Guide to the Secure Configuration of Red Hat Enterprise Linux 7
with profile DISA STIG for Red Hat Enterprise Linux 7This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux V1R1. In addition to being applicable to RHEL7, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based off RHEL7, such as RHEL Server, RHV-H, RHEL for HPC, RHEL Workstation, and Red Hat Storage deployments.
scap-security-guide
package which is developed at
https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 7, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Evaluation Characteristics
Evaluation target | localhost.localdomain |
---|---|
Benchmark URL | /tmp/tmp.fydmkfIgO8/input.xml |
Benchmark ID | xccdf_org.ssgproject.content_benchmark_RHEL-7 |
Profile ID | xccdf_org.ssgproject.content_profile_stig-rhel7-disa |
Started at | 2018-04-30T11:13:31 |
Finished at | 2018-04-30T11:15:09 |
Performed by | root |
CPE Platforms
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
Addresses
- IPv4 127.0.0.1
- IPv4 192.168.122.162
- IPv6 0:0:0:0:0:0:0:1
- IPv6 fe80:0:0:0:5054:ff:fe40:5f9e
- MAC 00:00:00:00:00:00
- MAC 52:54:00:40:5F:9E
Compliance and Scoring
Rule results
Severity of failed rules
Score
Scoring system | Score | Maximum | Percent |
---|---|---|---|
urn:xccdf:scoring:default | 93.277359 | 100.000000 |
Rule Overview
Result Details
Ensure /tmp Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_tmp | ||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||
Time | 2018-04-30T11:13:33 | ||||||||||||||||||||||||||||
Severity | low | ||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-27173-4 References: RHEL-07-021340, SV-86689r1_rule, SC-32(1), CCI-000366, SRG-OS-000480-GPOS-00227, 1.1.2 | ||||||||||||||||||||||||||||
Description |
The | ||||||||||||||||||||||||||||
Rationale |
The | ||||||||||||||||||||||||||||
OVAL details /tmp on own partition passed because of these items:
|
Ensure /var Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var | ||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||
Time | 2018-04-30T11:13:33 | ||||||||||||||||||||||||||||
Severity | low | ||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-26404-4 References: RHEL-07-021320, SV-86685r1_rule, SC-32(1), 1.1.6, CCI-000366, SRG-OS-000480-GPOS-00227 | ||||||||||||||||||||||||||||
Description | The | ||||||||||||||||||||||||||||
Rationale |
Ensuring that | ||||||||||||||||||||||||||||
OVAL details /var on own partition passed because of these items:
|
Ensure /var/log/audit Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | ||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||
Time | 2018-04-30T11:13:33 | ||||||||||||||||||||||||||||
Severity | low | ||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-26971-2 References: RHEL-07-021330, SV-86687r3_rule, AU-4, AU-9, SC-32(1), CCI-000366, 1.1.12, SRG-OS-000480-GPOS-00227 | ||||||||||||||||||||||||||||
Description |
Audit logs are stored in the | ||||||||||||||||||||||||||||
Rationale |
Placing | ||||||||||||||||||||||||||||
OVAL details /var/log/audit on own partition passed because of these items:
|
Ensure /home Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_home | ||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||
Time | 2018-04-30T11:13:33 | ||||||||||||||||||||||||||||||
Severity | low | ||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-80144-9 References: RHEL-07-021310, SV-86683r1_rule, SC-32(1), CCI-000366, CCI-001208, 1.1.13, SRG-OS-000480-GPOS-00227 | ||||||||||||||||||||||||||||||
Description |
If user home directories will be stored locally, create a separate partition
for | ||||||||||||||||||||||||||||||
Rationale |
Ensuring that | ||||||||||||||||||||||||||||||
OVAL details /home on own partition passed because of these items:
|
Ensure gpgcheck Enabled In Main Yum Configuration
Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | ||||||||||
Result | pass | ||||||||||
Time | 2018-04-30T11:13:33 | ||||||||||
Severity | high | ||||||||||
Identifiers and References | Identifiers: CCE-26989-4 References: RHEL-07-020050, SV-86601r1_rule, CM-5(3), SI-7, MA-1(b), CCI-001749, SRG-OS-000366-GPOS-00153, Req-6.2, 1.2.2, 5.10.4.1, 3.4.8 | ||||||||||
Description | The gpgcheck=1 | ||||||||||
Rationale |
Changes to any software components can have significant effects on the overall security
of the operating system. This requirement ensures the software has not been tampered with
and that it has been provided by a trusted vendor.
| ||||||||||
OVAL details check value of gpgcheck in /etc/dnf/dnf.conf passed because these items were not found:Object oval:ssg-object_dnf_ensure_gpgcheck_globally_activated:obj:1 of type textfilecontent54_object
check value of gpgcheck in /etc/yum.conf passed because of these items:
|
Ensure Software Patches Installed
Rule ID | xccdf_org.ssgproject.content_rule_security_patches_up_to_date |
Result | notchecked |
Time | 2018-04-30T11:13:33 |
Severity | high |
Identifiers and References | Identifiers: CCE-26895-3 References: RHEL-07-020260, SV-86623r3_rule, SI-2, SI-2(c), MA-1(b), CCI-000366, Req-6.2, 1.8, SRG-OS-000480-GPOS-00227, 5.10.4.1 |
Description | If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: $ sudo yum updateIf the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm .
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates. |
Rationale | Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. |
Ensure YUM Removes Previous Package Versions
Rule ID | xccdf_org.ssgproject.content_rule_clean_components_post_updating | ||||
Result | pass | ||||
Time | 2018-04-30T11:13:33 | ||||
Severity | low | ||||
Identifiers and References | Identifiers: CCE-80346-0 References: RHEL-07-020200, SV-86611r1_rule, SI-2(6), CCI-002617, SRG-OS-000437-GPOS-00194, 3.4.8 | ||||
Description |
| ||||
Rationale | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. | ||||
OVAL details check value of clean_requirements_on_remove in /etc/yum.conf passed because of these items:
|
Ensure gpgcheck Enabled for Local Packages
Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | ||||
Result | pass | ||||
Time | 2018-04-30T11:13:33 | ||||
Severity | high | ||||
Identifiers and References | Identifiers: CCE-80347-8 References: RHEL-07-020060, SV-86603r1_rule, CM-5(3), CCI-001749, SRG-OS-000366-GPOS-00153, 3.4.8 | ||||
Description |
| ||||
Rationale |
Changes to any software components can have significant effects to the overall security
of the operating system. This requirement ensures the software has not been tampered and
has been provided by a trusted vendor.
| ||||
OVAL details check value of localpkg_gpgcheck in /etc/yum.conf passed because of these items:
|
Install AIDE
Rule ID | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:13:33 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27096-7 References: CM-3(d), CM-3(e), CM-6(d), CM-6(3), SC-28, SI-7, Req-11.5, 1.3.1, 5.10.1.3 | ||||||||||||||||
Description | Install the AIDE package with the command: $ sudo yum install aide | ||||||||||||||||
Rationale | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||
OVAL details package aide is installed passed because of these items:
|
Configure Periodic Execution of AIDE
Rule ID | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||
Time | 2018-04-30T11:13:33 | ||||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-26952-2 References: RHEL-07-020030, SV-86597r1_rule, CM-3(d), CM-3(e), CM-3(5), CM-6(d), CM-6(3), SC-28, SI-7, CCI-001744, Req-11.5, 1.3.2, SRG-OS-000363-GPOS-00150, 5.10.1.3 | ||||||||||||||||||||||||||||
Description |
At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily.
To implement a daily execution of AIDE at 4:05am using cron, add the following line to 05 4 * * * root /usr/sbin/aide --checkTo implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab :
05 4 * * 0 root /usr/sbin/aide --checkAIDE can be executed periodically through other means; this is merely one example. | ||||||||||||||||||||||||||||
Rationale |
By default, AIDE does not install itself for periodic execution. Periodically
running AIDE is necessary to reveal unexpected changes in installed files.
| ||||||||||||||||||||||||||||
OVAL details run aide daily with cron passed because of these items:
run aide daily with cron passed because these items were not found:Object oval:ssg-object_test_aide_crond_checking:obj:1 of type textfilecontent54_object
run aide daily with cron passed because these items were not found:Object oval:ssg-object_aide_var_cron_checking:obj:1 of type textfilecontent54_object
run aide daily with cron.(daily|weekly|monthly) passed because these items were not found:Object oval:ssg-object_aide_crontabs_checking:obj:1 of type textfilecontent54_object
|
Configure Notification of Post-AIDE Scan Details
Rule ID | xccdf_org.ssgproject.content_rule_aide_scan_notification | ||||||||||||||||||
Result | pass | ||||||||||||||||||
Time | 2018-04-30T11:13:33 | ||||||||||||||||||
Severity | medium | ||||||||||||||||||
Identifiers and References | Identifiers: CCE-80374-2 References: RHEL-07-020040, SV-86599r1_rule, CM-3(5), CCI-001744, SRG-OS-000363-GPOS-00150 | ||||||||||||||||||
Description |
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
If AIDE has already been configured for periodic execution in | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhostOtherwise, add the following line to /etc/crontab :
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhostAIDE can be executed periodically through other means; this is merely one example. | ||||||||||||||||||
Rationale |
Unauthorized changes to the baseline configuration could make the system vulnerable
to various attacks or allow unauthorized access to the operating system. Changes to
operating system configurations can have unintended side effects, some of which may
be relevant to security.
| ||||||||||||||||||
OVAL details notify personnel when aide completes passed because of these items:
notify personnel when aide completes passed because these items were not found:Object oval:ssg-object_aide_var_cron_notification:obj:1 of type textfilecontent54_object
notify personnel when aide completes in cron.(daily|weekly|monthly) passed because these items were not found:Object oval:ssg-object_aide_crontabs_notification:obj:1 of type textfilecontent54_object
|
Configure AIDE to Verify Access Control Lists (ACLs)
Rule ID | xccdf_org.ssgproject.content_rule_aide_verify_acls | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:13:33 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-80375-9 References: RHEL-07-021600, SV-86693r2_rule, SI-7.1, CCI-000366, SRG-OS-000480-GPOS-00227 | ||||||||||||||||
Description |
By default, the FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. | ||||||||||||||||
Rationale | ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools. | ||||||||||||||||
OVAL details acl is set in /etc/aide.conf passed because of these items:
|
Configure AIDE to Verify Extended Attributes
Rule ID | xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:13:33 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-80376-7 References: RHEL-07-021610, SV-86695r2_rule, SI-7.1, CCI-000366, SRG-OS-000480-GPOS-00227 | ||||||||||||||||
Description |
By default, the FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. | ||||||||||||||||
Rationale | Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. | ||||||||||||||||
OVAL details xattrs is set in /etc/aide.conf passed because of these items:
|
Configure AIDE to Use FIPS 140-2 for Validating Hashes
Rule ID | xccdf_org.ssgproject.content_rule_aide_use_fips_hashes | ||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||
Time | 2018-04-30T11:13:33 | ||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-80377-5 References: RHEL-07-021620, SV-86697r2_rule, SI-7(1), CCI-000366, SRG-OS-000480-GPOS-00227, 3.13.11 | ||||||||||||||||||||||||
Description |
By default, the NORMAL = FIPSR+sha512AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. | ||||||||||||||||||||||||
Rationale | File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes. | ||||||||||||||||||||||||
OVAL details Verify non-FIPS hashes are not configured in /etc/aide.conf passed because these items were not found:Object oval:ssg-object_aide_non_fips_hashes:obj:1 of type textfilecontent54_object
Verify FIPS hashes are configured in /etc/aide.conf passed because of these items:
|
Verify and Correct Ownership with RPM
Rule ID | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | ||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:13:46 | ||||||||||||||||||||||||||||||||
Severity | high | ||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-80545-7 References: RHEL-07-TBD, AC-6, AU-9(1), AU-9(3), CM-6(d), CM-6(3), CCI-001494, CCI-001496, Req-11.5, 1.2.6, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.3, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 5.10.4.1, 3.3.8, 3.4.1 | ||||||||||||||||||||||||||||||||
Description | The RPM package management system can check file ownership permissions of installed software packages, including many that are important to system security. After locating a file with incorrect permissions, which can be found with rpm -Va | grep "^.....\(U\|.G\)"run the following command to determine which package owns it: $ rpm -qf FILENAMENext, run the following command to reset its permissions to the correct values: $ sudo rpm --setugids PACKAGENAME | ||||||||||||||||||||||||||||||||
Rationale | Ownership of binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated. | ||||||||||||||||||||||||||||||||
Warnings | warning
Note: Due to a bug in the gdm package, the
RPM verify command may continue to fail even after file permissions have been
correctly set on /var/log/gdm . This is being tracked in Red Hat
Bugzilla #1275532.
