27434-0 References: RHEL-07-040610, SV-86907r1_rule, AC-4, CM-7, SC-5, CCI-000366, SRG-OS-000480-GPOS-00227, 3.2.1, 3.1.20
Description	To set the runtime status of the `net.ipv4.conf.all.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0 If this is not the system's default value, add the following line to `/etc/sysctl.conf`: net.ipv4.conf.all.accept_source_route = 0
Rationale	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
Result	pass
Time	2018-04-30T04:25:30
Severity	medium
Identifiers and References	Identifiers: CCE-80158-9 References: RHEL-07-040641, SV-87827r2_rule, CM-6(d), CM-7, SC-5, CCI-000366, CCI-001503, CCI-001551, 3.2.2, SRG-OS-000480-GPOS-00227, 5.10.1.1, 3.1.20
Description	To set the runtime status of the `net.ipv4.conf.all.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 If this is not the system's default value, add the following line to `/etc/sysctl.conf`: net.ipv4.conf.all.accept_redirects = 0
Rationale	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.

Configure Kernel Parameter for Accepting Source-Routed Packets By Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
Result	pass
Time	2018-04-30T04:25:30
Severity	medium
Identifiers and References	Identifiers: CCE-80162-1 References: RHEL-07-040620, SV-86909r1_rule, AC-4, CM-7, SC-5, SC-7, CCI-000366, CCI-001551, SRG-OS-000480-GPOS-00227, 3.2.1, 5.10.1.1, 3.1.20
Description	To set the runtime status of the `net.ipv4.conf.default.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0 If this is not the system's default value, add the following line to `/etc/sysctl.conf`: net.ipv4.conf.default.accept_source_route = 0
Rationale	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.

Configure Kernel Parameter for Accepting ICMP Redirects By Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
Result	pass
Time	2018-04-30T04:25:30
Severity	medium
Identifiers and References	Identifiers: CCE-80163-9 References: RHEL-07-040640, SV-86913r2_rule, AC-4, CM-7, SC-5, SC-7, CCI-001551, 3.2.2, SRG-OS-000480-GPOS-00227, 5.10.1.1, 3.1.20
Description	To set the runtime status of the `net.ipv4.conf.default.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0 If this is not the system's default value, add the following line to `/etc/sysctl.conf`: net.ipv4.conf.default.accept_redirects = 0
Rationale	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.

Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts
Result	pass
Time	2018-04-30T04:25:30
Severity	medium
Identifiers and References	Identifiers: CCE-80165-4 References: RHEL-07-040630, SV-86911r1_rule, AC-4, CM-7, SC-5, CCI-000366, SRG-OS-000480-GPOS-00227, 3.2.5, 5.10.1.1, 3.1.20
Description	To set the runtime status of the `net.ipv4.icmp_echo_ignore_broadcasts` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 If this is not the system's default value, add the following line to `/etc/sysctl.conf`: net.ipv4.icmp_echo_ignore_broadcasts = 1
Rationale	Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

Deactivate Wireless Network Interfaces

Rule ID

xccdf_org.ssgproject.content_rule_wireless_disable_interfaces

Result

pass

Time

2018-04-30T04:25:30

Severity

low

Identifiers and References

Identifiers: CCE-27358-1

References: AC-17(8), AC-18(a), AC-18(d), AC-18(3), CM-7, CCI-000085, CCI-002418, 4.3.1, 3.1.16, SRG-OS-000424-GPOS-00188, RHEL-07-041010, SV-87829r1_rule

Description

Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

Configure the system to disable all wireless network interfaces with the following command:

$ sudo nmcli radio wifi off

Rationale

The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.

OVAL details

query /proc/net/wireless passed because these items were not found:

Object oval:ssg-object_wireless_disable_interfaces:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/proc/net/wireless	^\s*[-\w]+:	1

Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
Result	pass
Time	2018-04-30T04:25:30
Severity	medium
Identifiers and References	Identifiers: CCE-80179-5 References: RHEL-07-040830, SV-86943r1_rule, AC-4, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.20
Description	To set the runtime status of the `net.ipv6.conf.all.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0 If this is not the system's default value, add the following line to `/etc/sysctl.conf`: net.ipv6.conf.all.accept_source_route = 0
Rationale	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Verify firewalld Enabled

Rule ID xccdf_org.ssgproject.content_rule_service_firewalld_enabled

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-27361-5

References: RHEL-07-040520, SV-86897r1_rule, CM-6(b), CCI-000366, 4.7, SRG-OS-000480-GPOS-00227, 3.1.3, 3.4.7

Description

The firewalld service can be enabled with the following command:

$ sudo systemctl enable firewalld.service

Rationale

Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.

OVAL details

Test that the firewalld service is running passed because of these items:

Unit	Property	Value
firewalld.service	ActiveState	active

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	systemd-machine-id-commit.service	cryptsetup.target	systemd-journal-flush.service	dev-mqueue.mount	systemd-journald.service	sys-kernel-config.mount	local-fs.target	home.mount	var.mount	var-log-audit.mount	-.mount	tmp.mount	boot.mount	rhel-readonly.service	systemd-remount-fs.service	systemd-firstboot.service	dev-hugepages.mount	rhel-loadmodules.service	systemd-udev-trigger.service	systemd-binfmt.service	sys-kernel-debug.mount	systemd-update-utmp.service	systemd-udevd.service	systemd-tmpfiles-setup.service	kmod-static-nodes.service	systemd-sysctl.service	sys-fs-fuse-connections.mount	systemd-ask-password-console.path	lvm2-lvmpolld.socket	rhel-autorelabel.service	plymouth-read-write.service	swap.target	systemd-update-done.service	systemd-vconsole-setup.service	systemd-random-seed.service	lvm2-monitor.service	systemd-tmpfiles-setup-dev.service	plymouth-start.service	lvm2-lvmetad.socket	proc-sys-fs-binfmt_misc.automount	rhel-domainname.service	systemd-journal-catalog-update.service	systemd-hwdb-update.service	systemd-modules-load.service	rhel-import-state.service	microcode.service	rhel-dmesg.service	selinux-policy-migrate-local-changes@targeted.service	slices.target	-.slice	system.slice	paths.target	sockets.target	dm-event.socket	dbus.socket	pcscd.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	systemd-shutdownd.socket	systemd-udevd-kernel.socket	timers.target	systemd-tmpfiles-clean.timer	rhel-configure.service	irqbalance.service	postfix.service	systemd-user-sessions.service	tuned.service	plymouth-quit-wait.service	dbus.service	rsyslog.service	kdump.service	systemd-readahead-replay.service	brandbot.path	systemd-ask-password-wall.path	network.service	remote-fs.target	rhnsd.service	rhsmcertd.service	plymouth-quit.service	firewalld.service	sshd.service	crond.service	NetworkManager.service	getty.target	getty@tty1.service	systemd-update-utmp-runlevel.service	chronyd.service	auditd.service	systemd-readahead-collect.service	systemd-logind.service

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	systemd-machine-id-commit.service	cryptsetup.target	systemd-journal-flush.service	dev-mqueue.mount	systemd-journald.service	sys-kernel-config.mount	local-fs.target	home.mount	var.mount	var-log-audit.mount	-.mount	tmp.mount	boot.mount	rhel-readonly.service	systemd-remount-fs.service	systemd-firstboot.service	dev-hugepages.mount	rhel-loadmodules.service	systemd-udev-trigger.service	systemd-binfmt.service	sys-kernel-debug.mount	systemd-update-utmp.service	systemd-udevd.service	systemd-tmpfiles-setup.service	kmod-static-nodes.service	systemd-sysctl.service	sys-fs-fuse-connections.mount	systemd-ask-password-console.path	lvm2-lvmpolld.socket	rhel-autorelabel.service	plymouth-read-write.service	swap.target	systemd-update-done.service	systemd-vconsole-setup.service	systemd-random-seed.service	lvm2-monitor.service	systemd-tmpfiles-setup-dev.service	plymouth-start.service	lvm2-lvmetad.socket	proc-sys-fs-binfmt_misc.automount	rhel-domainname.service	systemd-journal-catalog-update.service	systemd-hwdb-update.service	systemd-modules-load.service	rhel-import-state.service	microcode.service	rhel-dmesg.service	selinux-policy-migrate-local-changes@targeted.service	slices.target	-.slice	system.slice	paths.target	sockets.target	dm-event.socket	dbus.socket	pcscd.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	systemd-shutdownd.socket	systemd-udevd-kernel.socket	timers.target	systemd-tmpfiles-clean.timer	rhel-configure.service	irqbalance.service	postfix.service	systemd-user-sessions.service	tuned.service	plymouth-quit-wait.service	dbus.service	rsyslog.service	kdump.service	systemd-readahead-replay.service	brandbot.path	systemd-ask-password-wall.path	network.service	remote-fs.target	rhnsd.service	rhsmcertd.service	plymouth-quit.service	firewalld.service	sshd.service	crond.service	NetworkManager.service	getty.target	getty@tty1.service	systemd-update-utmp-runlevel.service	chronyd.service	auditd.service	systemd-readahead-collect.service	systemd-logind.service

Set Default firewalld Zone for Incoming Packets

Rule ID xccdf_org.ssgproject.content_rule_set_firewalld_default_zone

Result

fail

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-27349-0

References: RHEL-07-040810, SV-86939r1_rule, CM-6(b), CM-7, CCI-000366, SRG-OS-000480-GPOS-00227, 5.10.1, 3.1.3, 3.4.7, 3.13.6

Description

To set the default zone to drop for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in /etc/firewalld/firewalld.conf to be:

DefaultZone=drop

Rationale

In firewalld the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to drop implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.

OVAL details

Check /etc/firewalld/firewalld.conf DefaultZone for drop failed because these items were missing:

Object oval:ssg-obj_firewalld_input_drop:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/firewalld/firewalld.conf	^DefaultZone=drop$	1

Configure firewalld To Rate Limit Connections

Rule ID	xccdf_org.ssgproject.content_rule_configure_firewalld_rate_limiting
Result	notchecked
Time	2018-04-30T04:25:30
Severity	medium
Identifiers and References	Identifiers: CCE-80542-4 References: CCI-002385, SRG-OS-000420-GPOS-00186, RHEL-07-040510, SV-86895r1_rule
Description	Create a direct firewall rule to protect against DoS attacks with the following command: $ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
Rationale	DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
Evaluation messages info No candidate or applicable check found.

Configure the Firewalld Ports

Rule ID	xccdf_org.ssgproject.content_rule_configure_firewalld_ports
Result	pass
Time	2018-04-30T04:25:30
Severity	medium
Identifiers and References	Identifiers: CCE-80447-6 References: RHEL-07-040100, SV-86843r1_rule, CM-7, CM-7.1(iii), CM-7(b), AC-17(1), CCI-000382, CCI-002314, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115
Description	Configure the `firewalld` ports to allow approved services to have access to the system. To configure `firewalld` to open ports, run the following command: $ sudo firewall-cmd --permanent --add-port=port_number/tcp or $ sudo firewall-cmd --permanent --add-port=service_name Run the command list above for each of the ports listed below: To configure `firewalld` to allow access, run the following command(s): `firewall-cmd --permanent --add-service=ssh`
Rationale	In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.

Disable DCCP Support

Rule ID xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-26828-4

References: CM-7, CCI-001958, 3.5.1, 5.10.1, 3.4.6, RHEL-07-020101

Description

The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the dccp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install dccp /bin/true

Rationale

Disabling DCCP protects the system against exploitation of any flaws in its implementation.

OVAL details

kernel module dccp disabled passed because of these items:

Path	Content
/etc/modprobe.d/dccp.conf	install dccp /bin/true

kernel module dccp disabled in /etc/modprobe.conf passed because these items were not found:

Object oval:ssg-obj_kernmod_dccp_modprobeconf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/modprobe.conf	^\s*install\s+dccp\s+(/bin/false\|/bin/true)$	1

kernel module dccp disabled in /etc/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_dccp_etcmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/modules-load.d	^.*\.conf$	^\s*install\s+dccp\s+(/bin/false\|/bin/true)$	1

kernel module dccp disabled in /run/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_dccp_runmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/modules-load.d	^.*\.conf$	^\s*install\s+dccp\s+(/bin/false\|/bin/true)$	1

kernel module dccp disabled in /usr/lib/modules-load.d passed because these items were not found:

Object oval:ssg-obj_kernmod_dccp_libmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/modules-load.d	^.*\.conf$	^\s*install\s+dccp\s+(/bin/false\|/bin/true)$	1

Verify Any Configured IPSec Tunnel Connections

Rule ID	xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels
Result	notchecked
Time	2018-04-30T04:25:30
Severity	medium
Identifiers and References	Identifiers: CCE-80171-2 References: RHEL-07-040820, SV-86941r1_rule, AC-4, CCI-000336, SRG-OS-000480-GPOS-00227
Description	Libreswan provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be used to circumvent certain network requirements such as filtering. Verify that if any IPsec connection (`conn`) configured in `/etc/ipsec.conf` and `/etc/ipsec.d` exists is an approved organizational connection.
Rationale	IP tunneling mechanisms can be used to bypass network filtering.
Evaluation messages info No candidate or applicable check found.

Configure Multiple DNS Servers in /etc/resolv.conf

Rule ID xccdf_org.ssgproject.content_rule_network_configure_name_resolution

Result

fail

Time 2018-04-30T04:25:30

Severity low

Identifiers and References

Identifiers: CCE-80438-5

References: RHEL-07-040600, SV-86905r1_rule, SC-22, CCI-000366, SRG-OS-000480-GPOS-00227

Description

Multiple Domain Name System (DNS) Servers should be configured in /etc/resolv.conf. This provides redundant name resolution services in the event that a domain server crashes. To configure the system to contain as least 2 DNS servers, add a corresponding nameserver ip_address entry in /etc/resolv.conf for each DNS server where ip_address is the IP address of a valid DNS server. For example:

search example.com
nameserver 192.168.0.1
nameserver 192.168.0.2

Rationale

To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.

OVAL details

check if more than one nameserver in /etc/resolv.conf failed because these items were missing:

Object oval:ssg-obj_network_configure_name_resolution:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/resolv.conf	^[\s]*nameserver[\s]+([0-9\.]+)$	1

Ensure System is Not Acting as a Network Sniffer

Rule ID

xccdf_org.ssgproject.content_rule_network_sniffer_disabled

Result

pass

Time

2018-04-30T04:25:30

Severity

medium

Identifiers and References

Identifiers: CCE-80174-6

References: RHEL-07-040670, SV-86919r1_rule, CM-7, CM-7(2).1(i), MA-3, CCI-000366, SRG-OS-000480-GPOS-00227

Description

The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode:

$ ip link | grep PROMISC

Rationale

Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems.

If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.