| ||||||||||||||||||||||||||||||||
OVAL details user ownership of all files matches local rpm database passed because these items were not found:Object oval:ssg-object_files_fail_user_ownership:obj:1 of type rpmverifyfile_object
group ownership of all files matches local rpm database passed because these items were not found:Object oval:ssg-object_files_fail_group_ownership:obj:1 of type rpmverifyfile_object
|
Verify File Hashes with RPM
Rule ID | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:10 | ||||||||||||||||
Severity | high | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27157-7 References: RHEL-07-010020, SV-86479r2_rule, CM-6(d), CM-6(3), SI-7(1), CCI-000663, Req-11.5, 1.2.6, SRG-OS-000480-GPOS-00227, 5.10.4.1, 3.3.8, 3.4.1 | ||||||||||||||||
Description | Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands match vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database: $ rpm -Va | grep '^..5'A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file: $ rpm -qf FILENAMEThe package can be reinstalled from a yum repository using the command: $ sudo yum reinstall PACKAGENAMEAlternatively, the package can be reinstalled from trusted media using the command: $ sudo rpm -Uvh PACKAGENAME | ||||||||||||||||
Rationale | The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. | ||||||||||||||||
OVAL details verify file md5 hashes passed because these items were not found:Object oval:ssg-object_files_fail_md5_hash:obj:1 of type rpmverifyfile_object
|
Install McAfee Virus Scanning Software
Rule ID | xccdf_org.ssgproject.content_rule_install_mcafee_antivirus | ||
Result | fail | ||
Time | 2018-04-30T11:14:10 | ||
Severity | high | ||
Identifiers and References | Identifiers: CCE-80127-4 References: RHEL-07-032000, SV-86837r1_rule, SC-28, SI-3, SI-3(1)(ii), CCI-000366, CCI-001239, CCI-001668, SRG-OS-000480-GPOS-00227 | ||
Description | Install McAfee VirusScan Enterprise for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem. | ||
Rationale | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. | ||
Warnings | warning
Due to McAfee HIPS being 3rd party software, automated
remediation is not available for this configuration check. | ||
OVAL details AntiVirus package is installed failed because these items were missing:Object oval:ssg-obj_linuxshield_install_antivirus:obj:1 of type rpminfo_object
|
Virus Scanning Software Definitions Are Updated
Rule ID | xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated |
Result | notchecked |
Time | 2018-04-30T11:14:10 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80129-0 References: RHEL-07-032010, SV-86839r1_rule, SC-28, SI-3, SI-3(1)(ii), CCI-000366, CCI-001239, CCI-001668, SRG-OS-000480-GPOS-00227 |
Description | Ensure virus definition files are no older than 7 days or their last release. |
Rationale | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. |
Enable FIPS Mode in GRUB2
Rule ID | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | ||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||
Time | 2018-04-30T11:14:10 | ||||||||||||||||||||||
Severity | high | ||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-80359-3 References: RHEL-07-021350, SV-86691r2_rule, AC-17(2), CCI-000068, CCI-002450, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, 5.10.1.2, 3.13.8, 3.13.11 | ||||||||||||||||||||||
Description |
To ensure FIPS mode is enabled, rebuild dracut -fAfter the dracut command has been run, add the argument fips=1 to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub , in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"Finally, rebuild the grub.cfg file by using the
grub2-mkconfig -ocommand as follows:
| ||||||||||||||||||||||
Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. | ||||||||||||||||||||||
Warnings | warning
Running dracut -fwill overwrite the existing initramfs file. warning
The system needs to be rebooted for these changes to take effect. warning
The ability to enable FIPS does not denote FIPS compliancy or certification.
Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community
projects such as CentOS, Scientific Linux, etc. do not necessarily meet FIPS certification and compliancy.
Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible.
See http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm for a list of FIPS certified vendors. | ||||||||||||||||||||||
OVAL details check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX passed because of these items:
check for GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub passed because these items were not found:Object oval:ssg-object_grub2_default_exists:obj:1 of type textfilecontent54_object
check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT passed because these items were not found:Object oval:ssg-object_grub2_enable_fips_mode_default:obj:1 of type textfilecontent54_object
State oval:ssg-state_grub2_enable_fips_mode:ste:1 of type textfilecontent54_state
check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX passed because of these items:
|
The Installed Operating System Is Vendor Supported and Certified
Rule ID | xccdf_org.ssgproject.content_rule_installed_OS_is_certified |
Result | pass |
Time | 2018-04-30T11:14:10 |
Severity | high |
Identifiers and References | Identifiers: CCE-80349-4 References: RHEL-07-020250, SV-86621r2_rule, SI-2(c), CCI-000366, SRG-OS-000480-GPOS-00227 |
Description | The installed operating system must be maintained and certified by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches as well as meeting and maintaining goverment certifications and standards. |
Rationale | An operating system is considered "supported" if the vendor continues to provide security patches for the product as well as maintain government certification requirements. With an unsupported release, it will not be possible to resolve security issue discovered in the system software as well as meet government certifications. |
Disable GDM Automatic Login
Rule ID | xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login | ||||||
Result | pass | ||||||
Time | 2018-04-30T11:14:10 | ||||||
Severity | high | ||||||
Identifiers and References | Identifiers: CCE-80104-3 References: RHEL-07-010440, SV-86577r1_rule, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00229, 3.1.1 | ||||||
Description | The GNOME Display Manager (GDM) can allow users to automatically login without
user interaction or credentials. User should always be required to authenticate themselves
to the system that they are authorized to use. To disable user ability to automatically
login to the system, set the [daemon] AutomaticLoginEnable=false | ||||||
Rationale | Failure to restrict system access to authenticated users negatively impacts operating system security. | ||||||
OVAL details Disable GDM Automatic Login passed because these items were not found:Object oval:ssg-obj_disable_automatic_login:obj:1 of type textfilecontent54_object
|
Disable GDM Guest Login
Rule ID | xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login | ||||||
Result | pass | ||||||
Time | 2018-04-30T11:14:10 | ||||||
Severity | high | ||||||
Identifiers and References | Identifiers: CCE-80105-0 References: RHEL-07-010450, SV-86579r2_rule, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00229, 3.1.1 | ||||||
Description | The GNOME Display Manager (GDM) can allow users to login without credentials
which can be useful for public kiosk scenarios. Allowing users to login without credentials
or "guest" account access has inherent security risks and should be disabled. To do disable
timed logins or guest account access, set the [daemon] TimedLoginEnable=false | ||||||
Rationale | Failure to restrict system access to authenticated users negatively impacts operating system security. | ||||||
OVAL details Disable GDM Guest Login passed because these items were not found:Object oval:ssg-obj_disable_guest_login:obj:1 of type textfilecontent54_object
|
Enable the GNOME3 Login Smartcard Authentication
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:11 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-80108-4 References: CCI-000765, CCI-000766, CCI-000767, CCI-000768, CCI-000771, CCI-000772, CCI-000884, CCI-001954, Req-8.3, SRG-OS-000375-GPOS-00160, RHEL-07-010061 | ||||||||||||||||
Description | In the default graphical environment, smart card authentication
can be enabled on the login screen by setting [org/gnome/login-screen] enable-smartcard-authentication=trueOnce the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/enable-smartcard-authenticationAfter the settings have been set, run dconf update .
| ||||||||||||||||
Rationale | Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. | ||||||||||||||||
OVAL details Enable GUI Login Smartcard authentication passed because these items were not found:Object oval:ssg-obj_enable_gnome_smartcard:obj:1 of type textfilecontent54_object
GUI smartcard authentication cannot be disabled passed because these items were not found:Object oval:ssg-obj_prevent_user_disable_smartcard:obj:1 of type textfilecontent54_object
|
Set GNOME3 Screensaver Inactivity Timeout
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay | ||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||
Time | 2018-04-30T11:14:11 | ||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-80110-0 References: RHEL-07-010070, SV-86517r2_rule, AC-11(a), CCI-000057, Req-8.1.8, SRG-OS-000029-GPOS-00010, 5.5.5, 3.1.10 | ||||||||||||||||||||||||||
Description |
The idle time-out value for inactivity in the GNOME3 desktop is configured via the [org/gnome/desktop/session] idle-delay='uint32 900'Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delayAfter the settings have been set, run dconf update .
| ||||||||||||||||||||||||||
Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock. | ||||||||||||||||||||||||||
OVAL details screensaver idle delay is configured passed because these items were not found:Object oval:ssg-obj_screensaver_idle_delay:obj:1 of type textfilecontent54_object
user cannot change screensaver idle delay passed because these items were not found:Object oval:ssg-obj_prevent_user_change_idle_delay:obj:1 of type textfilecontent54_object
screensaver idle delay setting is correct passed because these items were not found:Object oval:ssg-obj_screensaver_idle_delay_setting:obj:1 of type textfilecontent54_object
State oval:ssg-state_screensaver_idle_delay_setting:ste:1 of type textfilecontent54_state
|
Enable GNOME3 Screensaver Idle Activation
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:11 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-80111-8 References: RHEL-07-010100, SV-86523r1_rule, AC-11(a), CCI-000057, SRG-OS-000029-GPOS-00010, Req-8.1.8, 5.5.5, 3.1.10 | ||||||||||||||||
Description |
To activate the screensaver in the GNOME3 desktop after a period of inactivity,
add or set [org/gnome/desktop/screensaver] idle_activation_enabled=trueOnce the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/idle-activation-enabledAfter the settings have been set, run dconf update .
| ||||||||||||||||
Rationale |
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock.
| ||||||||||||||||
OVAL details idle delay is configured passed because these items were not found:Object oval:ssg-obj_screensaver_idle_activation_enabled:obj:1 of type textfilecontent54_object
user cannot change idle_activation_enabled passed because these items were not found:Object oval:ssg-obj_prevent_user_change_idle_activation_enabled:obj:1 of type textfilecontent54_object
|
Enable GNOME3 Screensaver Lock After Idle Period
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:11 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-80112-6 References: RHEL-07-010060, SV-86515r2_rule, AC-11(b), CCI-000056, Req-8.1.8, SRG-OS-000028-GPOS-00009, OS-SRG-000030-GPOS-00011, 5.5.5, 3.1.10 | ||||||||||||||||
Description |
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
add or set [org/gnome/desktop/screensaver] lock-enabled=trueOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-enabledAfter the settings have been set, run dconf update .
| ||||||||||||||||
Rationale | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. | ||||||||||||||||
OVAL details screensaver lock is enabled passed because these items were not found:Object oval:ssg-obj_screensaver_lock_enabled:obj:1 of type textfilecontent54_object
screensaver lock cannot be changed by user passed because these items were not found:Object oval:ssg-obj_prevent_user_screensaver_lock:obj:1 of type textfilecontent54_object
|
Set GNOME3 Screensaver Lock Delay After Activation Period
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay | ||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||
Time | 2018-04-30T11:14:11 | ||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-80370-0 References: RHEL-07-010110, SV-86525r1_rule, AC-11(a), CCI-000056, Req-8.1.8, OS-SRG-000029-GPOS-00010, 3.1.10 | ||||||||||||||||||||||||||
Description |
To activate the locking delay of the screensaver in the GNOME3 desktop when
the screensaver is activated, add or set [org/gnome/desktop/screensaver] lock-delay=uint32 5Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-delayAfter the settings have been set, run dconf update .
| ||||||||||||||||||||||||||
Rationale | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. | ||||||||||||||||||||||||||
OVAL details screensaver lock is set correctly passed because these items were not found:Object oval:ssg-obj_screensaver_lock_delay:obj:1 of type textfilecontent54_object
screensaver lock delay cannot be changed by user passed because these items were not found:Object oval:ssg-obj_prevent_user_lock_delay:obj:1 of type textfilecontent54_object
screensaver lock delay setting is correct passed because these items were not found:Object oval:ssg-obj_screensaver_lock_delay_setting:obj:1 of type textfilecontent54_object
State oval:ssg-state_screensaver_lock_delay_setting:ste:1 of type textfilecontent54_state
|
Ensure Users Cannot Change GNOME3 Screensaver Settings
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:14:11 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80371-8 References: RHEL-07-010081, SV-87807r2_rule, AC-11(a), CCI-000057, SRG-OS-00029-GPOS-0010, 3.1.10 | ||||||||
Description |
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-delayAfter the settings have been set, run dconf update .
| ||||||||
Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. | ||||||||
OVAL details screensaver lock delay cannot be changed by user passed because these items were not found:Object oval:ssg-obj_user_change_lock_delay_lock:obj:1 of type textfilecontent54_object
|
Ensure Users Cannot Change GNOME3 Session Idle Settings
Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:14:11 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80544-0 References: RHEL-07-010082, SV-87809r2_rule, AC-11(a), CCI-000057, SRG-OS-00029-GPOS-0010, 3.1.10 | ||||||||
Description |
If not already configured, ensure that users cannot change GNOME3 session idle settings
by adding /org/gnome/desktop/session/idle-delayAfter the settings have been set, run dconf update .
| ||||||||
Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. | ||||||||
OVAL details user cannot change screensaver idle delay passed because these items were not found:Object oval:ssg-obj_user_change_idle_delay_lock:obj:1 of type textfilecontent54_object
|
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
Rule ID | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||
Result | pass | ||||||||||||||
Time | 2018-04-30T11:14:11 | ||||||||||||||
Severity | medium | ||||||||||||||
Identifiers and References | Identifiers: CCE-80351-0 References: RHEL-07-010340, SV-86571r1_rule, IA-11, CCI-002038, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | ||||||||||||||
Description |
The sudo | ||||||||||||||
Rationale |
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
| ||||||||||||||
OVAL details NOPASSWD does not exist /etc/sudoers passed because these items were not found:Object oval:ssg-object_nopasswd_etc_sudoers:obj:1 of type textfilecontent54_object
NOPASSWD does not exist in /etc/sudoers.d passed because these items were not found:Object oval:ssg-object_nopasswd_etc_sudoers_d:obj:1 of type textfilecontent54_object
|
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
Rule ID | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | ||||||||||||||
Result | pass | ||||||||||||||
Time | 2018-04-30T11:14:11 | ||||||||||||||
Severity | medium | ||||||||||||||
Identifiers and References | Identifiers: CCE-80350-2 References: RHEL-07-010350, SV-86573r2_rule, IA-11, CCI-002038, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | ||||||||||||||
Description |
The sudo | ||||||||||||||
Rationale |
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
| ||||||||||||||
OVAL details !authenticate does not exist in /etc/sudoers passed because these items were not found:Object oval:ssg-object_no_authenticate_etc_sudoers:obj:1 of type textfilecontent54_object
!authenticate does not exist in /etc/sudoers.d passed because these items were not found:Object oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1 of type textfilecontent54_object
|
Add nosuid Option to Removable Media Partitions
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions | ||||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:14:11 | ||||||||||||||||||||||||||||||||||
Severity | low | ||||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-80148-0 References: RHEL-07-021010, SV-86667r1_rule, AC-6, AC-19(a), AC-19(d), AC-19(e), CM-7, MP-2, 1.1.19, CCI-000366, SRG-OS-000480-GPOS-00227 | ||||||||||||||||||||||||||||||||||
Description | The | ||||||||||||||||||||||||||||||||||
Rationale | The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. | ||||||||||||||||||||||||||||||||||
OVAL details 'nosuid' mount option used for at least one CD / DVD drive alternative names in /etc/fstab passed because these items were not found:Object oval:ssg-object_nosuid_etc_fstab_cd_dvd_drive:obj:1 of type textfilecontent54_object
State oval:ssg-state_nosuid_etc_fstab_cd_dvd_drive:ste:1 of type textfilecontent54_state
'nosuid' mount option used for at least one CD / DVD drive alternative names in runtime configuration passed because these items were not found:Object oval:ssg-object_nosuid_runtime_cd_dvd_drive:obj:1 of type partition_object
Check if removable partition is configured with 'nosuid' mount option in /etc/fstab passed because these items were not found:Object oval:ssg-object_nosuid_etc_fstab_not_cd_dvd_drive:obj:1 of type textfilecontent54_object
State oval:ssg-state_nosuid_etc_fstab_not_cd_dvd_drive:ste:1 of type textfilecontent54_state
'nosuid' mount option used for removable partition in runtime configuration passed because these items were not found:Object oval:ssg-object_nosuid_runtime_not_cd_dvd_drive:obj:1 of type partition_object
|
Add nosuid Option to /home
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_home_nosuid | ||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||
Time | 2018-04-30T11:14:11 | ||||||||||||||||||||||||||||||
Severity | low | ||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-81153-9 References: RHEL-07-021000, SV-86665r2_rule, CM-7, MP-2, 1.1.3 | ||||||||||||||||||||||||||||||
Description | The | ||||||||||||||||||||||||||||||
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions. | ||||||||||||||||||||||||||||||
OVAL details nosuid on /home passed because of these items:
|
Disable Modprobe Loading of USB Storage Driver
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled | ||||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:14:11 | ||||||||||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-27277-3 References: RHEL-07-020100, SV-86607r1_rule, AC-19(a), AC-19(d), AC-19(e), IA-3, CCI-000366, CCI-000778, CCI-001958, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-0016, SRG-OS-000480-GPOS-00227, 3.1.21 | ||||||||||||||||||||||||||||||||||
Description |
To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the install usb-storage /bin/trueThis will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually. | ||||||||||||||||||||||||||||||||||
Rationale | USB storage devices such as thumb drives can be used to introduce malicious software. | ||||||||||||||||||||||||||||||||||
OVAL details kernel module usb-storage disabled passed because of these items:
kernel module usb-storage disabled in /etc/modprobe.conf passed because these items were not found:Object oval:ssg-obj_kernmod_usb-storage_modprobeconf:obj:1 of type textfilecontent54_object
kernel module usb-storage disabled in /etc/modules-load.d passed because these items were not found:Object oval:ssg-obj_kernmod_usb-storage_etcmodules-load:obj:1 of type textfilecontent54_object
kernel module usb-storage disabled in /run/modules-load.d passed because these items were not found:Object oval:ssg-obj_kernmod_usb-storage_runmodules-load:obj:1 of type textfilecontent54_object
kernel module usb-storage disabled in /usr/lib/modules-load.d passed because these items were not found:Object oval:ssg-obj_kernmod_usb-storage_libmodules-load:obj:1 of type textfilecontent54_object
|
Disable the Automounter
Rule ID | xccdf_org.ssgproject.content_rule_service_autofs_disabled | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:14:11 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-27498-5 References: RHEL-07-020110, SV-86609r1_rule, AC-19(a), AC-19(d), AC-19(e), IA-3, CCI-000366, CCI-000778, CCI-001958, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, 3.4.6, 1.1.22 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description | The $ sudo systemctl disable autofs.service | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Rationale | Disabling the automounter permits the administrator to
statically control filesystem mounting through | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
OVAL details systemd test passed because of these items:
systemd test passed because of these items:
Test that the autofs service is not running passed because these items were not found:Object oval:ssg-obj_service_not_running_autofs:obj:1 of type systemdunitproperty_object
State oval:ssg-state_service_not_running_autofs:ste:1 of type systemdunitproperty_state
|
Ensure All Files Are Owned by a User
Rule ID | xccdf_org.ssgproject.content_rule_no_files_unowned_by_user | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:14:28 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80134-0 References: RHEL-07-020320, SV-86631r1_rule, AC-3(4), AC-6, CM-6(b), CCI-002165, SRG-OS-000480-GPOS-00227, 6.1.11 | ||||||||
Description | If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. | ||||||||
Rationale | Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. | ||||||||
OVAL details Check user ids on all files on the system passed because these items were not found:Object oval:ssg-file_permissions_unowned_object:obj:1 of type file_object
|
Ensure All World-Writable Directories Are Owned by a System Account
Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned | ||||||||||||
Result | pass | ||||||||||||
Time | 2018-04-30T11:14:48 | ||||||||||||
Severity | low | ||||||||||||
Identifiers and References | Identifiers: CCE-80136-5 References: RHEL-07-021030, SV-86671r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227 | ||||||||||||
Description | All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group. | ||||||||||||
Rationale | Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. | ||||||||||||
OVAL details check for local directories that are world writable and have uid greater than or equal to 1000 passed because these items were not found:Object oval:ssg-all_local_directories:obj:1 of type file_object
State oval:ssg-state_gid_is_user_and_world_writable:ste:1 of type file_state
|
Enable Randomized Layout of Virtual Address Space
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space |
Result | pass |
Time | 2018-04-30T11:14:48 |
Severity | medium |
Identifiers and References | Identifiers: CCE-27127-0 References: SC-30(2), 1.5.1, 3.1.7, CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-040201 |
Description |
To set the runtime status of the $ sudo sysctl -w kernel.randomize_va_space=2If this is not the system's default value, add the following line to /etc/sysctl.conf :
kernel.randomize_va_space = 2 |
Rationale | Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. |
Ensure SELinux State is Enforcing
Rule ID | xccdf_org.ssgproject.content_rule_selinux_state | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | high | ||||
Identifiers and References | Identifiers: CCE-27334-2 References: RHEL-07-020210, SV-86613r2_rule, AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), CCI-002165, CCI-002696, 1.6.1.2, SRG-OS-000445-GPOS-00199, 3.1.2, 3.7.2 | ||||
Description | The SELinux state should be set to SELINUX=enforcing | ||||
Rationale | Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. | ||||
OVAL details /selinux/enforce is 1 passed because of these items:
|
Configure SELinux Policy
Rule ID | xccdf_org.ssgproject.content_rule_selinux_policytype | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | high | ||||
Identifiers and References | Identifiers: CCE-27279-9 References: RHEL-07-020220, SV-86615r2_rule, AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), CCI-002696, 1.6.1.3, SRG-OS-000445-GPOS-00199, 3.1.2, 3.7.2 | ||||
Description | The SELinux SELINUXTYPE=targetedOther policies, such as mls , provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases.