OVAL details

check all network interfaces for PROMISC flag passed because these items were not found:

Object oval:ssg-object_promisc_interfaces:obj:1 of type interface_object

Name	Filter
^.*$	oval:ssg-state_promisc:ste:1

State oval:ssg-state_promisc:ste:1 of type interface_state

Flag
PROMISC

Ensure cron Is Logging To Rsyslog

Rule ID xccdf_org.ssgproject.content_rule_rsyslog_cron_logging

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80380-9

References: RHEL-07-021100, SV-86675r1_rule, AU-2(d), CCI-000366, SRG-OS-000480-GPOS-00227

Description

Cron logging must be implemented to spot intrusions or trace cron job status. If cron is not logging to rsyslog, it can be implemented by adding the following to the RULES section of /etc/rsyslog.conf:

cron.*                                                  /var/log/cron

Rationale

Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.

OVAL details

cron is configured in /etc/rsyslog.conf passed because of these items:

Path	Content
/etc/rsyslog.conf	cron.* /var/log/cron

cron is configured in /etc/rsyslog.d passed because these items were not found:

Object oval:ssg-obj_cron_logging_rsyslog_dir:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/rsyslog.d	^.*$	^[\s]cron\.\[\s]*/var/log/cron$	1

Ensure Logs Sent To Remote Host

Rule ID xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost

Result

pass

Time 2018-04-30T04:25:30

Severity low

Identifiers and References

Identifiers: CCE-27343-3

References: RHEL-07-031000, SV-86833r1_rule, AU-3(2), AU-4(1), AU-9, CCI-000366, CCI-001348, CCI-000136, CCI-001851, 4.2.1.4, SRG-OS-000480-GPOS-00227

Description

To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting loghost.example.com appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:

*.* @loghost.example.com

To use TCP for log message delivery:

*.* @@loghost.example.com

To use RELP for log message delivery:

*.* :omrelp:loghost.example.com

There must be a resolvable DNS CNAME or Alias record set to "logcollector" for logs to be sent correctly to the centralized logging utility.

Rationale

A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.

OVAL details

Ensures system configured to export logs to remote host passed because of these items:

Path	Content
/etc/rsyslog.conf	. @

Ensures system configured to export logs to remote host passed because these items were not found:

Object oval:ssg-object_remote_loghost_rsyslog_d:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/rsyslog.d	.*	^\\.\[\s]+(?:@\|\:omrelp\:)	1

Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

Rule ID xccdf_org.ssgproject.content_rule_rsyslog_nolisten

Result

pass

Time 2018-04-30T04:25:30

Severity low

Identifiers and References

Identifiers: CCE-80192-8

References: RHEL-07-031010, SV-86835r1_rule, AU-9(2), AC-4, CM-6(c), CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, SRG-OS-000480-GPOS-00227

Description

The rsyslog daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure the following lines are not found in /etc/rsyslog.conf:

$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port

Rationale

Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network.

OVAL details

Ensure that the /etc/rsyslog.conf does not contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun passed because these items were not found:

Object oval:ssg-object_rsyslog_nolisten:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/rsyslog.conf	^[\s]*\$(?:Input(?:TCP\|RELP)\|UDP)ServerRun	1

Configure auditd space_left Action on Low Disk Space

Rule ID xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-27375-5

References: AU-1(b), AU-4, AU-5(1), AU-5(b), IR-5, CCI-001855, Req-10.7, 5.2.1.2, SRG-OS-000343-GPOS-00134, 030340, 5.4.1.1, 3.3.1

Description

The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:

space_left_action = ACTION

Possible values for ACTION are described in the auditd.conf man page. These include:

ignore
syslog
email
exec
suspend
single
halt

Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.

Rationale

Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

OVAL details

space left action passed because of these items:

Path	Content
/etc/audit/auditd.conf	space_left_action = email

Configure auditd space_left on Low Disk Space

Rule ID xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80537-4

References: AU-1(b), AU-4, AU-5(b), IR-5, CCI-001855, Req-10.7, RHEL-07-030330, SV-86713r1_rule, SRG-OS-000343-GPOS-00134

Description

The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting SIZE_in_MB appropriately:

space_left = SIZE_in_MB

Set this value to the appropriate size in Megabytes cause the system to notify the user of an issue.

Rationale

Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

OVAL details

admin space left action passed because of these items:

Path	Content
/etc/audit/auditd.conf	space_left = 100

Configure auditd mail_acct Action on Low Disk Space

Rule ID xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-27394-6

References: RHEL-07-030350, SV-86717r2_rule, AU-1(b), AU-4, AU-5(1), AU-5(a), IR-5, CCI-001855, Req-10.7.a, 5.2.1.2, SRG-OS-000343-GPOS-00134, 5.4.1.1, 3.3.1

Description

The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:

action_mail_acct = root

Rationale

Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.

OVAL details

email account for actions passed because of these items:

Path	Content
/etc/audit/auditd.conf	action_mail_acct = root

Configure audispd's Plugin network_failure_action On Network Failure

Rule ID	xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action
Result	notchecked
Time	2018-04-30T04:25:30
Severity	medium
Identifiers and References	Identifiers: CCE-80538-2 References: CCI-001851, SRG-OS-000342-GPOS-00133, RHEL-07-030321, SV-87815r2_rule
Description	Configure the action the operating system takes if there is an error sending audit records to a remote system. Edit the file `/etc/audisp/audisp-remote.conf`. Add or modify the following line, substituting ACTION appropriately: network_failure_action = ACTION Set this value to `single` to cause the system to switch to single user mode for corrective action. Acceptable values also include `syslog` and `halt`. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.
Rationale	Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.
Evaluation messages info No candidate or applicable check found.

Configure audispd's Plugin disk_full_action When Disk Is Full

Rule ID	xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action
Result	notchecked
Time	2018-04-30T04:25:30
Severity	medium
Identifiers and References	Identifiers: CCE-80539-0 References: CCI-001851, SRG-OS-000342-GPOS-00133, RHEL-07-030320, SV-86711r2_rule
Description	Configure the action the operating system takes if the disk the audit records are written to becomes full. Edit the file `/etc/audisp/audisp-remote.conf`. Add or modify the following line, substituting ACTION appropriately: disk_full_action = ACTION Set this value to `single` to cause the system to switch to single user mode for corrective action. Acceptable values also include `syslog` and `halt`. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.
Rationale	Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
Evaluation messages info No candidate or applicable check found.

Encrypt Audit Records Sent With audispd Plugin

Rule ID	xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records
Result	notchecked
Time	2018-04-30T04:25:30
Severity	medium
Identifiers and References	Identifiers: CCE-80540-8 References: CCI-001851, SRG-OS-000342-GPOS-00133, RHEL-07-030310, SV-86709r1_rule
Description	Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. Uncomment the `enable_krb5` option in /etc/audisp/audisp-remote.conf , and set it with the following line: enable_krb5 = yes
Rationale	Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Evaluation messages info No candidate or applicable check found.

Configure audispd Plugin To Send Logs To Remote Server

Rule ID	xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server
Result	notchecked
Time	2018-04-30T04:25:30
Severity	medium
Identifiers and References	Identifiers: CCE-80541-6 References: CCI-001851, SRG-OS-000342-GPOS-00133, RHEL-07-030300, SV-86707r1_rule
Description	Configure the audispd plugin to off-load audit records onto a different system or media from the system being audited. Set the `remote_server` option in /etc/audisp/audisp-remote.conf with an IP address or hostname of the system that the audispd plugin should send audit records to. For example replacing REMOTE_SYSTEM with an IP address or hostname: remote_server = REMOTE_SYSTEM
Rationale	Information stored in one location is vulnerable to accidental or incidental deletion or alteration.Off-loading is a common process in information systems with limited audit storage capacity.
Evaluation messages info No candidate or applicable check found.

Record Events that Modify the System's Discretionary Access Controls - chmod

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod

Result

pass

Time 2018-04-30T04:25:30

Severity low

Identifiers and References

Identifiers: CCE-27339-1

References: RHEL-07-030410, SV-86729r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Warnings

warning Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.

OVAL details

audit augenrules 32-bit chmod passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit chmod passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit chmod passed because these items were not found:

Object oval:ssg-object_32bit_ardm_chmod_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+chmod[\s]+\|([\s]+\|[,])chmod([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit chmod passed because these items were not found:

Object oval:ssg-object_64bit_ardm_chmod_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+chmod[\s]+\|([\s]+\|[,])chmod([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Record Events that Modify the System's Discretionary Access Controls - chown

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown

Result

pass

Time 2018-04-30T04:25:30

Severity low

Identifiers and References

Identifiers: CCE-27364-9

References: RHEL-07-030370, SV-86721r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7

Description

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

Warnings

OVAL details

audit augenrules 32-bit chown passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit chown passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit chown passed because these items were not found:

Object oval:ssg-object_32bit_ardm_chown_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+chown[\s]+\|([\s]+\|[,])chown([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit chown passed because these items were not found:

Object oval:ssg-object_64bit_ardm_chown_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+chown[\s]+\|([\s]+\|[,])chown([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Record Events that Modify the System's Discretionary Access Controls - fchmod

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod

Result

pass

Time 2018-04-30T04:25:30

Severity low

Identifiers and References

Identifiers: CCE-27393-8

References: RHEL-07-030420, SV-86731r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

Warnings

OVAL details

audit augenrules 32-bit fchmod passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fchmod passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fchmod passed because these items were not found:

Object oval:ssg-object_32bit_ardm_fchmod_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+fchmod[\s]+\|([\s]+\|[,])fchmod([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit fchmod passed because these items were not found:

Object oval:ssg-object_64bit_ardm_fchmod_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+fchmod[\s]+\|([\s]+\|[,])fchmod([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Record Events that Modify the System's Discretionary Access Controls - fchmodat

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat

Result

pass

Time 2018-04-30T04:25:30

Severity low

Identifiers and References

Identifiers: CCE-27388-8

References: RHEL-07-030430, SV-86733r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

Warnings

OVAL details

audit augenrules 32-bit fchmodat passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fchmodat passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fchmodat passed because these items were not found:

Object oval:ssg-object_32bit_ardm_fchmodat_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+fchmodat[\s]+\|([\s]+\|[,])fchmodat([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit fchmodat passed because these items were not found:

Object oval:ssg-object_64bit_ardm_fchmodat_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+fchmodat[\s]+\|([\s]+\|[,])fchmodat([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Record Events that Modify the System's Discretionary Access Controls - fchown

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown

Result

pass

Time 2018-04-30T04:25:30

Severity low

Identifiers and References

Identifiers: CCE-27356-5

References: RHEL-07-030380, SV-86723r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7

Description

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

Warnings

OVAL details

audit augenrules 32-bit fchown passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fchown passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fchown passed because these items were not found:

Object oval:ssg-object_32bit_ardm_fchown_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+fchown[\s]+\|([\s]+\|[,])fchown([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit fchown passed because these items were not found:

Object oval:ssg-object_64bit_ardm_fchown_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+fchown[\s]+\|([\s]+\|[,])fchown([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Record Events that Modify the System's Discretionary Access Controls - fchownat

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat

Result

pass

Time 2018-04-30T04:25:30

Severity low

Identifiers and References

Identifiers: CCE-27387-0

References: RHEL-07-030400, SV-86727r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7

Description

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

Warnings

OVAL details

audit augenrules 32-bit fchownat passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fchownat passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fchownat passed because these items were not found:

Object oval:ssg-object_32bit_ardm_fchownat_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+fchownat[\s]+\|([\s]+\|[,])fchownat([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit fchownat passed because these items were not found:

Object oval:ssg-object_64bit_ardm_fchownat_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+fchownat[\s]+\|([\s]+\|[,])fchownat([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Record Events that Modify the System's Discretionary Access Controls - fremovexattr

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-27353-2

References: RHEL-07-030480, SV-86743r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

Warnings

OVAL details

audit augenrules 32-bit fremovexattr passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fremovexattr passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fremovexattr passed because these items were not found:

Object oval:ssg-object_32bit_ardm_fremovexattr_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit fremovexattr passed because these items were not found:

Object oval:ssg-object_64bit_ardm_fremovexattr_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Record Events that Modify the System's Discretionary Access Controls - fsetxattr

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr

Result

pass

Time 2018-04-30T04:25:30

Severity low

Identifiers and References

Identifiers: CCE-27389-6

References: RHEL-07-030450, SV-86737r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

Warnings

OVAL details

audit augenrules 32-bit fsetxattr passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit fsetxattr passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit fsetxattr passed because these items were not found:

Object oval:ssg-object_32bit_ardm_fsetxattr_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit fsetxattr passed because these items were not found:

Object oval:ssg-object_64bit_ardm_fsetxattr_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Record Events that Modify the System's Discretionary Access Controls - lchown

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown

Result

pass

Time 2018-04-30T04:25:30

Severity low

Identifiers and References

Identifiers: CCE-27083-5

References: RHEL-07-030390, SV-86725r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7

Description

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

Warnings

OVAL details

audit augenrules 32-bit lchown passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit lchown passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit lchown passed because these items were not found:

Object oval:ssg-object_32bit_ardm_lchown_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+lchown[\s]+\|([\s]+\|[,])lchown([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit lchown passed because these items were not found:

Object oval:ssg-object_64bit_ardm_lchown_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+lchown[\s]+\|([\s]+\|[,])lchown([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Record Events that Modify the System's Discretionary Access Controls - lremovexattr

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-27410-0

References: RHEL-07-030490, SV-86745r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

Warnings

OVAL details

audit augenrules 32-bit lremovexattr passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit lremovexattr passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit lremovexattr passed because these items were not found:

Object oval:ssg-object_32bit_ardm_lremovexattr_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+lremovexattr[\s]+\|([\s]+\|[,])lremovexattr([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit lremovexattr passed because these items were not found:

Object oval:ssg-object_64bit_ardm_lremovexattr_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+lremovexattr[\s]+\|([\s]+\|[,])lremovexattr([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Record Events that Modify the System's Discretionary Access Controls - lsetxattr

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr

Result

pass

Time 2018-04-30T04:25:30

Severity low

Identifiers and References

Identifiers: CCE-27280-7

References: RHEL-07-030460, SV-86739r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7

Description

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

Warnings

OVAL details

audit augenrules 32-bit lsetxattr passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit lsetxattr passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit lsetxattr passed because these items were not found:

Object oval:ssg-object_32bit_ardm_lsetxattr_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+lsetxattr[\s]+\|([\s]+\|[,])lsetxattr([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit lsetxattr passed because these items were not found:

Object oval:ssg-object_64bit_ardm_lsetxattr_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+lsetxattr[\s]+\|([\s]+\|[,])lsetxattr([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Record Events that Modify the System's Discretionary Access Controls - removexattr