| ||||
Rationale |
Setting the SELinux policy to | ||||
OVAL details Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file passed because of these items:
|
Ensure No Device Files are Unlabeled by SELinux
Rule ID | xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled | ||||||||||
Result | pass | ||||||||||
Time | 2018-04-30T11:14:48 | ||||||||||
Severity | medium | ||||||||||
Identifiers and References | Identifiers: CCE-27326-8 References: RHEL-07-020900, SV-86663r1_rule, AC-6, AU-9, CM-3(f), CM-7, CCI-000022, CCI-000032, CCI-000368, CCI-000318, CCI-001812, CCI-001813, CCI-001814, SRG-OS-000480-GPOS-00227, 3.1.2, 3.1.5, 3.7.2 | ||||||||||
Description | Device files, which are used for communication with important
system resources, should be labeled with proper SELinux types. If any device
files do not carry the SELinux type $ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"It should produce no output in a well-configured system. | ||||||||||
Rationale |
If a device file carries the SELinux type | ||||||||||
OVAL details device_t in /dev passed because these items were not found:Object oval:ssg-object_selinux_all_devicefiles_labeled:obj:1 of type selinuxsecuritycontext_object
State oval:ssg-state_selinux_all_devicefiles_labeled:ste:1 of type selinuxsecuritycontext_state
|
Map System Users To The Appropriate SELinux Role
Rule ID | xccdf_org.ssgproject.content_rule_selinux_user_login_roles |
Result | notchecked |
Time | 2018-04-30T11:14:48 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80543-2 References: CCI-002235, SRG-OS-000324-GPOS-00125, RHEL-07-020020, SV-86595r1_rule |
Description |
Configure the operating system to prevent non-privileged users from executing
privileged functions to include disabling, circumventing, or altering
implemented security safeguards/countermeasures. All administrators must be
mapped to the $ sudo semanage login -m -s sysadm_u USERor $ sudo semanage login -m -s staff_u USER All authorized non-administrative users must be mapped to the user_u role or the appropriate domain
(user_t).
$ sudo semanage login -m -s user_u USER |
Rationale |
Preventing non-privileged users from executing privileged functions mitigates
the risk that unauthorized individuals or processes may gain unnecessary access
to information or privileges.
|
Verify Only Root Has UID 0
Rule ID | xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero | ||||||
Result | pass | ||||||
Time | 2018-04-30T11:14:48 | ||||||
Severity | high | ||||||
Identifiers and References | Identifiers: CCE-27175-9 References: RHEL-07-020310, SV-86629r1_rule, AC-6, IA-2(1), IA-4, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.1, 3.1.5, 6.2.5 | ||||||
Description |
If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or
have their UID changed.
| ||||||
Rationale | An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. | ||||||
OVAL details test that there are no accounts with UID 0 except root in the /etc/passwd file passed because these items were not found:Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object
|
Prevent Log In to Accounts With Empty Password
Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords | ||||||
Result | pass | ||||||
Time | 2018-04-30T11:14:48 | ||||||
Severity | high | ||||||
Identifiers and References | Identifiers: CCE-27286-4 References: RHEL-07-010290, SV-86561r1_rule, AC-6, IA-5(b), IA-5(c), IA-5(1)(a), CCI-000366, SRG-OS-000480-GPOS-00227, Req-8.2.3, 5.5.2, 3.1.1, 3.1.5 | ||||||
Description | If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the | ||||||
Rationale | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. | ||||||
OVAL details make sure nullok is not used in /etc/pam.d/system-auth passed because these items were not found:Object oval:ssg-object_no_empty_passwords:obj:1 of type textfilecontent54_object
|
All GIDs referenced in /etc/passwd must be defined in /etc/group
Rule ID | xccdf_org.ssgproject.content_rule_gid_passwd_group_same | ||||||||||||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:14:48 | ||||||||||||||||||||||||||||||||||||||||||
Severity | low | ||||||||||||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-27503-2 References: RHEL-07-020300, SV-86627r1_rule, IA-2, CCI-000764, SRG-OS-000104-GPOS-00051, Req-8.5.a, 5.5.2 | ||||||||||||||||||||||||||||||||||||||||||
Description | Add a group to the system for each GID referenced without a corresponding group. | ||||||||||||||||||||||||||||||||||||||||||
Rationale | If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Gruop Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group. | ||||||||||||||||||||||||||||||||||||||||||
OVAL details Verify all GIDs referenced in /etc/passwd are defined in /etc/group passed because of these items:
|
Set Password Minimum Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27002-5 References: RHEL-07-010230, SV-86549r1_rule, IA-5(f), IA-5(1)(d), CCI-000198, SRG-OS-000075-GPOS-00043, 3.5.8, 5.6.2.1.1 | ||||
Description | To specify password minimum age for new accounts,
edit the file PASS_MIN_DAYS 1A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is 1 .
| ||||
Rationale |
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat
the password reuse or history enforcement requirement. If users are allowed to immediately
and continually change their password, then the password could be repeatedly changed in a
short period of time to defeat the organization's policy regarding password reuse.
| ||||
OVAL details The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs passed because of these items:
|
Set Password Maximum Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27051-2 References: RHEL-07-010250, SV-86553r1_rule, IA-5(f), IA-5(g), IA-5(1)(d), CCI-000199, SRG-OS-000076-GPOS-00044, Req-8.2.4, 5.4.1.1, 5.6.2.1, 3.5.6 | ||||
Description | To specify password maximum age for new accounts,
edit the file PASS_MAX_DAYS 60A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is 60 .
| ||||
Rationale |
Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.
| ||||
OVAL details The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs passed because of these items:
|
Set Existing Passwords Minimum Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing |
Result | notchecked |
Time | 2018-04-30T11:14:48 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80521-8 References: CCI-000198, SRG-OS-000075-GPOS-00043, RHEL-07-010240, SV-86551r1_rule |
Description | Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command: $ sudo chage -m 1 USER |
Rationale | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. |
Set Existing Passwords Maximum Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing |
Result | notchecked |
Time | 2018-04-30T11:14:48 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80522-6 References: CCI-000199, SRG-OS-000076-GPOS-00044, RHEL-07-010260, SV-86555r1_rule |
Description | Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command: $ sudo chage -M 60 USER |
Rationale | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. |
Set Account Expiration Following Inactivity
Rule ID | xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27355-7 References: RHEL-07-010310, SV-86565r1_rule, AC-2(2), AC-2(3), IA-4(e), CCI-000795, SRG-OS-000118-GPOS-00060, Req-8.1.4, 3.5.6, 5.6.2.1.1 | ||||
Description | To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following lines in INACTIVE=0A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity
timeout must be done with careful consideration of the length of a "normal"
period of inactivity for users in the particular environment. Setting
the timeout too low incurs support costs and also has the potential to impact
availability of the system to legitimate users.
| ||||
Rationale | Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. | ||||
OVAL details the value INACTIVE parameter should be set appropriately in /etc/default/useradd passed because of these items:
|
Set Password Retry Prompts Permitted Per-Session
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_retry | ||||||||||||
Result | pass | ||||||||||||
Time | 2018-04-30T11:14:48 | ||||||||||||
Severity | low | ||||||||||||
Identifiers and References | Identifiers: CCE-27160-1 References: RHEL-07-010119, SV-87811r2_rule, CM-6(b), IA-5(c), CCI-000366, 6.3.2, SRG-OS-000480-GPOS-00225, 5.5.3 | ||||||||||||
Description | To configure the number of retry prompts that are permitted per-session:
| ||||||||||||
Rationale | Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. | ||||||||||||
OVAL details check the configuration of /etc/pam.d/system-auth passed because these items were not found:Object oval:ssg-obj_password_pam_cracklib_retry:obj:1 of type textfilecontent54_object
State oval:ssg-state_password_pam_retry:ste:1 of type textfilecontent54_state
check the configuration of /etc/pam.d/system-auth passed because of these items:
|
Set Password Maximum Consecutive Repeating Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27333-4 References: RHEL-07-010180, SV-86539r1_rule, IA-5, IA-5(c), CCI-000195, SRG-OS-000072-GPOS-00040 | ||||
Description | The pam_pwquality module's | ||||
Rationale |
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
guessing and brute-force attacks.
| ||||
OVAL details check the configuration of /etc/security/pwquality.conf passed because of these items:
|
Set Password to Maximum of Consecutive Repeating Characters from Same Character Class
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27512-3 References: RHEL-07-010190, SV-86541r1_rule, IA-5, IA-5(c), CCI-000195, SRG-OS-000072-GPOS-00040 | ||||
Description | The pam_pwquality module's | ||||
Rationale |
Use of a complex password helps to increase the time and resources required to comrpomise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting
attempts at guessing and brute-force attacks.
| ||||
OVAL details check the configuration of /etc/security/pwquality.conf passed because of these items:
|
Set Password Strength Minimum Digit Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27214-6 References: RHEL-07-010140, SV-86531r2_rule, IA-5(1)(a), IA-5(b), IA-5(c), 194, CCI-000194, SRG-OS-000071-GPOS-00039, Req-8.2.3, 6.3.2 | ||||
Description | The pam_pwquality module's | ||||
Rationale |
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
| ||||
OVAL details check the configuration of /etc/security/pwquality.conf passed because of these items:
|
Set Password Minimum Length
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27293-0 References: RHEL-07-010280, SV-86559r1_rule, IA-5(1)(a), CCI-000205, SRG-OS-000078-GPOS-00046, Req-8.2.3, 6.3.2, 5.6.2.1.1 | ||||
Description | The pam_pwquality module's | ||||
Rationale |
The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.