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-27367-2

References: RHEL-07-030470, SV-86741r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

Warnings

OVAL details

audit augenrules 32-bit removexattr passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit removexattr passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit removexattr passed because these items were not found:

Object oval:ssg-object_32bit_ardm_removexattr_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+removexattr[\s]+\|([\s]+\|[,])removexattr([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit removexattr passed because these items were not found:

Object oval:ssg-object_64bit_ardm_removexattr_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+removexattr[\s]+\|([\s]+\|[,])removexattr([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Record Events that Modify the System's Discretionary Access Controls - setxattr

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr

Result

pass

Time 2018-04-30T04:25:30

Severity low

Identifiers and References

Identifiers: CCE-27213-8

References: RHEL-07-030440, SV-86735r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7

Description

-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

If the system is 64 bit then also add the following line:

-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

Rationale

Warnings

OVAL details

audit augenrules 32-bit setxattr passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit augenrules 64-bit setxattr passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

audit auditctl 32-bit setxattr passed because these items were not found:

Object oval:ssg-object_32bit_ardm_setxattr_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+setxattr[\s]+\|([\s]+\|[,])setxattr([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit setxattr passed because these items were not found:

Object oval:ssg-object_64bit_ardm_setxattr_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+setxattr[\s]+\|([\s]+\|[,])setxattr([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Record Attempts to Alter Logon and Logout Events - tallylog

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80382-5

References: RHEL-07-030600, SV-86767r2_rule, AC-17(7), AU-1(b), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, CCI-000126, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, Req-10.2.3, 5.2.8, 3.1.7

Description

The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:

-w /var/log/tallylog -p wa -k logins

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:

-w /var/log/tallylog -p wa -k logins

Rationale

Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

OVAL details

audit augenrules tallylog passed because of these items:

Path	Content
/etc/audit/rules.d/logins.rules	-w /var/log/tallylog -p wa -k logins

audit auditctl tallylog passed because of these items:

Path	Content
/etc/audit/audit.rules	-w /var/log/tallylog -p wa -k logins

Record Attempts to Alter Logon and Logout Events - faillock

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80383-3

References: RHEL-07-030610, SV-86769r2_rule, AC-17(7), AU-1(b), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, CCI-000126, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, Req-10.2.3, 5.2.8, 3.1.7

Description

-w /var/run/faillock/ -p wa -k logins

-w /var/run/faillock/ -p wa -k logins

Rationale

Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

OVAL details

audit augenrules faillock passed because of these items:

Path	Content
/etc/audit/rules.d/logins.rules	-w /var/run/faillock -p wa -k logins

audit auditctl faillock passed because of these items:

Path	Content
/etc/audit/audit.rules	-w /var/run/faillock -p wa -k logins

Record Attempts to Alter Logon and Logout Events - lastlog

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80384-1

References: RHEL-07-030620, SV-86771r2_rule, AC-17(7), AU-1(b), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, CCI-000126, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, Req-10.2.3, 5.2.8, 3.1.7

Description

-w /var/log/lastlog -p wa -k logins

-w /var/log/lastlog -p wa -k logins

Rationale

Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

OVAL details

audit augenrules lastlog passed because of these items:

Path	Content
/etc/audit/rules.d/logins.rules	-w /var/log/lastlog -p wa -k logins

audit auditctl lastlog passed because of these items:

Path	Content
/etc/audit/audit.rules	-w /var/log/lastlog -p wa -k logins

Record Unauthorized Access Attempts to Files (unsuccessful) - creat

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80385-8

References: RHEL-07-030500, SV-86747r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7

Description

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

Rationale

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings

OVAL details

audit augenrules 32-bit file eaccess passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 32-bit file eperm passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eaccess passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eperm passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eaccess passed because these items were not found:

Object oval:ssg-object_32bit_arufm_eaccess_creat_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+creat[\s]+\|([\s]+\|[,])creat([\s]+\|[,])))(?:.-F\s+exit=\-EACCES[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 32-bit file eperm passed because these items were not found:

Object oval:ssg-object_32bit_arufm_eperm_creat_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+creat[\s]+\|([\s]+\|[,])creat([\s]+\|[,])))(?:.-F\s+exit=\-EPERM[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 64-bit file eaccess passed because these items were not found:

Object oval:ssg-object_64bit_arufm_eaccess_creat_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+creat[\s]+\|([\s]+\|[,])creat([\s]+\|[,])))(?:.-F\s+exit=\-EACCES[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 64-bit file eperm passed because these items were not found:

Object oval:ssg-object_64bit_arufm_eperm_creat_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+creat[\s]+\|([\s]+\|[,])creat([\s]+\|[,])))(?:.-F\s+exit=\-EPERM[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

Record Unauthorized Access Attempts to Files (unsuccessful) - open

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80386-6

References: RHEL-07-030510, SV-86749r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7

Description

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

Rationale

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings

OVAL details

audit augenrules 32-bit file eaccess passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 32-bit file eperm passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eaccess passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eperm passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eaccess passed because these items were not found:

Object oval:ssg-object_32bit_arufm_eaccess_open_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+open[\s]+\|([\s]+\|[,])open([\s]+\|[,])))(?:.-F\s+exit=\-EACCES[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 32-bit file eperm passed because these items were not found:

Object oval:ssg-object_32bit_arufm_eperm_open_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+open[\s]+\|([\s]+\|[,])open([\s]+\|[,])))(?:.-F\s+exit=\-EPERM[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 64-bit file eaccess passed because these items were not found:

Object oval:ssg-object_64bit_arufm_eaccess_open_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+open[\s]+\|([\s]+\|[,])open([\s]+\|[,])))(?:.-F\s+exit=\-EACCES[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 64-bit file eperm passed because these items were not found:

Object oval:ssg-object_64bit_arufm_eperm_open_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+open[\s]+\|([\s]+\|[,])open([\s]+\|[,])))(?:.-F\s+exit=\-EPERM[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

Record Unauthorized Access Attempts to Files (unsuccessful) - openat

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80387-4

References: RHEL-07-030520, SV-86751r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7

Description

-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

Rationale

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings

OVAL details

audit augenrules 32-bit file eaccess passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 32-bit file eperm passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eaccess passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eperm passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eaccess passed because these items were not found:

Object oval:ssg-object_32bit_arufm_eaccess_openat_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+openat[\s]+\|([\s]+\|[,])openat([\s]+\|[,])))(?:.-F\s+exit=\-EACCES[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 32-bit file eperm passed because these items were not found:

Object oval:ssg-object_32bit_arufm_eperm_openat_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+openat[\s]+\|([\s]+\|[,])openat([\s]+\|[,])))(?:.-F\s+exit=\-EPERM[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 64-bit file eaccess passed because these items were not found:

Object oval:ssg-object_64bit_arufm_eaccess_openat_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+openat[\s]+\|([\s]+\|[,])openat([\s]+\|[,])))(?:.-F\s+exit=\-EACCES[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 64-bit file eperm passed because these items were not found:

Object oval:ssg-object_64bit_arufm_eperm_openat_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+openat[\s]+\|([\s]+\|[,])openat([\s]+\|[,])))(?:.-F\s+exit=\-EPERM[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80388-2

References: RHEL-07-030530, SV-86753r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7

Description

-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

Rationale

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings

OVAL details

audit augenrules 32-bit file eaccess passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 32-bit file eperm passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eaccess passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eperm passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eaccess passed because these items were not found:

Object oval:ssg-object_32bit_arufm_eaccess_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+open_by_handle_at[\s]+\|([\s]+\|[,])open_by_handle_at([\s]+\|[,])))(?:.-F\s+exit=\-EACCES[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 32-bit file eperm passed because these items were not found:

Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+open_by_handle_at[\s]+\|([\s]+\|[,])open_by_handle_at([\s]+\|[,])))(?:.-F\s+exit=\-EPERM[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 64-bit file eaccess passed because these items were not found:

Object oval:ssg-object_64bit_arufm_eaccess_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+open_by_handle_at[\s]+\|([\s]+\|[,])open_by_handle_at([\s]+\|[,])))(?:.-F\s+exit=\-EACCES[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 64-bit file eperm passed because these items were not found:

Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+open_by_handle_at[\s]+\|([\s]+\|[,])open_by_handle_at([\s]+\|[,])))(?:.-F\s+exit=\-EPERM[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

Record Unauthorized Access Attempts to Files (unsuccessful) - truncate

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80389-0

References: RHEL-07-030540, SV-86755r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7

Description

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

Rationale

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings

OVAL details

audit augenrules 32-bit file eaccess passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 32-bit file eperm passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eaccess passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eperm passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eaccess passed because these items were not found:

Object oval:ssg-object_32bit_arufm_eaccess_truncate_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+truncate[\s]+\|([\s]+\|[,])truncate([\s]+\|[,])))(?:.-F\s+exit=\-EACCES[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 32-bit file eperm passed because these items were not found:

Object oval:ssg-object_32bit_arufm_eperm_truncate_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+truncate[\s]+\|([\s]+\|[,])truncate([\s]+\|[,])))(?:.-F\s+exit=\-EPERM[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 64-bit file eaccess passed because these items were not found:

Object oval:ssg-object_64bit_arufm_eaccess_truncate_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+truncate[\s]+\|([\s]+\|[,])truncate([\s]+\|[,])))(?:.-F\s+exit=\-EACCES[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 64-bit file eperm passed because these items were not found:

Object oval:ssg-object_64bit_arufm_eperm_truncate_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+truncate[\s]+\|([\s]+\|[,])truncate([\s]+\|[,])))(?:.-F\s+exit=\-EPERM[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80390-8

References: RHEL-07-030550, SV-86757r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7

Description

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

Rationale

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Warnings

OVAL details

audit augenrules 32-bit file eaccess passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 32-bit file eperm passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eaccess passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

audit augenrules 64-bit file eperm passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

audit auditctl 32-bit file eaccess passed because these items were not found:

Object oval:ssg-object_32bit_arufm_eaccess_ftruncate_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+ftruncate[\s]+\|([\s]+\|[,])ftruncate([\s]+\|[,])))(?:.-F\s+exit=\-EACCES[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 32-bit file eperm passed because these items were not found:

Object oval:ssg-object_32bit_arufm_eperm_ftruncate_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+ftruncate[\s]+\|([\s]+\|[,])ftruncate([\s]+\|[,])))(?:.-F\s+exit=\-EPERM[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 64-bit file eaccess passed because these items were not found:

Object oval:ssg-object_64bit_arufm_eaccess_ftruncate_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+ftruncate[\s]+\|([\s]+\|[,])ftruncate([\s]+\|[,])))(?:.-F\s+exit=\-EACCES[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl 64-bit file eperm passed because these items were not found:

Object oval:ssg-object_64bit_arufm_eperm_ftruncate_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+ftruncate[\s]+\|([\s]+\|[,])ftruncate([\s]+\|[,])))(?:.-F\s+exit=\-EPERM[\s]+)(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

Record Any Attempts to Run semanage

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80391-6

References: RHEL-07-030560, SV-86759r3_rule, AU-12(c), CCI-000172, CCI-002884, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, 3.1.7

Description

At a minimum, the audit system should collect any execution attempt of the semanage command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

OVAL details

audit augenrules semanage passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl semanage passed because these items were not found:

Object oval:ssg-object_audit_rules_execution_semanage_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

Record Any Attempts to Run setsebool

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80392-4

References: RHEL-07-030570, SV-86761r3_rule, AU-12(c), CCI-000172, CCI-002884, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, 3.1.7

Description

At a minimum, the audit system should collect any execution attempt of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

Rationale

OVAL details

audit augenrules setsebool passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl setsebool passed because these items were not found:

Object oval:ssg-object_audit_rules_execution_setsebool_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

Record Any Attempts to Run chcon

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80393-2

References: RHEL-07-030580, SV-86763r3_rule, AU-12(c), CCI-000172, CCI-002884, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, 3.1.7

Description

At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

Rationale

OVAL details

audit augenrules chcon passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl chcon passed because these items were not found:

Object oval:ssg-object_audit_rules_execution_chcon_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

Record Any Attempts to Run restorecon

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80394-0

References: RHEL-07-030590, SV-86765r3_rule, AU-12(c), CCI-000172, CCI-002884, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, 3.1.7

Description

At a minimum, the audit system should collect any execution attempt of the restorecon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

Rationale

OVAL details

audit augenrules restorecon passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl restorecon passed because these items were not found:

Object oval:ssg-object_audit_rules_execution_restorecon_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

Ensure auditd Collects Information on the Use of Privileged Commands

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands

Result

fail

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-27437-3

References: RHEL-07-030360, SV-86719r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-2(4), AU-6(9), AU-12(a), AU-12(c), IR-5, CCI-002234, SRG-OS-000327-GPOS-00127, Req-10.2.2, 5.2.10, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART:

$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:

-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:

-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules suid sgid failed because of these items:

Path	Content
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

audit augenrules binaries count matches rules count failed because of these items:

Var ref	Value
oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1	27

audit auditctl suid sgid failed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules	-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules	-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules	-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules	-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules	-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules	-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules	-a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules	-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules	-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules	-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules	-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

audit auditctl binaries count matches rules count failed because of these items:

Var ref	Value
oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1	27

Remediation Shell script: (show)



# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Function to perform remediation for 'audit_rules_privileged_commands' rule
#
# Expects two arguments:
#
# audit_tool		tool used to load audit rules
# 			One of 'auditctl' or 'augenrules'
#
# min_auid		Minimum original ID the user logged in with
# 			'500' for RHEL-6 and before, '1000' for RHEL-7 and after.
#
# Example Call(s):
#
#      perform_audit_rules_privileged_commands_remediation "auditctl" "500"
#      perform_audit_rules_privileged_commands_remediation "augenrules"	"1000"
#
function perform_audit_rules_privileged_commands_remediation {
#
# Load function arguments into local variables
local tool="$1"
local min_auid="$2"

# Check sanity of the input
if [ $# -ne "2" ]
then
	echo "Usage: perform_audit_rules_privileged_commands_remediation 'auditctl | augenrules' '500 | 1000'"
	echo "Aborting."
	exit 1
fi

declare -a files_to_inspect=()

# Check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ]
then
	echo "Unknown audit rules loading tool: $1. Aborting."
	echo "Use either 'auditctl' or 'augenrules'!"
	exit 1
# If the audit tool is 'auditctl', then:
# * add '/etc/audit/audit.rules'to the list of files to be inspected,
# * specify '/etc/audit/audit.rules' as the output audit file, where
#   missing rules should be inserted
elif [ "$tool" == 'auditctl' ]
then
	files_to_inspect=("/etc/audit/audit.rules")
	output_audit_file="/etc/audit/audit.rules"
#
# If the audit tool is 'augenrules', then:
# * add '/etc/audit/rules.d/*.rules' to the list of files to be inspected
#   (split by newline),
# * specify /etc/audit/rules.d/privileged.rules' as the output file, where
#   missing rules should be inserted
elif [ "$tool" == 'augenrules' ]
then
	IFS=$'\n' files_to_inspect=($(find /etc/audit/rules.d -maxdepth 1 -type f -name *.rules -print))
	output_audit_file="/etc/audit/rules.d/privileged.rules"
fi

# Obtain the list of SUID/SGID binaries on the particular system (split by newline)
# into privileged_binaries array
IFS=$'\n' privileged_binaries=($(find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null))

# Keep list of SUID/SGID binaries that have been already handled within some previous iteration
declare -a sbinaries_to_skip=()

# For each found sbinary in privileged_binaries list
for sbinary in "${privileged_binaries[@]}"
do

	# Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below
	sbinary_esc=${sbinary//$'/'/$'\/'}
	# Check if this sbinary wasn't already handled in some of the previous iterations
	# Return match only if whole sbinary definition matched (not in the case just prefix matched!!!)
	if [[ $(sed -ne "/${sbinary_esc}$/p" <<< ${sbinaries_to_skip[@]}) ]]
	then
		# If so, don't process it second time & go to process next sbinary
		continue
	fi

	# Reset the counter of inspected files when starting to check
	# presence of existing audit rule for new sbinary
	local count_of_inspected_files=0

	# Define expected rule form for this binary
	expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=4294967295 -k privileged"

	# If list of audit rules files to be inspected is empty, just add new rule and move on to next binary
	if [[ ${#files_to_inspect[@]} -eq 0 ]]; then
		echo "$expected_rule" >> "$output_audit_file"
		continue
	fi

	# For each audit rules file from the list of files to be inspected
	for afile in "${files_to_inspect[@]}"
	do

		# Search current audit rules file's content for match. Match criteria:
		# * existing rule is for the same SUID/SGID binary we are currently processing (but
		#   can contain multiple -F path= elements covering multiple SUID/SGID binaries)
		# * existing rule contains all arguments from expected rule form (though can contain
		#   them in arbitrary order)
	
		base_search=$(sed -e "/-a always,exit/!d" -e "/-F path=${sbinary_esc}$/!d"   \
		    		  -e "/-F path=[^[:space:]]\+/!d" -e "/-F perm=.*/!d"       \
				  -e "/-F auid>=${min_auid}/!d" -e "/-F auid!=4294967295/!d"  \
				  -e "/-k privileged/!d" $afile)

		# Increase the count of inspected files for this sbinary
		count_of_inspected_files=$((count_of_inspected_files + 1))

		# Require execute access type to be set for existing audit rule
		exec_access='x'

		# Search current audit rules file's content for presence of rule pattern for this sbinary
		if [[ $base_search ]]
		then

			# Current audit rules file already contains rule for this binary =>
			# Store the exact form of found rule for this binary for further processing
			concrete_rule=$base_search

			# Select all other SUID/SGID binaries possibly also present in the found rule
			IFS=$'\n' handled_sbinaries=($(grep -o -e "-F path=[^[:space:]]\+" <<< $concrete_rule))
			IFS=$' ' handled_sbinaries=(${handled_sbinaries[@]//-F path=/})

			# Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
			sbinaries_to_skip=($(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo $i; done | sort -du))

			# Separate concrete_rule into three sections using hash '#'
			# sign as a delimiter around rule's permission section borders
			concrete_rule=$(echo $concrete_rule | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\)\+/\1#\2#/p")

			# Split concrete_rule into head, perm, and tail sections using hash '#' delimiter
			IFS=$'#' read rule_head rule_perm rule_tail <<<  "$concrete_rule"

			# Extract already present exact access type [r|w|x|a] from rule's permission section
			access_type=${rule_perm//-F perm=/}

			# Verify current permission access type(s) for rule contain 'x' (execute) permission
			if ! grep -q "$exec_access" <<< "$access_type"
			then

				# If not, append the 'x' (execute) permission to the existing access type bits
				access_type="$access_type$exec_access"
				# Reconstruct the permissions section for the rule
				new_rule_perm="-F perm=$access_type"
				# Update existing rule in current audit rules file with the new permission section
				sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${new_rule_perm}${rule_tail}#" $afile

			fi

		# If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions:
		#
		# * in the "auditctl" mode of operation insert particular rule each time
		#   (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule),
		#
		# * in the "augenrules" mode of operation insert particular rule only once and only in case we have already
		#   searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined
		#   in any of those files and if not, we want it to be inserted only once into /etc/audit/rules.d/privileged.rules file)
		#
		elif [ "$tool" == "auditctl" ] || [[ "$tool" == "augenrules" && $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]]
		then

			# Current audit rules file's content doesn't contain expected rule for this
			# SUID/SGID binary yet => append it
			echo $expected_rule >> $output_audit_file
			continue
		fi

	done

done
}	

perform_audit_rules_privileged_commands_remediation "auditctl" "1000"
perform_audit_rules_privileged_commands_remediation "augenrules" "1000"

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Strategy:	restrict


- name: Search for privileged commands
  shell: "find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null | cat"
  check_mode: no
  register: find_result
  tags:
    - audit_rules_privileged_commands
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27437-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-2(4)
    - NIST-800-53-AU-6(9)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.2
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030360

# Inserts/replaces the rule in /etc/audit/rules.d

- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path={{ item }} .*$"
    patterns: "*.rules"
  with_items:
    - "{{ find_result.stdout_lines }}"
  register: files_result
  tags:
    - audit_rules_privileged_commands
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27437-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-2(4)
    - NIST-800-53-AU-6(9)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.2
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030360
  
- name: Overwrites the rule in rules.d
  lineinfile:
    path: "{{ item.1.path }}"
    line: '-a always,exit -F path={{ item.0.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged'
    create: no
    regexp: "^.*path={{ item.0.item }} .*$"
  with_subelements:
    - "{{ files_result.results }}"
    - files
  tags:
    - audit_rules_privileged_commands
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27437-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-2(4)
    - NIST-800-53-AU-6(9)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.2
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030360
    
- name: Adds the rule in rules.d
  lineinfile:
    path: /etc/audit/rules.d/privileged.rules
    line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged'
    create: yes
  with_items:
    - "{{ files_result.results }}"
  when: item.matched == 0
  tags:
    - audit_rules_privileged_commands
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27437-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-2(4)
    - NIST-800-53-AU-6(9)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.2
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030360
  
# Adds/overwrites the rule in /etc/audit/audit.rules

- name: Inserts/replaces the rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged'
    create: yes
    regexp: "^.*path={{ item.item }} .*$"
  with_items:
    - "{{ files_result.results }}"
  tags:
    - audit_rules_privileged_commands
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27437-3
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-2(4)
    - NIST-800-53-AU-6(9)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.2.2
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030360

Ensure auditd Collects Information on the Use of Privileged Commands - passwd

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80395-7

References: RHEL-07-030630, SV-86773r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules passwd passed because of these items:

Path	Content
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl passwd passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80396-5

References: RHEL-07-030640, SV-86775r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules unix_chkpwd passed because of these items:

Path	Content
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl unix_chkpwd passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80397-3

References: RHEL-07-030650, SV-86777r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules gpasswd passed because of these items:

Path	Content
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl gpasswd passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - chage

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80398-1

References: RHEL-07-030660, SV-86779r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules chage passed because of these items:

Path	Content
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl chage passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - userhelper

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80399-9

References: RHEL-07-030670, SV-86781r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules userhelper passed because of these items:

Path	Content
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl userhelper passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - su

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80400-5

References: RHEL-07-030680, SV-86783r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules su passed because of these items:

Path	Content
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl su passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - sudo

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80401-3

References: RHEL-07-030690, SV-86785r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules sudo passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl sudo passed because these items were not found:

Object oval:ssg-object_audit_rules_privileged_commands_sudo_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80402-1

References: RHEL-07-030730, SV-86793r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules sudoedit passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl sudoedit passed because these items were not found:

Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80403-9

References: RHEL-07-030710, SV-86789r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules newgrp passed because of these items:

Path	Content
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl newgrp passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - chsh

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80404-7

References: RHEL-07-030720, SV-86791r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules chsh passed because of these items:

Path	Content
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl chsh passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - umount

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80405-4

References: RHEL-07-030750, SV-86797r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules umount passed because of these items:

Path	Content
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl umount passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - postdrop

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80406-2

References: RHEL-07-030760, SV-86799r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules postdrop passed because of these items:

Path	Content
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl postdrop passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - postqueue

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80407-0

References: RHEL-07-030770, SV-86801r2_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules postqueue passed because of these items:

Path	Content
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl postqueue passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80408-8

References: RHEL-07-030780, SV-86803r2_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/libexec/openssh/key-sign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules ssh_keysign passed because of these items:

Path	Content
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl ssh_keysign passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80409-6

References: RHEL-07-030790, SV-86805r2_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules pt_chown passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl pt_chown passed because these items were not found:

Object oval:ssg-object_audit_rules_privileged_commands_pt_chown_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+(-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

Ensure auditd Collects Information on the Use of Privileged Commands - crontab

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80410-4

References: RHEL-07-030800, SV-86807r2_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules crontab passed because of these items:

Path	Content
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl crontab passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80411-2

References: RHEL-07-030810, SV-86809r2_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7

Description

-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Rationale

OVAL details

audit augenrules pam_timestamp_check passed because of these items:

Path	Content
/etc/audit/rules.d/privileged.rules	-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

audit auditctl pam_timestamp_check passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

Ensure auditd Collects File Deletion Events by User - rmdir

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80412-0

References: RHEL-07-030900, SV-86827r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), CCI-000366, CCI-000172, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7

Description

At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete

Rationale

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.

OVAL details

audit augenrules 32-bit rmdir passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete

audit augenrules 64-bit rmdir passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete

audit auditctl 32-bit rmdir passed because these items were not found:

Object oval:ssg-object_32bit_ardm_rmdir_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+rmdir[\s]+\|([\s]+\|[,])rmdir([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit rmdir passed because these items were not found:

Object oval:ssg-object_64bit_ardm_rmdir_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+rmdir[\s]+\|([\s]+\|[,])rmdir([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Ensure auditd Collects File Deletion Events by User - unlink

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-27206-2

References: RHEL-07-030910, SV-86829r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), CCI-000366, CCI-000172, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7

Description

-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete

-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete

Rationale

OVAL details

audit augenrules 32-bit unlink passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete

audit augenrules 64-bit unlink passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete

audit auditctl 32-bit unlink passed because these items were not found:

Object oval:ssg-object_32bit_ardm_unlink_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+unlink[\s]+\|([\s]+\|[,])unlink([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit unlink passed because these items were not found:

Object oval:ssg-object_64bit_ardm_unlink_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+unlink[\s]+\|([\s]+\|[,])unlink([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Ensure auditd Collects File Deletion Events by User - unlinkat

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-27206-2

References: RHEL-07-030920, SV-86831r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), CCI-000366, CCI-000172, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7

Description

-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete

-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete

Rationale

OVAL details

audit augenrules 32-bit unlinkat passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete

audit augenrules 64-bit unlinkat passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete

audit auditctl 32-bit unlinkat passed because these items were not found:

Object oval:ssg-object_32bit_ardm_unlinkat_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+unlinkat[\s]+\|([\s]+\|[,])unlinkat([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit unlinkat passed because these items were not found:

Object oval:ssg-object_64bit_ardm_unlinkat_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+unlinkat[\s]+\|([\s]+\|[,])unlinkat([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Ensure auditd Collects File Deletion Events by User - rename

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-27206-2

References: RHEL-07-030880, SV-86823r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), CCI-000366, CCI-000172, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7

Description

-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete

-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete

Rationale

OVAL details

audit augenrules 32-bit rename passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete

audit augenrules 64-bit rename passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete

audit auditctl 32-bit rename passed because these items were not found:

Object oval:ssg-object_32bit_ardm_rename_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+rename[\s]+\|([\s]+\|[,])rename([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit rename passed because these items were not found:

Object oval:ssg-object_64bit_ardm_rename_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+rename[\s]+\|([\s]+\|[,])rename([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Ensure auditd Collects File Deletion Events by User - renameat

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80413-8

References: RHEL-07-030890, SV-86825r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), CCI-000366, CCI-000172, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7

Description

-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete

-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete

Rationale

OVAL details

audit augenrules 32-bit renameat passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete

audit augenrules 64-bit renameat passed because of these items:

Path	Content
/etc/audit/rules.d/.rules	-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete

audit auditctl 32-bit renameat passed because these items were not found:

Object oval:ssg-object_32bit_ardm_renameat_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b32[\s]+)(?:.(-S[\s]+renameat[\s]+\|([\s]+\|[,])renameat([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

audit auditctl 64-bit renameat passed because these items were not found:

Object oval:ssg-object_64bit_ardm_renameat_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+(?:.-F[\s]+arch=b64[\s]+)(?:.(-S[\s]+renameat[\s]+\|([\s]+\|[,])renameat([\s]+\|[,])))(?:.-F\s+auid>=1000[\s]+)(?:.-F\s+auid!=4294967295[\s]+).(-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$	1

Ensure auditd Collects Information on Kernel Module Loading - init_module

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80414-6

References: RHEL-07-030820, SV-86811r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7

Description

To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S init_module -F key=modules

Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.