| ||||
OVAL details check the configuration of /etc/security/pwquality.conf passed because of these items:
|
Set Password Strength Minimum Uppercase Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27200-5 References: RHEL-07-010120, SV-86527r2_rule, IA-5(b), IA-5(c), IA-5(1)(a), CCI-000192, SRG-OS-000069-GPOS-00037, Req-8.2.3, 6.3.2 | ||||
Description | The pam_pwquality module's | ||||
Rationale |
Use of a complex password helps to increase the time and resources reuiqred to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
| ||||
OVAL details check the configuration of /etc/security/pwquality.conf passed because of these items:
|
Set Password Strength Minimum Special Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27360-7 References: RHEL-07-010150, SV-86533r1_rule, IA-5(b), IA-5(c), IA-5(1)(a), CCI-001619, SRG-OS-000266-GPOS-00101 | ||||
Description | The pam_pwquality module's | ||||
Rationale |
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
| ||||
OVAL details check the configuration of /etc/security/pwquality.conf passed because of these items:
|
Set Password Strength Minimum Lowercase Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27345-8 References: RHEL-07-010130, SV-86529r2_rule, IA-5(b), IA-5(c), IA-5(1)(a), CCI-000193, SRG-OS-000070-GPOS-00038, Req-8.2.3 | ||||
Description | The pam_pwquality module's | ||||
Rationale |
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
| ||||
OVAL details check the configuration of /etc/security/pwquality.conf passed because of these items:
|
Set Password Strength Minimum Different Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_difok | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-26631-2 References: RHEL-07-010160, SV-86535r1_rule, IA-5(b), IA-5(c), IA-5(1)(b), CCI-000195, SRG-OS-000072-GPOS-00040, 5.6.2.1.1 | ||||
Description | The pam_pwquality module's | ||||
Rationale |
Use of a complex password helps to increase the time and resources
required to compromise the password. Password complexity, or strength,
is a measure of the effectiveness of a password in resisting attempts
at guessing and brute–force attacks.
| ||||
OVAL details check the configuration of /etc/security/pwquality.conf passed because of these items:
|
Set Password Strength Minimum Different Categories
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27115-5 References: RHEL-07-010170, SV-86537r1_rule, IA-5, CCI-000195, SRG-OS-000072-GPOS-00040 | ||||
Description | The pam_pwquality module's * Upper-case characters * Lower-case characters * Digits * Special characters (for example, punctuation)Modify the minclass setting in /etc/security/pwquality.conf entry to require 4
differing categories of characters when changing passwords.
| ||||
Rationale |
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
| ||||
OVAL details check the configuration of /etc/security/pwquality.conf passed because of these items:
|
Set Deny For Failed Password Attempts
Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny | ||||||||||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:14:48 | ||||||||||||||||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-27350-8 References: RHEL-07-010320, SV-86567r2_rule, AC-7(b), CCI-002238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, Req-8.1.6, 5.3.2, 5.5.3, 3.1.8 | ||||||||||||||||||||||||||||||||||||||||
Description |
To configure the system to lock out accounts after a number of incorrect login
attempts using
| ||||||||||||||||||||||||||||||||||||||||
Rationale | Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. | ||||||||||||||||||||||||||||||||||||||||
OVAL details Check pam_faillock.so preauth silent present, with correct deny value, and is followed by pam_unix. passed because of these items:
Check if pam_faillock.so is called in account phase before pam_unix passed because of these items:
Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth, has correct deny value, and is followed by pam_unix passed because of these items:
Check if pam_faillock_so is called in account phase before pam_unix. passed because of these items:
Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value passed because these items were not found:Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_system-auth:obj:1 of type textfilecontent54_object
State oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1 of type textfilecontent54_state
Check control values of pam_unix, that it is followed by pam_faillock.so authfail and deny value of pam_faillock.so authfail passed because of these items:
Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value passed because these items were not found:Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_password-auth:obj:1 of type textfilecontent54_object
State oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1 of type textfilecontent54_state
Check pam_faillock authfail is present after pam_unix, check pam_unix has proper control values, and authfail deny value is correct. passed because of these items:
|
Set Lockout Time For Failed Password Attempts
Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:48 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-26884-7 References: RHEL-07-010320, SV-86567r2_rule, AC-7(b), CCI-002238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, Req-8.1.7, 5.3.2, 5.5.3, 3.1.8 | ||||||||||||||||
Description |
To configure the system to lock out accounts after a number of incorrect login
attempts and require an administrator to unlock the account using
| ||||||||||||||||
Rationale | Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations. | ||||||||||||||||
OVAL details check preauth maximum failed login attempts allowed in /etc/pam.d/system-auth passed because of these items:
check authfail maximum failed login attempts allowed in /etc/pam.d/system-auth passed because of these items:
check authfail maximum failed login attempts allowed in /etc/pam.d/password-auth passed because of these items:
check preauth maximum failed login attempts allowed in /etc/pam.d/password-auth passed because of these items:
|
Configure the root Account for Failed Password Attempts
Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:48 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-80353-6 References: RHEL-07-010330, SV-86569r1_rule, AC-7(b), CCI-002238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 | ||||||||||||||||
Description |
To configure the system to lock out the
| ||||||||||||||||
Rationale | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. | ||||||||||||||||
OVAL details Check pam_faillock.so preauth silent present in /etc/pam.d/system-auth passed because of these items:
Check maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail) passed because of these items:
Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth passed because of these items:
Check maximum failed login attempts allowed in /etc/pam.d/password-auth (authfail) passed because of these items:
|
Set Interval For Counting Failed Password Attempts
Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:48 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27297-1 References: RHEL-07-010320, SV-86567r2_rule, AC-7(b), CCI-002238, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 | ||||||||||||||||
Description |
Utilizing
| ||||||||||||||||
Rationale | By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. | ||||||||||||||||
OVAL details check maximum preauth fail_interval allowed in /etc/pam.d/system-auth passed because of these items:
check maximum authfail fail_interval allowed in /etc/pam.d/system-auth passed because of these items:
check maximum authfail fail_interval allowed in /etc/pam.d/password-auth passed because of these items:
check maximum preauth fail_interval allowed in /etc/pam.d/password-auth passed because of these items:
|
Limit Password Reuse
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember | ||||||||||||
Result | pass | ||||||||||||
Time | 2018-04-30T11:14:48 | ||||||||||||
Severity | medium | ||||||||||||
Identifiers and References | Identifiers: CCE-26923-3 References: RHEL-07-010270, SV-86557r1_rule, IA-5(f), IA-5(1)(e), CCI-000200, SRG-OS-000077-GPOS-00045, Req-8.2.5, 5.3.3, 5.6.2.1.1, 3.5.8 | ||||||||||||
Description | Do not allow users to reuse recent passwords. This can be
accomplished by using the
| ||||||||||||
Rationale | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. | ||||||||||||
OVAL details Test if remember attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth passed because of these items:
Test if remember attribute of pam_pwhistory.so is set correctly in /etc/pam.d/system-auth passed because these items were not found:Object oval:ssg-object_accounts_password_pam_pwhistory_remember:obj:1 of type textfilecontent54_object
State oval:ssg-state_accounts_password_pam_unix_remember:ste:1 of type textfilecontent54_state
|
Set PAM's Password Hashing Algorithm
Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27104-9 References: RHEL-07-010200, SV-86543r1_rule, IA-5(b), IA-5(c), IA-5(1)(c), IA-7, CCI-000196, SRG-OS-000073-GPOS-00041, Req-8.2.1, 6.3.1, 5.6.2.2, 3.13.11 | ||||
Description |
The PAM system service can be configured to only store encrypted representations of passwords.
In password sufficient pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. | ||||
Rationale |
Passwords need to be protected at all times, and encryption is the standard method for protecting
passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily
compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they
are kepy in plain text.
| ||||
OVAL details check /etc/pam.d/system-auth for correct settings passed because of these items:
|
Set Password Hashing Algorithm in /etc/login.defs
Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27124-7 References: RHEL-07-010210, SV-86545r1_rule, IA-5(b), IA-5(c), IA-5(1)(c), IA-7, CCI-000196, SRG-OS-000073-GPOS-00041, Req-8.2.1, 6.3.1, 5.6.2.2, 3.13.11 | ||||
Description |
In ENCRYPT_METHOD SHA512 | ||||
Rationale |
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.
If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords
that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.
| ||||
OVAL details The value of ENCRYPT_METHOD should be set appropriately in /etc/login.defs passed because of these items:
|
Set Password Hashing Algorithm in /etc/libuser.conf
Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27053-8 References: RHEL-07-010220, SV-86547r2_rule, IA-5(b), IA-5(c), IA-5(1)(c), IA-7, CCI-000196, SRG-OS-000073-GPOS-00041, Req-8.2.1, 5.6.2.2, 3.13.11 | ||||
Description |
In crypt_style = sha512 | ||||
Rationale |
Passwords need to be protected at all times, and encryption is the standard method for protecting
passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily
compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they
are kepy in plain text.
| ||||
OVAL details The password hashing algorithm should be set correctly in /etc/libuser.conf passed because of these items:
|
Set Last Logon/Access Notification
Rule ID | xccdf_org.ssgproject.content_rule_display_login_attempts | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | low | ||||
Identifiers and References | Identifiers: CCE-27275-7 References: RHEL-07-040530, SV-86899r1_rule, AC-9, CCI-000366, Req-10.2.4, SRG-OS-000480-GPOS-00227, 5.5.2 | ||||
Description | To configure the system to notify users of last logon/access
using session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet session [default=1] pam_lastlog.so nowtmp showfailed session optional pam_lastlog.so silent noupdate showfailed | ||||
Rationale | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. | ||||
OVAL details Check the pam_lastlog configuration of /etc/pam.d/postlogin passed because of these items:
|
Ensure the Default Umask is Set Correctly in login.defs
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | low | ||||
Identifiers and References | Identifiers: CCE-80205-8 References: RHEL-07-020240, SV-86619r1_rule, CM-6(b), SA-8, CCI-000366, SRG-OS-000480-GPOS-00228 | ||||
Description |
To ensure the default umask controlled by UMASK 077 | ||||
Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users. | ||||
OVAL details Test the retrieved /etc/login.defs umask value(s) match the var_accounts_user_umask requirement passed because of these items:
|
Ensure the Default Umask is Set Correctly For Interactive Users
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users |
Result | notchecked |
Time | 2018-04-30T11:14:48 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80536-6 References: CCI-001814, SRG-OS-000480-GPOS-00227, RHEL-07-021040, SV-86673r1_rule |
Description |
Remove the |
Rationale | The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. |
Ensure Home Directories are Created for New Users
Rule ID | xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-80434-4 References: RHEL-07-020610, SV-86637r1_rule, SRG-OS-000480-GPOS-00227 | ||||
Description |
All local interactive user accounts, upon creation, should be assigned a home directory.