Rationale

The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

OVAL details

audit augenrules 32-bit init_module passed because of these items:

Path	Content
/etc/audit/rules.d/modules.rules	-a always,exit -F arch=b32 -S init_module -k modules

audit augenrules 64-bit init_module passed because of these items:

Path	Content
/etc/audit/rules.d/modules.rules	-a always,exit -F arch=b64 -S init_module -k modules

audit auditctl 32-bit init_module passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F arch=b32 -S init_module -k modules

audit auditctl 64-bit init_module passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F arch=b64 -S init_module -k modules

Ensure auditd Collects Information on Kernel Module Unloading - delete_module

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80415-3

References: RHEL-07-030830, SV-86813r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7

Description

To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-a always,exit -F arch=ARCH -S delete_module -F key=modules

Rationale

The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

OVAL details

audit augenrules 32-bit delete_module passed because of these items:

Path	Content
/etc/audit/rules.d/modules.rules	-a always,exit -F arch=b32 -S delete_module -k modules

audit augenrules 64-bit delete_module passed because of these items:

Path	Content
/etc/audit/rules.d/modules.rules	-a always,exit -F arch=b64 -S delete_module -k modules

audit auditctl 32-bit delete_module passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F arch=b32 -S delete_module -k modules

audit auditctl 64-bit delete_module passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F arch=b64 -S delete_module -k modules

Ensure auditd Collects Information on Kernel Module Loading - insmod

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80446-8

References: RHEL-07-030840, SV-86815r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7

Description

To capture invocation of insmod, utility used to insert modules into kernel, use the following line:

-w /usr/sbin/insmod -p x -k modules

Rationale

OVAL details

audit augenrules insmod passed because of these items:

Path	Content
/etc/audit/rules.d/modules.rules	-w /usr/sbin/insmod -p x -k modules

audit auditctl insmod passed because of these items:

Path	Content
/etc/audit/audit.rules	-w /usr/sbin/insmod -p x -k modules

Ensure auditd Collects Information on Kernel Module Unloading - rmmod

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80416-1

References: RHEL-07-030850, SV-86817r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7

Description

To capture invocation of rmmod, utility used to remove modules from kernel, add the following line:

-w /usr/sbin/rmmod -p x -k modules

Rationale

OVAL details

audit augenrules rmmod passed because of these items:

Path	Content
/etc/audit/rules.d/modules.rules	-w /usr/sbin/rmmod -p x -k modules

audit auditctl rmmod passed because of these items:

Path	Content
/etc/audit/audit.rules	-w /usr/sbin/rmmod -p x -k modules

Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80417-9

References: RHEL-07-030860, SV-86819r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7

Description

To capture invocation of modprobe, utility used to insert / remove modules from kernel, add the following line:

-w /usr/sbin/modprobe -p x -k modules

Rationale

The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

OVAL details

audit augenrules modprobe passed because of these items:

Path	Content
/etc/audit/rules.d/modules.rules	-w /usr/sbin/modprobe -p x -k modules

audit auditctl modprobe passed because of these items:

Path	Content
/etc/audit/audit.rules	-w /usr/sbin/modprobe -p x -k modules

Shutdown System When Auditing Failures Occur

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80381-7

References: RHEL-07-030010, SV-86705r1_rule, AU-5, AU-5(a), CCI-000139, SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023, 3.3.1, 3.3.4

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-f 2

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the top of the /etc/audit/audit.rules file:

-f 2

Rationale

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.

Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.

OVAL details

audit augenrules configuration shutdown passed because of these items:

Path	Content
/etc/audit/rules.d/immutable.rules	-f 2

audit auditctl configuration shutdown passed because of these items:

Path	Content
/etc/audit/audit.rules	-f 2

Record Events that Modify User/Group Information - /etc/group

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80433-6

References: RHEL-07-030871, SV-87817r2_rule, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000018, CCI-000172, CCI-001403, CCI-002130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, 5.4.1.1, 3.1.7

Description

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/group -p wa -k audit_rules_usergroup_modification

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/group -p wa -k audit_rules_usergroup_modification

Rationale

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

OVAL details

audit augenrules group passed because of these items:

Path	Content
/etc/audit/rules.d/audit_rules_usergroup_modification.rules	-w /etc/group -p wa -k audit_rules_usergroup_modification

audit group passed because of these items:

Path	Content
/etc/audit/audit.rules	-w /etc/group -p wa -k audit_rules_usergroup_modification

Record Events that Modify User/Group Information - /etc/gshadow

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80432-8

References: RHEL-07-030872, SV-87819r2_rule, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000018, CCI-000172, CCI-001403, CCI-002130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, 5.4.1.1, 3.1.7

Description

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

Rationale

OVAL details

audit augenrules gshadow passed because of these items:

Path	Content
/etc/audit/rules.d/audit_rules_usergroup_modification.rules	-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

audit gshadow passed because of these items:

Path	Content
/etc/audit/audit.rules	-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

Record Events that Modify User/Group Information - /etc/shadow

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80431-0

References: RHEL-07-030873, SV-87823r2_rule, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000018, CCI-000172, CCI-001403, CCI-002130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, 5.4.1.1, 3.1.7

Description

-w /etc/shadow -p wa -k audit_rules_usergroup_modification

-w /etc/shadow -p wa -k audit_rules_usergroup_modification

Rationale

OVAL details

audit augenrules shadow passed because of these items:

Path	Content
/etc/audit/rules.d/audit_rules_usergroup_modification.rules	-w /etc/shadow -p wa -k audit_rules_usergroup_modification

audit shadow passed because of these items:

Path	Content
/etc/audit/audit.rules	-w /etc/shadow -p wa -k audit_rules_usergroup_modification

Record Events that Modify User/Group Information - /etc/passwd

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80435-1

References: RHEL-07-030870, SV-86821r3_rule, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000018, CCI-000172, CCI-001403, CCI-002130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221, 5.4.1.1, 3.1.7

Description

-w /etc/passwd -p wa -k audit_rules_usergroup_modification

-w /etc/passwd -p wa -k audit_rules_usergroup_modification

Rationale

OVAL details

audit augenrules passwd passed because of these items:

Path	Content
/etc/audit/rules.d/audit_rules_usergroup_modification.rules	-w /etc/passwd -p wa -k audit_rules_usergroup_modification

audit passwd passed because of these items:

Path	Content
/etc/audit/audit.rules	-w /etc/passwd -p wa -k audit_rules_usergroup_modification

Record Events that Modify User/Group Information - /etc/security/opasswd

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd

Result

pass

Time 2018-04-30T04:25:30

Severity medium

Identifiers and References

Identifiers: CCE-80430-2

References: RHEL-07-030874, SV-87825r2_rule, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000018, CCI-000172, CCI-001403, CCI-002130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, 5.4.1.1, 3.1.7

Description

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

Rationale

OVAL details

audit augenrules opasswd passed because of these items:

Path	Content
/etc/audit/rules.d/audit_rules_usergroup_modification.rules	-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

audit opasswd passed because of these items:

Path	Content
/etc/audit/audit.rules	-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

Ensure auditd Collects Information on Exporting to Media (successful)

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_media_export

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-27447-2

References: RHEL-07-030740, SV-86795r3_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-3(1), AU-12(a), AU-12(c), IR-5, CCI-000135, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.13, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export

-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export

Rationale

The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

OVAL details

audit augenrules mount 32-bit passed because of these items:

Path	Content
/etc/audit/rules.d/export.rules	-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k export

audit augenrules mount 64-bit passed because of these items:

Path	Content
/etc/audit/rules.d/export.rules	-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export

audit auditctl mount 32-bit passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k export

audit auditctl mount 64-bit passed because of these items:

Path	Content
/etc/audit/audit.rules	-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export

Ensure auditd Collects System Administrator Actions

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions

Result

pass

Time 2018-04-30T04:25:45

Severity low

Identifiers and References

Identifiers: CCE-27461-3

References: RHEL-07-030700, SV-86787r3_rule, AC-2(7)(b), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), iAU-3(1), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000130, CCI-000135, CCI-000172, CCI-002884, Req-10.2.2, Req-10.2.5.b, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, 5.4.1.1, 3.1.7

Description

At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:

-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

Rationale

The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.

OVAL details

audit augenrules sudoers passed because of these items:

Path	Content
/etc/audit/rules.d/actions.rules	-w /etc/sudoers -p wa -k actions

audit auditctl sudoers passed because of these items:

Path	Content
/etc/audit/audit.rules	-w /etc/sudoers -p wa -k actions

Enable auditd Service

Rule ID xccdf_org.ssgproject.content_rule_service_auditd_enabled

Result

pass

Time 2018-04-30T04:25:30

Severity high

Identifiers and References

Identifiers: CCE-27407-6

References: RHEL-07-030000, SV-86703r1_rule, AU-3, AC-17(1), AU-1(b), AU-10, AU-12(a), AU-12(c), AU-14(1), IR-5, CCI-000126, CCI-000131, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, Req-10, 4.1.2, 5.4.1.1, 3.3.1, 3.3.2, 3.3.6

Description

The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:

$ sudo systemctl enable auditd.service

Rationale

Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

OVAL details

Test that the auditd service is running passed because of these items:

Unit	Property	Value
auditd.service	ActiveState	active

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	systemd-machine-id-commit.service	cryptsetup.target	systemd-journal-flush.service	dev-mqueue.mount	systemd-journald.service	sys-kernel-config.mount	local-fs.target	home.mount	var.mount	var-log-audit.mount	-.mount	tmp.mount	boot.mount	rhel-readonly.service	systemd-remount-fs.service	systemd-firstboot.service	dev-hugepages.mount	rhel-loadmodules.service	systemd-udev-trigger.service	systemd-binfmt.service	sys-kernel-debug.mount	systemd-update-utmp.service	systemd-udevd.service	systemd-tmpfiles-setup.service	kmod-static-nodes.service	systemd-sysctl.service	sys-fs-fuse-connections.mount	systemd-ask-password-console.path	lvm2-lvmpolld.socket	rhel-autorelabel.service	plymouth-read-write.service	swap.target	systemd-update-done.service	systemd-vconsole-setup.service	systemd-random-seed.service	lvm2-monitor.service	systemd-tmpfiles-setup-dev.service	plymouth-start.service	lvm2-lvmetad.socket	proc-sys-fs-binfmt_misc.automount	rhel-domainname.service	systemd-journal-catalog-update.service	systemd-hwdb-update.service	systemd-modules-load.service	rhel-import-state.service	microcode.service	rhel-dmesg.service	selinux-policy-migrate-local-changes@targeted.service	slices.target	-.slice	system.slice	paths.target	sockets.target	dm-event.socket	dbus.socket	pcscd.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	systemd-shutdownd.socket	systemd-udevd-kernel.socket	timers.target	systemd-tmpfiles-clean.timer	rhel-configure.service	irqbalance.service	postfix.service	systemd-user-sessions.service	tuned.service	plymouth-quit-wait.service	dbus.service	rsyslog.service	kdump.service	systemd-readahead-replay.service	brandbot.path	systemd-ask-password-wall.path	network.service	remote-fs.target	rhnsd.service	rhsmcertd.service	plymouth-quit.service	firewalld.service	sshd.service	crond.service	NetworkManager.service	getty.target	getty@tty1.service	systemd-update-utmp-runlevel.service	chronyd.service	auditd.service	systemd-readahead-collect.service	systemd-logind.service

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	systemd-machine-id-commit.service	cryptsetup.target	systemd-journal-flush.service	dev-mqueue.mount	systemd-journald.service	sys-kernel-config.mount	local-fs.target	home.mount	var.mount	var-log-audit.mount	-.mount	tmp.mount	boot.mount	rhel-readonly.service	systemd-remount-fs.service	systemd-firstboot.service	dev-hugepages.mount	rhel-loadmodules.service	systemd-udev-trigger.service	systemd-binfmt.service	sys-kernel-debug.mount	systemd-update-utmp.service	systemd-udevd.service	systemd-tmpfiles-setup.service	kmod-static-nodes.service	systemd-sysctl.service	sys-fs-fuse-connections.mount	systemd-ask-password-console.path	lvm2-lvmpolld.socket	rhel-autorelabel.service	plymouth-read-write.service	swap.target	systemd-update-done.service	systemd-vconsole-setup.service	systemd-random-seed.service	lvm2-monitor.service	systemd-tmpfiles-setup-dev.service	plymouth-start.service	lvm2-lvmetad.socket	proc-sys-fs-binfmt_misc.automount	rhel-domainname.service	systemd-journal-catalog-update.service	systemd-hwdb-update.service	systemd-modules-load.service	rhel-import-state.service	microcode.service	rhel-dmesg.service	selinux-policy-migrate-local-changes@targeted.service	slices.target	-.slice	system.slice	paths.target	sockets.target	dm-event.socket	dbus.socket	pcscd.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	systemd-shutdownd.socket	systemd-udevd-kernel.socket	timers.target	systemd-tmpfiles-clean.timer	rhel-configure.service	irqbalance.service	postfix.service	systemd-user-sessions.service	tuned.service	plymouth-quit-wait.service	dbus.service	rsyslog.service	kdump.service	systemd-readahead-replay.service	brandbot.path	systemd-ask-password-wall.path	network.service	remote-fs.target	rhnsd.service	rhsmcertd.service	plymouth-quit.service	firewalld.service	sshd.service	crond.service	NetworkManager.service	getty.target	getty@tty1.service	systemd-update-utmp-runlevel.service	chronyd.service	auditd.service	systemd-readahead-collect.service	systemd-logind.service

Uninstall telnet-server Package

Rule ID xccdf_org.ssgproject.content_rule_package_telnet-server_removed

Result

pass

Time 2018-04-30T04:25:45

Severity high

Identifiers and References

Identifiers: CCE-27165-0

References: RHEL-07-021710, SV-86701r1_rule, AC-17(8), CM-7(a), CCI-000381, SRG-OS-000095-GPOS-00049, 2.1.1

Description

The telnet-server package can be uninstalled with the following command:

$ sudo yum erase telnet-server

Rationale

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors.
The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation.

OVAL details

package telnet-server is removed passed because these items were not found:

Object oval:ssg-obj_package_telnet-server_removed:obj:1 of type rpminfo_object

Name
telnet-server

Uninstall rsh-server Package

Rule ID xccdf_org.ssgproject.content_rule_package_rsh-server_removed

Result

pass

Time 2018-04-30T04:25:45

Severity high

Identifiers and References

Identifiers: CCE-27342-5

References: RHEL-07-020000, SV-86591r1_rule, AC-17(8), CM-7(a), CCI-000381, SRG-OS-000095-GPOS-00049

Description

The rsh-server package can be uninstalled with the following command:

$ sudo yum erase rsh-server

Rationale

The rsh-server service provides unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The rsh-server package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.

OVAL details

package rsh-server is removed passed because these items were not found:

Object oval:ssg-obj_package_rsh-server_removed:obj:1 of type rpminfo_object

Name
rsh-server

Remove Host-Based Authentication Files

Rule ID	xccdf_org.ssgproject.content_rule_no_host_based_files
Result	notchecked
Time	2018-04-30T04:25:45
Severity	high
Identifiers and References	Identifiers: CCE-80513-5 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-040550, SV-86903r1_rule
Description	The `/etc/shosts.equiv` file list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: $ sudo rm /etc/shosts.equiv
Rationale	The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Evaluation messages info No candidate or applicable check found.

Remove User Host-Based Authentication Files

Rule ID	xccdf_org.ssgproject.content_rule_no_user_host_based_files
Result	notchecked
Time	2018-04-30T04:25:45
Severity	high
Identifiers and References	Identifiers: CCE-80514-3 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-040540, SV-86901r1_rule
Description	The `~/.shosts` (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: $ sudo rm ~/.shosts
Rationale	The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false
Evaluation messages info No candidate or applicable check found.