CREATE_HOME yes | ||||
Rationale | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. | ||||
OVAL details Check value of CREATE_HOME in /etc/login.defs passed because of these items:
|
Set Interactive Session Timeout
Rule ID | xccdf_org.ssgproject.content_rule_accounts_tmout | ||||||||||||||
Result | pass | ||||||||||||||
Time | 2018-04-30T11:14:48 | ||||||||||||||
Severity | medium | ||||||||||||||
Identifiers and References | Identifiers: CCE-27557-8 References: RHEL-07-040160, SV-86847r2_rule, AC-12, SC-10, CCI-001133, CCI-000361, SRG-OS-000163-GPOS-00072, 3.1.11 | ||||||||||||||
Description |
Setting the TMOUT=600 | ||||||||||||||
Rationale | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. | ||||||||||||||
OVAL details TMOUT in /etc/profile passed because of these items:
TMOUT in /etc/profile.d/*.sh passed because these items were not found:Object oval:ssg-object_etc_profiled_tmout:obj:1 of type textfilecontent54_object
State oval:ssg-state_etc_profile_tmout:ste:1 of type textfilecontent54_state
|
Limit the Number of Concurrent Login Sessions Allowed Per User
Rule ID | xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions | ||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||
Time | 2018-04-30T11:14:48 | ||||||||||||||||||||||
Severity | low | ||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-27081-9 References: RHEL-07-040000, SV-86841r1_rule, AC-10, CCI-000054, SRG-OS-000027-GPOS-00008, 5.5.2.2 | ||||||||||||||||||||||
Description |
Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. To set the number of concurrent
sessions per user add the following line in * hard maxlogins 10 | ||||||||||||||||||||||
Rationale | Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. | ||||||||||||||||||||||
OVAL details the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf passed because these items were not found:Object oval:ssg-object_etc_security_limitsd_conf_maxlogins:obj:1 of type textfilecontent54_object
State oval:ssg-state_maxlogins:ste:1 of type textfilecontent54_state
the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf passed because these items were not found:Object oval:ssg-object_etc_security_limitsd_conf_maxlogins_exists:obj:1 of type textfilecontent54_object
the value maxlogins should be set appropriately in /etc/security/limits.conf passed because of these items:
|
Ensure the Logon Failure Delay is Set Correctly in login.defs
Rule ID | xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:48 | ||||
Severity | low | ||||
Identifiers and References | Identifiers: CCE-80352-8 References: RHEL-07-010430, SV-86575r1_rule, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00226 | ||||
Description |
To ensure the logon failure delay controlled by FAIL_DELAY 4 | ||||
Rationale | Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack. | ||||
OVAL details check FAIL_DELAY in /etc/login.defs passed because of these items:
|
User Initialization Files Must Not Run World-Writable Programs
Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs |
Result | notchecked |
Time | 2018-04-30T11:14:48 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80523-4 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020730, SV-86661r1_rule |
Description | Set the mode on files being executed by the user initialization files with the following command: $ sudo chmod 0755 FILE |
Rationale | If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level. |
Ensure that Users Path Contains Only Local Directories
Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only |
Result | notchecked |
Time | 2018-04-30T11:14:48 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80524-2 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020720, SV-86659r2_rule |
Description | Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory. |
Rationale | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the users home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO). |
User Initialization Files Must Be Group-Owned By The Primary User
Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership |
Result | notchecked |
Time | 2018-04-30T11:14:48 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80526-7 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020700, SV-86655r2_rule |
Description | Change the group owner of interactive users files to the group found in /etc/passwdfor the user. To change the group owner of a local interactive user home directory, use the following command: $ sudo chgrp USER_GROUP /home/USER/.INIT_FILE |
Rationale | Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. |
User Initialization Files Must Be Owned By the Primary User
Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership |
Result | notchecked |
Time | 2018-04-30T11:14:48 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80527-5 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020690, SV-86653r1_rule |
Description | Set the owner of the user initialization files for interactive users to the primary owner with the following command: $ sudo chown USER /home/USER/.* |
Rationale | Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. |
All Interactive Users Must Have A Home Directory Defined
Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined |
Result | notchecked |
Time | 2018-04-30T11:14:48 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80528-3 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020600, SV-86635r1_rule |
Description | Assign home directories to all interactive users that currently do not have a home directory assigned. |
Rationale | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. |
All Interactive Users Home Directories Must Exist
Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists |
Result | notchecked |
Time | 2018-04-30T11:14:48 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80529-1 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020620, SV-86639r1_rule |
Description |
Create home directories to all interactive users that currently do not
have a home directory assigned. Use the following commands to create the user
home directory assigned in $ sudo mkdir /home/USER |
Rationale | If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access. |
All Interactive User Home Directories Must Be Owned By The Primary User
Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_home_directories |
Result | notchecked |
Time | 2018-04-30T11:14:48 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80531-7 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020640, SV-86643r2_rule |
Description | Change the owner of interactive users home directories to that correct owner. To change the owner of a interactive users home directory, use the following command: $ sudo chown USER /home/USER |
Rationale | If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files. |
All Interactive User Home Directories Must Be Group-Owned By The Primary User
Rule ID | xccdf_org.ssgproject.content_rule_file_groupownership_home_directories |
Result | notchecked |
Time | 2018-04-30T11:14:48 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80532-5 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020650, SV-86645r2_rule |
Description |
Change the group owner of interactive users home directory to the
group found in $ sudo chgrp USER_GROUP /home/USER |
Rationale | If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should. |
All User Files and Directories In The Home Directory Must Be Owned By The Primary User
Rule ID | xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership |
Result | notchecked |
Time | 2018-04-30T11:14:48 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80533-3 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020660, SV-86647r1_rule |
Description | Change the owner of a interactive users files and directories to that owner. To change the of a local interactive users files and directories, use the following command: $ sudo chown -R USER /home/USER |
Rationale | If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise. |
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User
Rule ID | xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership |
Result | notchecked |
Time | 2018-04-30T11:14:48 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80534-1 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-020670, SV-86649r1_rule |
Description | Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories, use the following command: $ sudo chgrp USER_GROUP /home/USER/FILE_DIR |
Rationale | If a local interactive users files are group-owned by a group of which the user is not a member, unintended users may be able to access them. |
Set Boot Loader Password
Rule ID | xccdf_org.ssgproject.content_rule_bootloader_password | ||||||||||||||||||||||||
Result | fail | ||||||||||||||||||||||||
Time | 2018-04-30T11:14:48 | ||||||||||||||||||||||||
Severity | high | ||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-27309-4 References: RHEL-07-010480, SV-86585r1_rule, IA-2(1), IA-5(e), AC-3, CCI-000213, SRG-OS-000080-GPOS-00048, 1.4.2, 3.4.5 | ||||||||||||||||||||||||
Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
$ grub2-mkpasswd-pbkdf2When prompted, enter the password that was selected and insert the returned password hash into the /etc/grub.d/01_users configuration file
immediately after the superuser account.
(Use the output from grub2-mkpasswd-pbkdf2 as the value of
password-hash):
password_pbkdf2 superusers-account password-hashNOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfgNOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
| ||||||||||||||||||||||||
Rationale | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to | ||||||||||||||||||||||||
Warnings | warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
| ||||||||||||||||||||||||
OVAL details /boot/grub2/grub.cfg does not exist failed because of these items:
make sure a password is defined in /boot/grub2/grub.cfg failed because these items were missing:Object oval:ssg-object_bootloader_password:obj:1 of type textfilecontent54_object
superuser is defined in /boot/grub2/grub.cfg files. Superuser is not root, admin, or administrator failed because these items were missing:Object oval:ssg-object_bootloader_superuser:obj:1 of type textfilecontent54_object
|
Set the UEFI Boot Loader Password
Rule ID | xccdf_org.ssgproject.content_rule_bootloader_uefi_password | ||||||||||||||
Result | pass | ||||||||||||||
Time | 2018-04-30T11:14:48 | ||||||||||||||
Severity | medium | ||||||||||||||
Identifiers and References | Identifiers: CCE-80354-4 References: RHEL-07-010490, SV-86587r1_rule, AC-3, CCI-000213, SRG-OS-000080-GPOS-00048, 3.4.5, 1.4.2 | ||||||||||||||
Description | The UEFI grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
$ grub2-mkpasswd-pbkdf2When prompted, enter the password that was selected and insert the returned password hash into the /etc/grub.d/01_users configuration file immediately
after the superuser account.
(Use the output from grub2-mkpasswd-pbkdf2 as the value of
password-hash):
password_pbkdf2 superusers-account password-hashNOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfgNOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
| ||||||||||||||
Rationale | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to | ||||||||||||||
Warnings | warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
| ||||||||||||||
OVAL details /boot/efi/EFI/redhat/grub.cfg does not exist passed because these items were not found:Object oval:ssg-object_bootloader_uefi_grub_cfg:obj:1 of type file_object
make sure a password is defined in /boot/efi/EFI/redhat/grub.cfg passed because these items were not found:Object oval:ssg-object_bootloader_uefi_password:obj:1 of type textfilecontent54_object
superuser is defined in /boot/efi/EFI/redhat/grub.cfg. Superuser is not root, admin, or administrator passed because these items were not found:Object oval:ssg-object_bootloader_uefi_superuser:obj:1 of type textfilecontent54_object
|
Boat Loader Is Not Installed On Removeable Media
Rule ID | xccdf_org.ssgproject.content_rule_bootloader_no_removeable_media |
Result | notchecked |
Time | 2018-04-30T11:14:48 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80517-6 References: CCI-001814, SRG-OS-000364-GPOS-00151, RHEL-07-021700, SV-86699r1_rule |
Description |
The system must not allow removable media to be used as the boot loader.
Remove alternate methods of booting the system from removable media.
set root='hd0,msdos1' |
Rationale | Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. |
Install the screen Package
Rule ID | xccdf_org.ssgproject.content_rule_package_screen_installed | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:49 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27351-6 References: RHEL-07-010090, SV-86521r1_rule, AC-11(a), CCI-000057, SRG-OS-000029-GPOS-00010, 3.1.10 | ||||||||||||||||
Description |
To enable console screen locking, install the $ sudo yum install screenInstruct users to begin new terminal sessions with the following command: $ screenThe console can now be locked with the following key combination: ctrl+a x | ||||||||||||||||
Rationale |
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but des not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity,
operating systems need to be able to identify when a user's session has idled and take action to initiate the
session lock.
| ||||||||||||||||
OVAL details package screen is installed passed because of these items:
|
Install Smart Card Packages For Multifactor Authentication
Rule ID | xccdf_org.ssgproject.content_rule_install_smartcard_packages |
Result | notchecked |
Time | 2018-04-30T11:14:49 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80519-2 References: CCI-001954, SRG-OS-000375-GPOS-00160, RHEL-07-041001, SV-87041r2_rule |
Description | Configure the operating system to implement multifactor authentication by installing the required packages with the following command: $ sudo yum install esc pam_pkcs11 authconfig-gtk |
Rationale |
Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
|
Configure Smart Card Certificate Status Checking
Rule ID | xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking |
Result | notchecked |
Time | 2018-04-30T11:14:49 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80520-0 References: CCI-001954, SRG-OS-000375-GPOS-00160, RHEL-07-041003, SV-87057r2_rule |
Description |
Configure the operating system to do certificate status checking for PKI
authentication. Modify all of the cert_policy = ca, ocsp_on, signature; |
Rationale |
Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
|
Enable Smart Card Login
Rule ID | xccdf_org.ssgproject.content_rule_smartcard_auth | ||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||
Time | 2018-04-30T11:14:49 | ||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-80207-4 References: RHEL-07-010500, SV-86589r1_rule, IA-2(2), CCI-000765, CCI-000766, CCI-000767, CCI-000768, CCI-000771, CCI-000772, CCI-000884, Req-8.3, SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058 | ||||||||||||||||||||||||
Description | To enable smart card authentication, consult the documentation at: For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: | ||||||||||||||||||||||||
Rationale | Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. | ||||||||||||||||||||||||
OVAL details Test ocsp_on in /etc/pam_pkcs11/pkcs11.conf passed because of these items:
Test smartcard authentication is enabled in /etc/pam.d/system-auth file passed because of these items:
Test smartcard authentication is required in /etc/pam.d/system-auth file passed because these items were not found:Object oval:ssg-object_smart_card_required_system_auth:obj:1 of type textfilecontent54_object
Test smartcard authentication is required in /etc/pam.d/smartcard-auth file passed because of these items:
|
Require Authentication for Single User Mode
Rule ID | xccdf_org.ssgproject.content_rule_require_singleuser_auth | ||||||||||||||||||||
Result | pass | ||||||||||||||||||||
Time | 2018-04-30T11:14:49 | ||||||||||||||||||||
Severity | medium | ||||||||||||||||||||
Identifiers and References | Identifiers: CCE-27287-2 References: IA-2(1), AC-3, CCI-000213, 3.1.1, 3.4.5, 1.4.3, SRG-OS-000080-GPOS-00048, RHEL-07-010481 | ||||||||||||||||||||
Description | Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
| ||||||||||||||||||||
Rationale | This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. | ||||||||||||||||||||
OVAL details Tests that /sbin/sulogin was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode passed because of these items:
Tests that the systemd rescue.service is in the runlevel1.target passed because of these items:
look for runlevel1.target in /etc/systemd/system passed because these items were not found:Object oval:ssg-object_no_custom_runlevel1_target:obj:1 of type file_object
look for rescue.service in /etc/systemd/system passed because these items were not found:Object oval:ssg-object_no_custom_rescue_service:obj:1 of type file_object
|
Disable Ctrl-Alt-Del Reboot Activation
Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:49 | ||||
Severity | high | ||||
Identifiers and References | Identifiers: CCE-27511-5 References: RHEL-07-020230, SV-86617r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.4.5 | ||||
Description |
By default, ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.targetor systemctl mask ctrl-alt-del.target Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file,
as this file may be restored during future system updates.
| ||||
Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. | ||||
Warnings | warning
Disabling the Ctrl-Alt-Del key sequence
with SystemD DOES NOT disable the Ctrl-Alt-Del key sequence
if running in graphical.target mode (e.g. in GNOME, KDE, etc.)! The
Ctrl-Alt-Del key sequence will only be disabled if running in
the non-graphical multi-user.target mode.
| ||||
OVAL details Disable Ctrl-Alt-Del key sequence override exists passed because of these items:
|
Disable Kernel Parameter for Sending ICMP Redirects by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects |
Result | pass |
Time | 2018-04-30T11:14:49 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80156-3 References: RHEL-07-040650, SV-86915r2_rule, AC-4, CM-7, SC-5, SC-7, CCI-000366, 3.1.2, SRG-OS-000480-GPOS-00227, 5.10.1.1, 3.1.20 |
Description |
To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.send_redirects = 0 |
Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
|
Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects |
Result | pass |
Time | 2018-04-30T11:14:49 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80156-3 References: RHEL-07-040660, SV-86917r2_rule, AC-4, CM-7, SC-5(1), CCI-000366, 3.1.2, SRG-OS-000480-GPOS-00227, 5.10.1.1, 3.1.20 |
Description |
To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.all.send_redirects = 0 |
Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
|
Disable Kernel Parameter for IP Forwarding
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward |
Result | pass |
Time | 2018-04-30T11:14:49 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80157-1 References: RHEL-07-040740, SV-86933r1_rule, CM-7, SC-5, SC-32, CCI-000366, 3.1.1, SRG-OS-000480-GPOS-00227, 3.1.20 |
Description |
To set the runtime status of the $ sudo sysctl -w net.ipv4.ip_forward=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.ip_forward = 0 |
Rationale | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. |
Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route |
Result | pass |
Time | 2018-04-30T11:14:49 |
Severity | medium |
Identifiers and References | Identifiers: CCE-27434-0 References: RHEL-07-040610, SV-86907r1_rule, AC-4, CM-7, SC-5, CCI-000366, SRG-OS-000480-GPOS-00227, 3.2.1, 3.1.20 |
Description |
To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.all.accept_source_route = 0 |
Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and
the system is functioning as a router.
|
Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects |
Result | pass |
Time | 2018-04-30T11:14:49 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80158-9 References: RHEL-07-040641, SV-87827r2_rule, CM-6(d), CM-7, SC-5, CCI-000366, CCI-001503, CCI-001551, 3.2.2, SRG-OS-000480-GPOS-00227, 5.10.1.1, 3.1.20 |
Description |
To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.all.accept_redirects = 0 |
Rationale | ICMP redirect messages are used by routers to inform hosts that a more direct
route exists for a particular destination. These messages modify the host's route table
and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle
attack.
|
Configure Kernel Parameter for Accepting Source-Routed Packets By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route |
Result | pass |
Time | 2018-04-30T11:14:49 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80162-1 References: RHEL-07-040620, SV-86909r1_rule, AC-4, CM-7, SC-5, SC-7, CCI-000366, CCI-001551, SRG-OS-000480-GPOS-00227, 3.2.1, 5.10.1.1, 3.1.20 |
Description |
To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.accept_source_route = 0 |
Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures.
|
Configure Kernel Parameter for Accepting ICMP Redirects By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects |
Result | pass |
Time | 2018-04-30T11:14:49 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80163-9 References: RHEL-07-040640, SV-86913r2_rule, AC-4, CM-7, SC-5, SC-7, CCI-001551, 3.2.2, SRG-OS-000480-GPOS-00227, 5.10.1.1, 3.1.20 |
Description |
To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.conf.default.accept_redirects = 0 |
Rationale | ICMP redirect messages are used by routers to inform hosts that a more direct
route exists for a particular destination. These messages modify the host's route table
and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle
attack.
|
Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts |
Result | pass |
Time | 2018-04-30T11:14:49 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80165-4 References: RHEL-07-040630, SV-86911r1_rule, AC-4, CM-7, SC-5, CCI-000366, SRG-OS-000480-GPOS-00227, 3.2.5, 5.10.1.1, 3.1.20 |
Description |
To set the runtime status of the $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv4.icmp_echo_ignore_broadcasts = 1 |
Rationale | Responding to broadcast (ICMP) echoes facilitates network mapping
and provides a vector for amplification attacks.
|
Deactivate Wireless Network Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_wireless_disable_interfaces | ||||||
Result | pass | ||||||
Time | 2018-04-30T11:14:49 | ||||||
Severity | low | ||||||
Identifiers and References | Identifiers: CCE-27358-1 References: AC-17(8), AC-18(a), AC-18(d), AC-18(3), CM-7, CCI-000085, CCI-002418, 4.3.1, 3.1.16, SRG-OS-000424-GPOS-00188, RHEL-07-041010, SV-87829r1_rule | ||||||
Description |
Deactivating wireless network interfaces should prevent
normal usage of the wireless capability.
$ sudo nmcli radio wifi off | ||||||
Rationale | The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources. | ||||||
OVAL details query /proc/net/wireless passed because these items were not found:Object oval:ssg-object_wireless_disable_interfaces:obj:1 of type textfilecontent54_object
|
Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route |
Result | pass |
Time | 2018-04-30T11:14:49 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80179-5 References: RHEL-07-040830, SV-86943r1_rule, AC-4, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.20 |
Description |
To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0If this is not the system's default value, add the following line to /etc/sysctl.conf :
net.ipv6.conf.all.accept_source_route = 0 |
Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
|
Verify firewalld Enabled
Rule ID | xccdf_org.ssgproject.content_rule_service_firewalld_enabled | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:14:49 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-27361-5 References: RHEL-07-040520, SV-86897r1_rule, CM-6(b), CCI-000366, 4.7, SRG-OS-000480-GPOS-00227, 3.1.3, 3.4.7 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description |
The $ sudo systemctl enable firewalld.service | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Rationale | Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
OVAL details Test that the firewalld service is running passed because of these items:
systemd test passed because of these items:
systemd test passed because of these items:
|
Set Default firewalld Zone for Incoming Packets
Rule ID | xccdf_org.ssgproject.content_rule_set_firewalld_default_zone | ||||||
Result | fail | ||||||
Time | 2018-04-30T11:14:49 | ||||||
Severity | medium | ||||||
Identifiers and References | Identifiers: CCE-27349-0 References: RHEL-07-040810, SV-86939r1_rule, CM-6(b), CM-7, CCI-000366, SRG-OS-000480-GPOS-00227, 5.10.1, 3.1.3, 3.4.7, 3.13.6 | ||||||
Description | To set the default zone to DefaultZone=drop | ||||||
Rationale | In | ||||||
OVAL details Check /etc/firewalld/firewalld.conf DefaultZone for drop failed because these items were missing:Object oval:ssg-obj_firewalld_input_drop:obj:1 of type textfilecontent54_object
|
Configure firewalld To Rate Limit Connections
Rule ID | xccdf_org.ssgproject.content_rule_configure_firewalld_rate_limiting |
Result | notchecked |
Time | 2018-04-30T11:14:49 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80542-4 References: CCI-002385, SRG-OS-000420-GPOS-00186, RHEL-07-040510, SV-86895r1_rule |
Description | Create a direct firewall rule to protect against DoS attacks with the following command: $ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT |
Rationale |
DoS is a condition when a resource is not available for legitimate users. When
this occurs, the organization either cannot accomplish its mission or must
operate at degraded capacity.
|
Configure the Firewalld Ports
Rule ID | xccdf_org.ssgproject.content_rule_configure_firewalld_ports |
Result | pass |
Time | 2018-04-30T11:14:50 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80447-6 References: RHEL-07-040100, SV-86843r1_rule, CM-7, CM-7.1(iii), CM-7(b), AC-17(1), CCI-000382, CCI-002314, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115 |
Description | Configure the $ sudo firewall-cmd --permanent --add-port=port_number/tcpor $ sudo firewall-cmd --permanent --add-port=service_nameRun the command list above for each of the ports listed below: To configure firewalld to allow access, run the following command(s):
firewall-cmd --permanent --add-service=ssh
|
Rationale | In order to prevent unauthorized connection of devices, unauthorized transfer of information,
or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or
restrict unused or unnecessary physical and logical ports/protocols on information systems.
|
Disable DCCP Support
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled | ||||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-26828-4 References: CM-7, CCI-001958, 3.5.1, 5.10.1, 3.4.6, RHEL-07-020101 | ||||||||||||||||||||||||||||||||||
Description |
The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.