Uninstall ypserv Package

Rule ID xccdf_org.ssgproject.content_rule_package_ypserv_removed

Result

pass

Time 2018-04-30T04:25:45

Severity high

Identifiers and References

Identifiers: CCE-27399-5

References: RHEL-07-020010, SV-86593r1_rule, AC-17(8), CM-7(a), CCI-000381, SRG-OS-000095-GPOS-00049, 2.2.16

Description

The ypserv package can be uninstalled with the following command:

$ sudo yum erase ypserv

Rationale

The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the ypserv package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.

OVAL details

package ypserv is removed passed because these items were not found:

Object oval:ssg-obj_package_ypserv_removed:obj:1 of type rpminfo_object

Name
ypserv

Uninstall tftp-server Package

Rule ID xccdf_org.ssgproject.content_rule_package_tftp-server_removed

Result

pass

Time 2018-04-30T04:25:45

Severity high

Identifiers and References

Identifiers: CCE-80213-2

References: RHEL-07-040700, SV-86925r1_rule, AC-17(8), CM-6(c), CM-7, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, SRG-OS-000480-GPOS-00227

Description

The tftp-server package can be removed with the following command:

$ sudo yum erase tftp-server

Rationale

Removing the tftp-server package decreases the risk of the accidental (or intentional) activation of tftp services.

If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established.

OVAL details

package tftp-server is removed passed because these items were not found:

Object oval:ssg-obj_package_tftp-server_removed:obj:1 of type rpminfo_object

Name
tftp-server

Ensure tftp Daemon Uses Secure Mode

Rule ID xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80214-0

References: RHEL-07-040720, SV-86929r1_rule, AC-6, AC-17(8), CM-7, CCI-000366, SRG-OS-000480-GPOS-00227

Description

If running the tftp service is necessary, it should be configured to change its root directory at startup. To do so, ensure /etc/xinetd.d/tftp includes -s as a command line argument, as shown in the following example (which is also the default):

server_args = -s /var/lib/tftpboot

Rationale

Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private.

OVAL details

tftpd secure mode passed because these items were not found:

Object oval:ssg-object_tftpd_uses_secure_mode:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/xinetd.d/tftp	^[\s]*server_args[\s]+=[\s]+\-s[\s]+.+$	1

Disable KDump Kernel Crash Analyzer (kdump)

Rule ID xccdf_org.ssgproject.content_rule_service_kdump_disabled

Result

fail

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80258-7

References: RHEL-07-021300, SV-86681r1_rule, AC-17(8), CM-7, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00227

Description

The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The kdump service can be disabled with the following command:

$ sudo systemctl disable kdump.service

Rationale

Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service.

OVAL details

systemd test failed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	systemd-machine-id-commit.service	cryptsetup.target	systemd-journal-flush.service	dev-mqueue.mount	systemd-journald.service	sys-kernel-config.mount	local-fs.target	home.mount	var.mount	var-log-audit.mount	-.mount	tmp.mount	boot.mount	rhel-readonly.service	systemd-remount-fs.service	systemd-firstboot.service	dev-hugepages.mount	rhel-loadmodules.service	systemd-udev-trigger.service	systemd-binfmt.service	sys-kernel-debug.mount	systemd-update-utmp.service	systemd-udevd.service	systemd-tmpfiles-setup.service	kmod-static-nodes.service	systemd-sysctl.service	sys-fs-fuse-connections.mount	systemd-ask-password-console.path	lvm2-lvmpolld.socket	rhel-autorelabel.service	plymouth-read-write.service	swap.target	systemd-update-done.service	systemd-vconsole-setup.service	systemd-random-seed.service	lvm2-monitor.service	systemd-tmpfiles-setup-dev.service	plymouth-start.service	lvm2-lvmetad.socket	proc-sys-fs-binfmt_misc.automount	rhel-domainname.service	systemd-journal-catalog-update.service	systemd-hwdb-update.service	systemd-modules-load.service	rhel-import-state.service	microcode.service	rhel-dmesg.service	selinux-policy-migrate-local-changes@targeted.service	slices.target	-.slice	system.slice	paths.target	sockets.target	dm-event.socket	dbus.socket	pcscd.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	systemd-shutdownd.socket	systemd-udevd-kernel.socket	timers.target	systemd-tmpfiles-clean.timer	rhel-configure.service	irqbalance.service	postfix.service	systemd-user-sessions.service	tuned.service	plymouth-quit-wait.service	dbus.service	rsyslog.service	kdump.service	systemd-readahead-replay.service	brandbot.path	systemd-ask-password-wall.path	network.service	remote-fs.target	rhnsd.service	rhsmcertd.service	plymouth-quit.service	firewalld.service	sshd.service	crond.service	NetworkManager.service	getty.target	getty@tty1.service	systemd-update-utmp-runlevel.service	chronyd.service	auditd.service	systemd-readahead-collect.service	systemd-logind.service

systemd test failed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	systemd-machine-id-commit.service	cryptsetup.target	systemd-journal-flush.service	dev-mqueue.mount	systemd-journald.service	sys-kernel-config.mount	local-fs.target	home.mount	var.mount	var-log-audit.mount	-.mount	tmp.mount	boot.mount	rhel-readonly.service	systemd-remount-fs.service	systemd-firstboot.service	dev-hugepages.mount	rhel-loadmodules.service	systemd-udev-trigger.service	systemd-binfmt.service	sys-kernel-debug.mount	systemd-update-utmp.service	systemd-udevd.service	systemd-tmpfiles-setup.service	kmod-static-nodes.service	systemd-sysctl.service	sys-fs-fuse-connections.mount	systemd-ask-password-console.path	lvm2-lvmpolld.socket	rhel-autorelabel.service	plymouth-read-write.service	swap.target	systemd-update-done.service	systemd-vconsole-setup.service	systemd-random-seed.service	lvm2-monitor.service	systemd-tmpfiles-setup-dev.service	plymouth-start.service	lvm2-lvmetad.socket	proc-sys-fs-binfmt_misc.automount	rhel-domainname.service	systemd-journal-catalog-update.service	systemd-hwdb-update.service	systemd-modules-load.service	rhel-import-state.service	microcode.service	rhel-dmesg.service	selinux-policy-migrate-local-changes@targeted.service	slices.target	-.slice	system.slice	paths.target	sockets.target	dm-event.socket	dbus.socket	pcscd.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	systemd-shutdownd.socket	systemd-udevd-kernel.socket	timers.target	systemd-tmpfiles-clean.timer	rhel-configure.service	irqbalance.service	postfix.service	systemd-user-sessions.service	tuned.service	plymouth-quit-wait.service	dbus.service	rsyslog.service	kdump.service	systemd-readahead-replay.service	brandbot.path	systemd-ask-password-wall.path	network.service	remote-fs.target	rhnsd.service	rhsmcertd.service	plymouth-quit.service	firewalld.service	sshd.service	crond.service	NetworkManager.service	getty.target	getty@tty1.service	systemd-update-utmp-runlevel.service	chronyd.service	auditd.service	systemd-readahead-collect.service	systemd-logind.service

Test that the kdump service is not running failed because of these items:

Unit	Property	Value
kdump.service	ActiveState	active

Remediation Shell script: (show)

Complexity:	low
Disruption:	low
Strategy:	disable

# Function to enable/disable and start/stop services on RHEL and Fedora systems.
#
# Example Call(s):
#
#     service_command enable bluetooth
#     service_command disable bluetooth.service
#
#     Using xinetd:
#     service_command disable rsh.socket xinetd=rsh
#
function service_command {

# Load function arguments into local variables
local service_state=$1
local service=$2
local xinetd=$(echo $3 | cut -d'=' -f2)

# Check sanity of the input
if [ $# -lt "2" ]
then
  echo "Usage: service_command 'enable/disable' 'service_name.service'"
  echo
  echo "To enable or disable xinetd services add \'xinetd=service_name\'"
  echo "as the last argument"  
  echo "Aborting."
  exit 1
fi

# If systemctl is installed, use systemctl command; otherwise, use the service/chkconfig commands
if [ -f "/usr/bin/systemctl" ] ; then
  service_util="/usr/bin/systemctl"
else
  service_util="/sbin/service"
  chkconfig_util="/sbin/chkconfig"
fi

# If disable is not specified in arg1, set variables to enable services.
# Otherwise, variables are to be set to disable services.
if [ "$service_state" != 'disable' ] ; then
  service_state="enable"
  service_operation="start"
  chkconfig_state="on"
else
  service_state="disable"
  service_operation="stop"
  chkconfig_state="off"
fi

# If chkconfig_util is not empty, use chkconfig/service commands.
if [ "x$chkconfig_util" != x ] ; then
  $service_util $service $service_operation
  $chkconfig_util --level 0123456 $service $chkconfig_state
else
  $service_util $service_operation $service
  $service_util $service_state $service
  # The service may not be running because it has been started and failed,
  # so let's reset the state so OVAL checks pass.
  # Service should be 'inactive', not 'failed' after reboot though.
  $service_util reset-failed $service
fi

# Test if local variable xinetd is empty using non-bashism.
# If empty, then xinetd is not being used.
if [ "x$xinetd" != x ] ; then
  grep -qi disable /etc/xinetd.d/$xinetd && \

  if [ "$service_operation" = 'disable' ] ; then
    sed -i "s/disable.*/disable         = no/gI" /etc/xinetd.d/$xinetd
  else
    sed -i "s/disable.*/disable         = yes/gI" /etc/xinetd.d/$xinetd
  fi
fi

}

service_command disable kdump

Remediation Ansible snippet: (show)

Complexity:	low
Disruption:	low
Strategy:	disable

- name: Disable service kdump
  service:
    name="{{item}}"
    enabled="no"
    state="stopped"
  with_items:
    - kdump
  tags:
    - service_kdump_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-80258-7
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7
    - NIST-800-53-CM-6(b)
    - DISA-STIG-RHEL-07-021300

Verify User Who Owns /etc/cron.allow file

Rule ID xccdf_org.ssgproject.content_rule_file_owner_cron_allow

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80378-3

References: RHEL-07-021110, SV-86677r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227

Description

If /etc/cron.allow exists, it must be owned by root. To properly set the owner of /etc/cron.allow, run the command:

$ sudo chown root /etc/cron.allow

Rationale

If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

OVAL details

Testing user ownership of /etc/cron.allow passed because these items were not found:

Object oval:ssg-object_file_etc_cron_allow:obj:1 of type file_object

Filepath
/etc/cron.allow

State oval:ssg-state_etc_cron_allow_uid_root:ste:1 of type file_state

User id
0

Verify Group Who Owns /etc/cron.allow file

Rule ID xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80379-1

References: RHEL-07-021120, SV-86679r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227

Description

If /etc/cron.allow exists, it must be group-owned by root. To properly set the group owner of /etc/cron.allow, run the command:

$ sudo chgrp root /etc/cron.allow

Rationale

If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

OVAL details

Testing group ownership /etc/cron.allow passed because these items were not found:

Object oval:ssg-object_groupowner_cron_allow_file:obj:1 of type file_object

Filepath
/etc/cron.allow

State oval:ssg-state_groupowner_cron_allow_file:ste:1 of type file_state

Group id
0

Allow Only SSH Protocol 2

Rule ID xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2

Result

pass

Time 2018-04-30T04:25:45

Severity high

Identifiers and References

Identifiers: CCE-27320-1

References: RHEL-07-040390, SV-86875r2_rule, AC-17(8).1(ii), IA-5(1)(c), CCI-000197, CCI-000366, 5.2.2, SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227, 5.5.6, 3.1.13, 3.5.4

Description

Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:

Protocol 2

Rationale

SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.

Warnings

warning As of openssh-server version 7.4 and above, the only protocol supported is version 2, and line

Protocol 2

in /etc/ssh/sshd_config is not necessary.

OVAL details

sshd uses protocol 2 passed because these items were not found:

Object oval:ssg-object_sshd_allow_only_protocol2:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[\s](?i)Protocol[\s]+2[\s](?:\|(?:#.*))?$	1

Disable GSSAPI Authentication

Rule ID xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80220-7

References: RHEL-07-040430, SV-86883r2_rule, CM-6(c), CCI-000368, CCI-000318, CCI-001812, CCI-001813, CCI-001814, SRG-OS-000364-GPOS-00151, 3.1.12

Description

Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or correct the following line in the /etc/ssh/sshd_config file:

GSSAPIAuthentication no

Rationale

GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.

OVAL details

tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file passed because of these items:

Path	Content
/etc/ssh/sshd_config	GSSAPIAuthentication no

Disable Kerberos Authentication

Rule ID xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80221-5

References: RHEL-07-040440, SV-86885r2_rule, CM-6(c), CCI-000368, CCI-000318, CCI-001812, CCI-001813, CCI-001814, SRG-OS-000364-GPOS-00151, 3.1.12

Description

Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. To disable Kerberos authentication, add or correct the following line in the /etc/ssh/sshd_config file:

KerberosAuthentication no

Rationale

Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.

OVAL details

tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config file passed because of these items:

Path	Content
/etc/ssh/sshd_config	KerberosAuthentication no # Per CCE-CCE-80222-3: Set StrictModes yes in /etc/ssh/sshd_config

Enable Use of Strict Mode Checking

Rule ID xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80222-3

References: RHEL-07-040450, SV-86887r2_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.12

Description

SSHs StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world- writable permissions are found, logon is rejected. To enable StrictModes in SSH, add or correct the following line in the /etc/ssh/sshd_config file:

StrictModes yes

Rationale

If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.

OVAL details

tests the value of StrictModes setting in the /etc/ssh/sshd_config file passed because of these items:

Path	Content
/etc/ssh/sshd_config	StrictModes yes # Per CCE-CCE-80223-1: Set UsePrivilegeSeparation sandbox in /etc/ssh/sshd_config

Enable Use of Privilege Separation

Rule ID xccdf_org.ssgproject.content_rule_sshd_use_priv_separation

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80223-1

References: RHEL-07-040460, SV-86889r2_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.12

Description

When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the /etc/ssh/sshd_config file:

UsePrivilegeSeparation sandbox

Rationale

SSH daemon privilege separation causes the SSH process to drop root privileges when not needed which would decrease the impact of software vulnerabilities in the unprivileged section.

OVAL details

tests the value of UsePrivilegeSeparation setting in the /etc/ssh/sshd_config file passed because of these items:

Path	Content
/etc/ssh/sshd_config	UsePrivilegeSeparation sandbox # Per CCE-CCE-80224-9: Set Compression no in /etc/ssh/sshd_config

Disable Compression Or Set Compression to delayed

Rule ID xccdf_org.ssgproject.content_rule_sshd_disable_compression

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80224-9

References: RHEL-07-040470, SV-86891r2_rule, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.12

Description

Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has authenticated; otherwise , it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the /etc/ssh/sshd_config file:

Compression no

Compression delayed

Rationale

If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially wih root privileges.

OVAL details

tests the value of Compression setting in the /etc/ssh/sshd_config file passed because of these items:

Path	Content
/etc/ssh/sshd_config	Compression no # Per CCE-CCE-80225-6: Set PrintLastLog yes in /etc/ssh/sshd_config

Print Last Log

Rule ID xccdf_org.ssgproject.content_rule_sshd_print_last_log

Result

pass

Time 2018-04-30T04:25:45

Severity low

Identifiers and References

Identifiers: CCE-80225-6

References: RHEL-07-040360, SV-86869r2_rule, AC-9, CCI-000366, SRG-OS-000480-GPOS-00227

Description

When enabled, SSH will display the date and time of the last successful account logon. To enable LastLog in SSH, add or correct the following line in the /etc/ssh/sshd_config file:

PrintLastLog yes

Rationale

Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.

OVAL details

tests the value of PrintLastLog setting in the /etc/ssh/sshd_config file passed because of these items:

Path	Content
/etc/ssh/sshd_config	PrintLastLog yes # Per CCE-CCE-27433-2: Set ClientAliveInterval 600 in /etc/ssh/sshd_config

Set SSH Idle Timeout Interval

Rule ID xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout

Result

pass

Time 2018-04-30T04:25:45

Severity low

Identifiers and References

Identifiers: CCE-27433-2

References: RHEL-07-040320, SV-86861r2_rule, AC-2(5), SA-8(i), AC-12, CCI-001133, CCI-002361, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, Req-8.1.8, 5.2.12, 5.5.6, 3.1.11

Description

SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:

ClientAliveInterval interval

The timeout interval is given in seconds. To have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.

Rationale

Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended.

OVAL details

timeout is configured passed because of these items:

Path	Content
/etc/ssh/sshd_config	ClientAliveInterval 600 # Per CCE-CCE-27082-7: Set ClientAliveCountMax 0 in /etc/ssh/sshd_config

Set SSH Client Alive Count

Rule ID xccdf_org.ssgproject.content_rule_sshd_set_keepalive

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-27082-7

References: RHEL-07-040340, SV-86865r2_rule, AC-2(5), SA-8, AC-12, CCI-001133, CCI-002361, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, 5.2.12, 5.5.6, 3.1.11

Description

To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax is set, edit /etc/ssh/sshd_config as follows:

ClientAliveCountMax 0

Rationale

This ensures a user login will be terminated as soon as the ClientAliveCountMax is reached.

OVAL details

Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file passed because of these items:

Path	Content
/etc/ssh/sshd_config	ClientAliveCountMax 0 # Per CCE-CCE-80372-6: Set IgnoreUserKnownHosts yes in /etc/ssh/sshd_config

Disable SSH Support for .rhosts Files

Rule ID xccdf_org.ssgproject.content_rule_sshd_disable_rhosts

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-27377-1

References: RHEL-07-040350, SV-86867r2_rule, AC-3, CM-6(a), CCI-000366, 5.2.6, SRG-OS-000480-GPOS-00227, 5.5.6, 3.1.12

Description

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:

IgnoreRhosts yes

Rationale

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

OVAL details

Tests the value of the IgnoreRhosts[\s](<:nocomment:>) setting in the /etc/ssh/sshd_config file passed because these items were not found:

Object oval:ssg-obj_sshd_rsh_emulation_disabled:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[\s](?i)IgnoreRhosts(?-i)[\s]+no[\s](?:\|(?:#.*))?$	1

Disable SSH Support for User Known Hosts

Rule ID xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80372-6

References: RHEL-07-040380, SV-86873r2_rule, CM-6(a), CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.12

Description

SSH can allow system users user host-based authentication to connect to systems if a cache of the remote systems public keys are available. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:

IgnoreUserKnownHosts yes

Rationale

Configuring this setting for the SSH daemon provides additional assurance that remove login via SSH will require a password, even in the event of misconfiguration elsewhere.

OVAL details

Tests the value of the IgnoreUserKnownHosts[\s](<:nocomment:>) setting in the /etc/ssh/sshd_config file passed because of these items:

Path	Content
/etc/ssh/sshd_config	IgnoreUserKnownHosts yes

Disable SSH Support for Rhosts RSA Authentication

Rule ID xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80373-4

References: RHEL-07-040330, SV-86863r2_rule, CM-6(a), CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.12

Description

SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:

RhostsRSAAuthentication no

Rationale

Configuring this setting for the SSH daemon provides additional assurance that remove login via SSH will require a password, even in the event of misconfiguration elsewhere.

Warnings

warning As of openssh-server version 7.4 and above, the RhostsRSAAuthentication option has been deprecated, and the line

RhostsRSAAuthentication no

in /etc/ssh/sshd_config is not necessary.

OVAL details

Tests the value of the RhostsRSAAuthentication[\s](<:nocomment:>) setting in the /etc/ssh/sshd_config file passed because these items were not found:

Object oval:ssg-obj_sshd_disable_rhosts_rsa:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[\s](?i)RhostsRSAAuthentication(?-i)[\s]+no[\s](?:\|(?:#.*))?$	1

Disable Host-Based Authentication

Rule ID xccdf_org.ssgproject.content_rule_disable_host_auth

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-27413-4

References: RHEL-07-010470, SV-86583r2_rule, AC-3, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00229, 5.2.7, 5.5.6, 3.1.12

Description

SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:

HostbasedAuthentication no

Rationale

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

OVAL details

sshd HostbasedAuthentication passed because these items were not found:

Object oval:ssg-object_sshd_hostbasedauthentication:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[\s](?i)HostbasedAuthentication(?-i)[\s]+yes[\s](?:\|(?:#.*))?$	1

Enable Encrypted X11 Forwarding

Rule ID xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding

Result

pass

Time 2018-04-30T04:25:45

Severity high

Identifiers and References

Identifiers: CCE-80226-4

References: RHEL-07-040710, SV-86927r2_rule, CM-2(1)(b), CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.13, 5.2.4

Description

By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled.

To enable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config:

X11Forwarding yes

Rationale

Open X displays allow an attacker to capture keystrokes and to execute commands remotely.

OVAL details

tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file passed because of these items:

Path	Content
/etc/ssh/sshd_config	X11Forwarding yes #X11DisplayOffset 10

Disable SSH Root Login

Rule ID xccdf_org.ssgproject.content_rule_sshd_disable_root_login

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-27445-6

References: RHEL-07-040370, SV-86871r2_rule, AC-3, AC-6(2), IA-2(1), IA-2(5), CCI-000366, SRG-OS-000480-GPOS-00227, 5.2.8, 5.5.6, 3.1.1, 3.1.5

Description

The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:

PermitRootLogin no

Rationale

Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.

OVAL details

Tests the value of the PermitRootLogin[\s](<:nocomment:>) setting in the /etc/ssh/sshd_config file passed because of these items:

Path	Content
/etc/ssh/sshd_config	PermitRootLogin no # Per CCE-CCE-27471-2: Set PermitEmptyPasswords no in /etc/ssh/sshd_config

Disable SSH Access via Empty Passwords

Rule ID xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords

Result

pass

Time 2018-04-30T04:25:45

Severity high

Identifiers and References

Identifiers: CCE-27471-2

References: RHEL-07-010300, SV-86563r2_rule, AC-3, AC-6, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00229, 5.5.6, 3.1.1, 3.1.5, 5.2.9

Description

To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:

PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.

Rationale

Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

OVAL details

Tests the value of the PermitEmptyPasswords[\s](<:nocomment:>) setting in the /etc/ssh/sshd_config file passed because of these items:

Path	Content
/etc/ssh/sshd_config	PermitEmptyPasswords no # Per CCE-CCE-27314-4: Set Banner /etc/issue in /etc/ssh/sshd_config

Enable SSH Warning Banner

Rule ID xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-27314-4

References: RHEL-07-040170, SV-86849r2_rule, AC-8(a), AC-8(b), AC-8(c)(1), AC-8(c)(2), AC-8(c)(3), CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088, 5.2.16, 5.5.6, 3.1.9

Description

To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:

Banner /etc/issue

Another section contains information on how to create an appropriate system-wide warning banner.

Rationale

The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.

OVAL details

Tests the value of the Banner[\s]+/etc/issue setting in the /etc/ssh/sshd_config file passed because of these items:

Path	Content
/etc/ssh/sshd_config	Banner /etc/issue # Per CCE-CCE-27363-1: Set PermitUserEnvironment no in /etc/ssh/sshd_config

Do Not Allow SSH Environment Options

Rule ID xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-27363-1

References: RHEL-07-010460, SV-86581r2_rule, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00229, 5.2.10, 5.5.6, 3.1.12

Description

To ensure users are not able to override environment options to the SSH daemon, add or correct the following line in /etc/ssh/sshd_config:

PermitUserEnvironment no

Rationale

SSH environment options potentially allow users to bypass access restriction in some configurations.

OVAL details

Check value of PermitUserEnvironment in /etc/ssh/sshd_config passed because of these items:

Path	Content
/etc/ssh/sshd_config	PermitUserEnvironment no # Per CCE-CCE-27295-5: Set Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc in /etc/ssh/sshd_config

Use Only FIPS 140-2 Validated Ciphers

Rule ID xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-27295-5

References: RHEL-07-040110, SV-86845r2_rule, AC-3, AC-17(2), AU-10(5), CM-6(b), IA-5(1)(c), IA-7, CCI-000068, CCI-000366, CCI-000803, SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, 5.2.10, 5.5.6, 3.1.13, 3.13.11, 3.13.8

Description

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS 140-2 validated ciphers:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

The following ciphers are FIPS 140-2 certified on RHEL 7:
- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-cbc
- aes192-cbc
- aes256-cbc
- 3des-cbc
- rijndael-cbc@lysator.liu.se

Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.

Rationale

Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux.

OVAL details

tests the value of Ciphers setting in the /etc/ssh/sshd_config file passed because of these items:

Path	Content
/etc/ssh/sshd_config	Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc # Per CCE-CCE-27455-5: Set MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com in /etc/ssh/sshd_config

Use Only FIPS 140-2 Validated MACs

Rule ID xccdf_org.ssgproject.content_rule_sshd_use_approved_macs

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-27455-5

References: RHEL-07-040400, SV-86877r2_rule, AC-17(2), IA-7, SC-13, CCI-001453, SRG-OS-000250-GPOS-00093, 3.1.13, 3.13.11, 3.13.8, 5.2.12

Description

Limit the MACs to those hash algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved MACs:

MACs hmac-sha2-512,hmac-sha2-256

Only the following message authentication codes are FIPS 140-2 certified on RHEL 7:
- hmac-sha1
- hmac-sha2-256
- hmac-sha2-512
- hmac-sha1-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-512-etm@openssh.com

Any combination of the above MACs will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.

Rationale

DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithms meeting this requirement is SHA2.

OVAL details

tests the value of MACs setting in the /etc/ssh/sshd_config file passed because of these items:

Var ref	Value	Value	Value	Value	Value	Value
oval:ssg-var_sshd_config_macs:var:1	hmac-sha2-512	hmac-sha2-256	hmac-sha1	hmac-sha1-etm@openssh.com	hmac-sha2-256-etm@openssh.com	hmac-sha2-512-etm@openssh.com

Install the OpenSSH Server Package

Rule ID xccdf_org.ssgproject.content_rule_package_openssh-server_installed

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80215-7

References: RHEL-07-040300, SV-86857r1_rule, SC-8, CCI-002418, CCI-002420, CCI-002421, CCI-002422, SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS000423-GPOS-00190

Description

The openssh-server package should be installed. The openssh-server package can be installed with the following command:

$ sudo yum install openssh-server

Rationale

Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered.

OVAL details

package openssh-server is installed passed because of these items:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	16.el7	7.4p1	0:7.4p1-16.el7	199e2f91fd431d51	openssh-server-0:7.4p1-16.el7.x86_64

Enable the OpenSSH Service

Rule ID xccdf_org.ssgproject.content_rule_service_sshd_enabled

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80216-5

References: RHEL-07-040310, SV-86859r2_rule, SC-8, CCI-002418, CCI-002420, CCI-002421, CCI-002422, SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS000423-GPOS-00190, 3.1.13, 3.5.4, 3.13.8

Description

The SSH server service, sshd, is commonly needed. The sshd service can be enabled with the following command:

$ sudo systemctl enable sshd.service

Rationale

Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered.

This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.

OVAL details

Test that the sshd service is running passed because of these items:

Unit	Property	Value
sshd.service	ActiveState	active
sshd.socket	ActiveState	inactive

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	systemd-machine-id-commit.service	cryptsetup.target	systemd-journal-flush.service	dev-mqueue.mount	systemd-journald.service	sys-kernel-config.mount	local-fs.target	home.mount	var.mount	var-log-audit.mount	-.mount	tmp.mount	boot.mount	rhel-readonly.service	systemd-remount-fs.service	systemd-firstboot.service	dev-hugepages.mount	rhel-loadmodules.service	systemd-udev-trigger.service	systemd-binfmt.service	sys-kernel-debug.mount	systemd-update-utmp.service	systemd-udevd.service	systemd-tmpfiles-setup.service	kmod-static-nodes.service	systemd-sysctl.service	sys-fs-fuse-connections.mount	systemd-ask-password-console.path	lvm2-lvmpolld.socket	rhel-autorelabel.service	plymouth-read-write.service	swap.target	systemd-update-done.service	systemd-vconsole-setup.service	systemd-random-seed.service	lvm2-monitor.service	systemd-tmpfiles-setup-dev.service	plymouth-start.service	lvm2-lvmetad.socket	proc-sys-fs-binfmt_misc.automount	rhel-domainname.service	systemd-journal-catalog-update.service	systemd-hwdb-update.service	systemd-modules-load.service	rhel-import-state.service	microcode.service	rhel-dmesg.service	selinux-policy-migrate-local-changes@targeted.service	slices.target	-.slice	system.slice	paths.target	sockets.target	dm-event.socket	dbus.socket	pcscd.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	systemd-shutdownd.socket	systemd-udevd-kernel.socket	timers.target	systemd-tmpfiles-clean.timer	rhel-configure.service	irqbalance.service	postfix.service	systemd-user-sessions.service	tuned.service	plymouth-quit-wait.service	dbus.service	rsyslog.service	kdump.service	systemd-readahead-replay.service	brandbot.path	systemd-ask-password-wall.path	network.service	remote-fs.target	rhnsd.service	rhsmcertd.service	plymouth-quit.service	firewalld.service	sshd.service	crond.service	NetworkManager.service	getty.target	getty@tty1.service	systemd-update-utmp-runlevel.service	chronyd.service	auditd.service	systemd-readahead-collect.service	systemd-logind.service

systemd test passed because of these items:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	systemd-machine-id-commit.service	cryptsetup.target	systemd-journal-flush.service	dev-mqueue.mount	systemd-journald.service	sys-kernel-config.mount	local-fs.target	home.mount	var.mount	var-log-audit.mount	-.mount	tmp.mount	boot.mount	rhel-readonly.service	systemd-remount-fs.service	systemd-firstboot.service	dev-hugepages.mount	rhel-loadmodules.service	systemd-udev-trigger.service	systemd-binfmt.service	sys-kernel-debug.mount	systemd-update-utmp.service	systemd-udevd.service	systemd-tmpfiles-setup.service	kmod-static-nodes.service	systemd-sysctl.service	sys-fs-fuse-connections.mount	systemd-ask-password-console.path	lvm2-lvmpolld.socket	rhel-autorelabel.service	plymouth-read-write.service	swap.target	systemd-update-done.service	systemd-vconsole-setup.service	systemd-random-seed.service	lvm2-monitor.service	systemd-tmpfiles-setup-dev.service	plymouth-start.service	lvm2-lvmetad.socket	proc-sys-fs-binfmt_misc.automount	rhel-domainname.service	systemd-journal-catalog-update.service	systemd-hwdb-update.service	systemd-modules-load.service	rhel-import-state.service	microcode.service	rhel-dmesg.service	selinux-policy-migrate-local-changes@targeted.service	slices.target	-.slice	system.slice	paths.target	sockets.target	dm-event.socket	dbus.socket	pcscd.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	systemd-shutdownd.socket	systemd-udevd-kernel.socket	timers.target	systemd-tmpfiles-clean.timer	rhel-configure.service	irqbalance.service	postfix.service	systemd-user-sessions.service	tuned.service	plymouth-quit-wait.service	dbus.service	rsyslog.service	kdump.service	systemd-readahead-replay.service	brandbot.path	systemd-ask-password-wall.path	network.service	remote-fs.target	rhnsd.service	rhsmcertd.service	plymouth-quit.service	firewalld.service	sshd.service	crond.service	NetworkManager.service	getty.target	getty@tty1.service	systemd-update-utmp-runlevel.service	chronyd.service	auditd.service	systemd-readahead-collect.service	systemd-logind.service

Verify Permissions on SSH Server Public *.pub Key Files

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-27311-0

References: RHEL-07-040410, SV-86879r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.13, 3.13.10

Description

To properly set the permissions of /etc/ssh/*.pub, run the command:

$ sudo chmod 0644 /etc/ssh/*.pub

Rationale

If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

OVAL details

Testing file permissions passed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/etc/ssh/ssh_host_ecdsa_key.pub	regular	0	0	162	`rw-r--r--`
/etc/ssh/ssh_host_rsa_key.pub	regular	0	0	382	`rw-r--r--`

Verify Permissions on SSH Server Private *_key Key Files

Rule ID xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-27485-2

References: RHEL-07-040420, SV-86881r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.13, 3.13.10

Description

To properly set the permissions of /etc/ssh/*_key, run the command:

$ sudo chmod 0640 /etc/ssh/*_key

Rationale

If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

OVAL details

Testing file permissions passed because of these items:

Path	Type	UID	GID	Size (B)	Permissions
/etc/ssh/ssh_host_rsa_key	regular	0	997	1675	`rw-r-----`
/etc/ssh/ssh_host_ecdsa_key	regular	0	997	227	`rw-r-----`

Configure SSSD LDAP Backend Client CA Certificate

Rule ID	xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca
Result	notchecked
Time	2018-04-30T04:25:45
Severity	medium
Identifiers and References	Identifiers: CCE-80516-8 References: CCI-001453, SRG-OS-000250-GPOS-00093, RHEL-07-040200, SV-86855r2_rule
Description	Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. By setting the ldap_tls_cacert option in /etc/sssd/sssd.conf to point to the path for the X.509 certificates used for peer authentication. ldap_tls_cacert /path/to/tls/ca.cert
Rationale	Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.
Evaluation messages info No candidate or applicable check found.

Configure SSSD LDAP Backend Client CA Certificate Location

Rule ID	xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
Result	notchecked
Time	2018-04-30T04:25:45
Severity	medium
Identifiers and References	Identifiers: CCE-80515-0 References: CCI-001453, SRG-OS-000250-GPOS-00093, RHEL-07-040190, SV-86853r2_rule
Description	Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. By setting the ldap_tls_cacertdir option in /etc/sssd/sssd.conf to point to the path for the X.509 certificates used for peer authentication. ldap_tls_cacertdir /path/to/tls/cacert
Rationale	Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.
Evaluation messages info No candidate or applicable check found.

Configure PAM in SSSD Services

Rule ID xccdf_org.ssgproject.content_rule_sssd_enable_pam_services

Result

fail

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80437-7

References: RHEL-07-041002, SV-87051r2_rule, IA-2(11), CCI-001948, CCI-001953, CCI-001954, SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162

Description

SSSD should be configured to run SSSD pam services. To configure SSSD to known SSH hosts, add pam to services under the [sssd] section in /etc/sssd/sssd.conf. For example:

[sssd]
services = sudo, autofs, pam

Rationale

Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

OVAL details

check if pam is configured in the services setting of the sssd section failed because these items were missing:

Object oval:ssg-obj_sssd_enable_pam_services:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sssd/sssd.conf	^[\s]\[sssd]([^\n\[\]]\n+)+?[\s]services.pam.*$	1

Remediation Shell script: (show)



SSSD_SERVICES_PAM_REGEX="^[[:space:]]*\[sssd]([^\n]*\n+)+?[[:space:]]*services.*pam.*$"
SSSD_SERVICES_REGEX="^[[:space:]]*\[sssd]([^\n]*\n+)+?[[:space:]]*services.*$"
SSSD_PAM_SERVICES="[sssd]
services = pam"
SSSD_CONF="/etc/sssd/sssd.conf"

# If there is services line with pam, good
# If there is services line without pam, append pam
# If not echo services line with pam
grep -q "$SSSD_SERVICES_PAM_REGEX" $SSSD_CONF || \
	grep -q "$SSSD_SERVICES_REGEX" $SSSD_CONF && \
	sed -i "s/$SSSD_SERVICES_REGEX/&, pam/" $SSSD_CONF || \
	echo "$SSSD_PAM_SERVICES" >> $SSSD_CONF

Remove the X Windows Package Group

Rule ID xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-27218-7

References: RHEL-07-040730, SV-86931r2_rule, AC-17(8).1(ii), CCI-000366, 2.2.2, SRG-OS-000480-GPOS-00227

Description

By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command:

$ sudo yum groupremove "X Window System"

$ sudo yum remove xorg-x11-server-common

Rationale

Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.

OVAL details

package xorg-x11-server-common is removed passed because these items were not found:

Object oval:ssg-obj_package_xorg-x11-server-common_removed:obj:1 of type rpminfo_object

Name
xorg-x11-server-common

Configure Time Service Maxpoll Interval

Rule ID xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll

Result

fail

Time 2018-04-30T04:25:45

Severity low

Identifiers and References

Identifiers: CCE-80439-3

References: RHEL-07-040500, SV-86893r2_rule, AU-8(1)(a), CCI-001891, CCI-002046, SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144

Description

The maxpoll should be configured to 10 in /etc/ntp.conf or /etc/chrony.conf to continuously poll time servers. To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf add the following:

maxpoll 10

Rationale

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.

OVAL details

check if maxpoll is set in /etc/ntp.conf failed because these items were missing:

Object oval:ssg-obj_ntp_set_maxpoll:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ntp.conf	^server[\s]+[\S]+.*maxpoll[\s]+(\d+)	1

State oval:ssg-state_time_service_set_maxpoll:ste:1 of type textfilecontent54_state

Subexpression
10

check if all server entries have maxpoll set in /etc/ntp.conf failed because these items were missing:

Object oval:ssg-obj_ntp_all_server_has_maxpoll:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ntp.conf	^server[\s]+[\S]+[\s]+(.*)	1

State oval:ssg-state_server_has_maxpoll:ste:1 of type textfilecontent54_state

Subexpression
maxpoll \d+

check if maxpoll is set in /etc/chrony.conf failed because of these items:

Path	Content
/etc/chrony.conf	server 0.rhel.pool.ntp.org iburst1 maxpoll 10
/etc/chrony.conf	server 1.rhel.pool.ntp.org iburst1 maxpoll 10
/etc/chrony.conf	server 2.rhel.pool.ntp.org iburst1 maxpoll 10
/etc/chrony.conf	server 3.rhel.pool.ntp.org iburst1 maxpoll 10

check if all server entries have maxpoll set in /etc/chrony.conf failed because of these items:

Path	Content
/etc/chrony.conf	server 0.rhel.pool.ntp.org iburst1 maxpoll 10
/etc/chrony.conf	server 1.rhel.pool.ntp.org iburst1 maxpoll 10
/etc/chrony.conf	server 2.rhel.pool.ntp.org iburst1 maxpoll 10
/etc/chrony.conf	server 3.rhel.pool.ntp.org iburst1 maxpoll 10

Remediation Shell script: (show)


var_time_service_set_maxpoll="10"

if ! [ `/usr/sbin/pidof ntpd` ] ; then
    config_file="/etc/chrony.conf"
else
    config_file="/etc/ntp.conf"
fi

# Set maxpoll values to var_time_service_set_maxpoll
sed -i "s/^\(server.*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \2/" "$config_file"

# Add maxpoll to server entries without maxpoll
grep -P "^server((?!maxpoll).)*$" $config_file | while read -r line ; do
        sed -i "s/$line/&1 maxpoll $var_time_service_set_maxpoll/" "$config_file"
done

Prevent Unrestricted Mail Relaying

Rule ID	xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
Result	notchecked
Time	2018-04-30T04:25:45
Severity	medium
Identifiers and References	Identifiers: CCE-80512-7 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-040680, SV-86921r2_rule
Description	Modify the /etc/postfix/main.cf file to restrict client connections to the local network with the following command: $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
Rationale	If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.
Evaluation messages info No candidate or applicable check found.

Configure LDAP Client to Use TLS For All Transactions

Rule ID xccdf_org.ssgproject.content_rule_ldap_client_start_tls

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80291-8

References: RHEL-07-040180, SV-86851r2_rule, AC-17(2), CM-7, CCI-001453, SRG-OS-000250-GPOS-00093

Description

This check verifies that RHEL7 implements cryptography to protect the integrity of remote LDAP authentication sessions.

To determine if LDAP is being used for authentication, use the following command:

$ sudo grep -i useldapauth /etc/sysconfig/authconfig

If USELDAPAUTH=yes, then LDAP is being used. To check if LDAP is configured to use TLS, use the following command:

$ sudo grep -i ssl /etc/pam_ldap.conf

Rationale

Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.

OVAL details

Tests the value of the ssl start_tls setting in the /etc/nslcd.conf file passed because of these items:

Path	Content
/etc/nslcd.conf	ssl start_tls

Mount Remote Filesystems with nosuid

Rule ID xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80240-5

References: RHEL-07-021020, SV-86669r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227

Description

Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.

OVAL details

no nfs passed because these items were not found:

Object oval:ssg-object_no_nfs_defined_etc_fstab_nosuid:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/fstab	^\s\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.$	0

all nfs has nosuid passed because these items were not found:

Object oval:ssg-object_nfs_nosuid_etc_fstab:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/fstab	^\s\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.)$	0

State oval:ssg-state_remote_filesystem_nosuid:ste:1 of type textfilecontent54_state

Subexpression
^.nosuid.$

Mount Remote Filesystems with noexec

Rule ID xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-80436-9

References: RHEL-07-021021, SV-87813r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227

Description

Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

The noexec mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

OVAL details

no nfs passed because these items were not found:

Object oval:ssg-object_no_nfs_defined_etc_fstab_noexec:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/fstab	^\s\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.$	0

all nfs has noexec passed because these items were not found:

Object oval:ssg-object_nfs_noexec_etc_fstab:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/fstab	^\s\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.)$	0

State oval:ssg-state_remote_filesystem_noexec:ste:1 of type textfilecontent54_state

Subexpression
^.noexec.$

Mount Remote Filesystems with Kerberos Security

Rule ID xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems

Result

pass

Time 2018-04-30T04:25:45

Severity medium

Identifiers and References

Identifiers: CCE-27458-9

References: RHEL-07-040750, SV-86935r3_rule, AC-14(1), CCI-000366, SRG-OS-000480-GPOS-00227

Description

Add the sec=krb5:krb5i:krb5p option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.

OVAL details

no nfs passed because these items were not found:

Object oval:ssg-object_no_nfs_defined_etc_fstab_krb_sec:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/fstab	^\s\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.$	0

all nfs has krb_sec passed because these items were not found:

Object oval:ssg-object_nfs_krb_sec_etc_fstab:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/fstab	^\s\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.)$	0

State oval:ssg-state_remote_filesystem_krb_sec:ste:1 of type textfilecontent54_state

Subexpression
^.sec=krb5:krb5i:krb5p.$

Uninstall vsftpd Package

Rule ID xccdf_org.ssgproject.content_rule_package_vsftpd_removed

Result

pass

Time 2018-04-30T04:25:45

Severity high

Identifiers and References

Identifiers: CCE-80245-4

References: RHEL-07-040690, SV-86923r1_rule, CM-6(b), CM-7, CCI-000366, SRG-OS-000480-GPOS-00227

Description

The vsftpd package can be removed with the following command:

$ sudo yum erase vsftpd

Rationale

Removing the vsftpd package decreases the risk of its accidental activation.

OVAL details

package vsftpd is removed passed because these items were not found:

Object oval:ssg-obj_package_vsftpd_removed:obj:1 of type rpminfo_object

Name
vsftpd

Ensure Default SNMP Password Is Not Used

Rule ID xccdf_org.ssgproject.content_rule_snmpd_not_default_password

Result

pass

Time 2018-04-30T04:25:45

Severity high

Identifiers and References

Identifiers: CCE-27386-2

References: RHEL-07-040800, SV-86937r1_rule, IA-5.1(ii), CCI-000366, SRG-OS-000480-GPOS-00227

Description

Edit /etc/snmp/snmpd.conf, remove or change the default community strings of public and private. Once the default community strings have been changed, restart the SNMP service:

$ sudo service snmpd restart

Rationale

Whether active or not, default simple network management protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system and network(s).

OVAL details

Check snmpd configuration passed because these items were not found:

Object oval:ssg-object_snmp_default_communities:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/snmp/snmpd.conf	^[\s](com2se\|rocommunity\|rwcommunity\|createUser).(public\|private)	1

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.