To configure the system to prevent the install dccp /bin/true | ||||||||||||||||||||||||||||||||||
Rationale | Disabling DCCP protects the system against exploitation of any flaws in its implementation. | ||||||||||||||||||||||||||||||||||
OVAL details kernel module dccp disabled passed because of these items:
kernel module dccp disabled in /etc/modprobe.conf passed because these items were not found:Object oval:ssg-obj_kernmod_dccp_modprobeconf:obj:1 of type textfilecontent54_object
kernel module dccp disabled in /etc/modules-load.d passed because these items were not found:Object oval:ssg-obj_kernmod_dccp_etcmodules-load:obj:1 of type textfilecontent54_object
kernel module dccp disabled in /run/modules-load.d passed because these items were not found:Object oval:ssg-obj_kernmod_dccp_runmodules-load:obj:1 of type textfilecontent54_object
kernel module dccp disabled in /usr/lib/modules-load.d passed because these items were not found:Object oval:ssg-obj_kernmod_dccp_libmodules-load:obj:1 of type textfilecontent54_object
|
Verify Any Configured IPSec Tunnel Connections
Rule ID | xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels |
Result | notchecked |
Time | 2018-04-30T11:14:50 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80171-2 References: RHEL-07-040820, SV-86941r1_rule, AC-4, CCI-000336, SRG-OS-000480-GPOS-00227 |
Description | Libreswan provides an implementation of IPsec
and IKE, which permits the creation of secure tunnels over
untrusted networks. As such, IPsec can be used to circumvent certain
network requirements such as filtering. Verify that if any IPsec connection
( |
Rationale | IP tunneling mechanisms can be used to bypass network filtering. |
Configure Multiple DNS Servers in /etc/resolv.conf
Rule ID | xccdf_org.ssgproject.content_rule_network_configure_name_resolution | ||||||
Result | fail | ||||||
Time | 2018-04-30T11:14:49 | ||||||
Severity | low | ||||||
Identifiers and References | Identifiers: CCE-80438-5 References: RHEL-07-040600, SV-86905r1_rule, SC-22, CCI-000366, SRG-OS-000480-GPOS-00227 | ||||||
Description | Multiple Domain Name System (DNS) Servers should be configured
in search example.com nameserver 192.168.0.1 nameserver 192.168.0.2 | ||||||
Rationale | To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. | ||||||
OVAL details check if more than one nameserver in /etc/resolv.conf failed because these items were missing:Object oval:ssg-obj_network_configure_name_resolution:obj:1 of type textfilecontent54_object
|
Ensure System is Not Acting as a Network Sniffer
Rule ID | xccdf_org.ssgproject.content_rule_network_sniffer_disabled | ||||||
Result | pass | ||||||
Time | 2018-04-30T11:14:49 | ||||||
Severity | medium | ||||||
Identifiers and References | Identifiers: CCE-80174-6 References: RHEL-07-040670, SV-86919r1_rule, CM-7, CM-7(2).1(i), MA-3, CCI-000366, SRG-OS-000480-GPOS-00227 | ||||||
Description | The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode: $ ip link | grep PROMISC | ||||||
Rationale |
Network interfaces in promiscuous mode allow for the capture of all network traffic
visible to the system. If unauthorized individuals can access these applications, it
may allow them to collect information such as logon IDs, passwords, and key exchanges
between systems.
| ||||||
OVAL details check all network interfaces for PROMISC flag passed because these items were not found:Object oval:ssg-object_promisc_interfaces:obj:1 of type interface_object
State oval:ssg-state_promisc:ste:1 of type interface_state
|
Ensure cron Is Logging To Rsyslog
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_cron_logging | ||||||||||||
Result | pass | ||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||
Severity | medium | ||||||||||||
Identifiers and References | Identifiers: CCE-80380-9 References: RHEL-07-021100, SV-86675r1_rule, AU-2(d), CCI-000366, SRG-OS-000480-GPOS-00227 | ||||||||||||
Description | Cron logging must be implemented to spot intrusions or trace
cron job status. If cron.* /var/log/cron | ||||||||||||
Rationale | Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users. | ||||||||||||
OVAL details cron is configured in /etc/rsyslog.conf passed because of these items:
cron is configured in /etc/rsyslog.d passed because these items were not found:Object oval:ssg-obj_cron_logging_rsyslog_dir:obj:1 of type textfilecontent54_object
|
Ensure Logs Sent To Remote Host
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost | ||||||||||||
Result | pass | ||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||
Severity | low | ||||||||||||
Identifiers and References | Identifiers: CCE-27343-3 References: RHEL-07-031000, SV-86833r1_rule, AU-3(2), AU-4(1), AU-9, CCI-000366, CCI-001348, CCI-000136, CCI-001851, 4.2.1.4, SRG-OS-000480-GPOS-00227 | ||||||||||||
Description |
To configure rsyslog to send logs to a remote log server,
open *.* @loghost.example.com To use TCP for log message delivery: *.* @@loghost.example.com To use RELP for log message delivery: *.* :omrelp:loghost.example.com There must be a resolvable DNS CNAME or Alias record set to "logcollector" for logs to be sent correctly to the centralized logging utility. | ||||||||||||
Rationale | A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. | ||||||||||||
OVAL details Ensures system configured to export logs to remote host passed because of these items:
Ensures system configured to export logs to remote host passed because these items were not found:Object oval:ssg-object_remote_loghost_rsyslog_d:obj:1 of type textfilecontent54_object
|
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_nolisten | ||||||
Result | pass | ||||||
Time | 2018-04-30T11:14:50 | ||||||
Severity | low | ||||||
Identifiers and References | Identifiers: CCE-80192-8 References: RHEL-07-031010, SV-86835r1_rule, AU-9(2), AC-4, CM-6(c), CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, SRG-OS-000480-GPOS-00227 | ||||||
Description | The $ModLoad imtcp $InputTCPServerRun port $ModLoad imudp $UDPServerRun port $ModLoad imrelp $InputRELPServerRun port | ||||||
Rationale | Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network. | ||||||
OVAL details Ensure that the /etc/rsyslog.conf does not contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun passed because these items were not found:Object oval:ssg-object_rsyslog_nolisten:obj:1 of type textfilecontent54_object
|
Configure auditd space_left Action on Low Disk Space
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:50 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27375-5 References: AU-1(b), AU-4, AU-5(1), AU-5(b), IR-5, CCI-001855, Req-10.7, 5.2.1.2, SRG-OS-000343-GPOS-00134, 030340, 5.4.1.1, 3.3.1 | ||||
Description | The space_left_action = ACTIONPossible values for ACTION are described in the auditd.conf man page.
These include:
email (instead of the default,
which is suspend ) as it is more likely to get prompt attention. Acceptable values
also include suspend , single , and halt .
| ||||
Rationale | Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. | ||||
OVAL details space left action passed because of these items:
|
Configure auditd space_left on Low Disk Space
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:50 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-80537-4 References: AU-1(b), AU-4, AU-5(b), IR-5, CCI-001855, Req-10.7, RHEL-07-030330, SV-86713r1_rule, SRG-OS-000343-GPOS-00134 | ||||
Description | The space_left = SIZE_in_MBSet this value to the appropriate size in Megabytes cause the system to notify the user of an issue. | ||||
Rationale | Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. | ||||
OVAL details admin space left action passed because of these items:
|
Configure auditd mail_acct Action on Low Disk Space
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct | ||||
Result | pass | ||||
Time | 2018-04-30T11:14:50 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27394-6 References: RHEL-07-030350, SV-86717r2_rule, AU-1(b), AU-4, AU-5(1), AU-5(a), IR-5, CCI-001855, Req-10.7.a, 5.2.1.2, SRG-OS-000343-GPOS-00134, 5.4.1.1, 3.3.1 | ||||
Description | The action_mail_acct = root | ||||
Rationale | Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. | ||||
OVAL details email account for actions passed because of these items:
|
Configure audispd's Plugin network_failure_action On Network Failure
Rule ID | xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action |
Result | notchecked |
Time | 2018-04-30T11:14:50 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80538-2 References: CCI-001851, SRG-OS-000342-GPOS-00133, RHEL-07-030321, SV-87815r2_rule |
Description |
Configure the action the operating system takes if there is an error sending
audit records to a remote system. Edit the file network_failure_action = ACTIONSet this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include syslog and
halt . For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined.
|
Rationale | Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records. |
Configure audispd's Plugin disk_full_action When Disk Is Full
Rule ID | xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action |
Result | notchecked |
Time | 2018-04-30T11:14:50 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80539-0 References: CCI-001851, SRG-OS-000342-GPOS-00133, RHEL-07-030320, SV-86711r2_rule |
Description |
Configure the action the operating system takes if the disk the audit records
are written to becomes full. Edit the file disk_full_action = ACTIONSet this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include syslog and
halt . For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined.
|
Rationale | Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. |
Encrypt Audit Records Sent With audispd Plugin
Rule ID | xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records |
Result | notchecked |
Time | 2018-04-30T11:14:50 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80540-8 References: CCI-001851, SRG-OS-000342-GPOS-00133, RHEL-07-030310, SV-86709r1_rule |
Description |
Configure the operating system to encrypt the transfer of off-loaded audit
records onto a different system or media from the system being audited.
Uncomment the /etc/audisp/audisp-remote.conf, and set it with the following line: enable_krb5 = yes |
Rationale | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. |
Configure audispd Plugin To Send Logs To Remote Server
Rule ID | xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server |
Result | notchecked |
Time | 2018-04-30T11:14:50 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80541-6 References: CCI-001851, SRG-OS-000342-GPOS-00133, RHEL-07-030300, SV-86707r1_rule |
Description |
Configure the audispd plugin to off-load audit records onto a different
system or media from the system being audited.
Set the /etc/audisp/audisp-remote.confwith an IP address or hostname of the system that the audispd plugin should send audit records to. For example replacing REMOTE_SYSTEM with an IP address or hostname: remote_server = REMOTE_SYSTEM |
Rationale | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.Off-loading is a common process in information systems with limited audit storage capacity. |
Record Events that Modify the System's Discretionary Access Controls - chmod
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||
Severity | low | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27339-1 References: RHEL-07-030410, SV-86729r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod | ||||||||||||||||
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||
OVAL details audit augenrules 32-bit chmod passed because of these items:
audit augenrules 64-bit chmod passed because of these items:
audit auditctl 32-bit chmod passed because of these items:
audit auditctl 64-bit chmod passed because of these items:
|
Record Events that Modify the System's Discretionary Access Controls - chown
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||
Severity | low | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27364-9 References: RHEL-07-030370, SV-86721r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod | ||||||||||||||||
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||
OVAL details audit augenrules 32-bit chown passed because of these items:
audit augenrules 64-bit chown passed because of these items:
audit auditctl 32-bit chown passed because of these items:
audit auditctl 64-bit chown passed because of these items:
|
Record Events that Modify the System's Discretionary Access Controls - fchmod
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||
Severity | low | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27393-8 References: RHEL-07-030420, SV-86731r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod | ||||||||||||||||
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||
OVAL details audit augenrules 32-bit fchmod passed because of these items:
audit augenrules 64-bit fchmod passed because of these items:
audit auditctl 32-bit fchmod passed because of these items:
audit auditctl 64-bit fchmod passed because of these items:
|
Record Events that Modify the System's Discretionary Access Controls - fchmodat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||
Severity | low | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27388-8 References: RHEL-07-030430, SV-86733r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod | ||||||||||||||||
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||
OVAL details audit augenrules 32-bit fchmodat passed because of these items:
audit augenrules 64-bit fchmodat passed because of these items:
audit auditctl 32-bit fchmodat passed because of these items:
audit auditctl 64-bit fchmodat passed because of these items:
|
Record Events that Modify the System's Discretionary Access Controls - fchown
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||
Severity | low | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27356-5 References: RHEL-07-030380, SV-86723r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod | ||||||||||||||||
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||
OVAL details audit augenrules 32-bit fchown passed because of these items:
audit augenrules 64-bit fchown passed because of these items:
audit auditctl 32-bit fchown passed because of these items:
audit auditctl 64-bit fchown passed because of these items:
|
Record Events that Modify the System's Discretionary Access Controls - fchownat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||
Severity | low | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27387-0 References: RHEL-07-030400, SV-86727r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod | ||||||||||||||||
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||
OVAL details audit augenrules 32-bit fchownat passed because of these items:
audit augenrules 64-bit fchownat passed because of these items:
audit auditctl 32-bit fchownat passed because of these items:
audit auditctl 64-bit fchownat passed because of these items:
|
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27353-2 References: RHEL-07-030480, SV-86743r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file permission
changes for all users and root.
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod | ||||||||||||||||
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||
OVAL details audit augenrules 32-bit fremovexattr passed because of these items:
audit augenrules 64-bit fremovexattr passed because of these items:
audit auditctl 32-bit fremovexattr passed because of these items:
audit auditctl 64-bit fremovexattr passed because of these items:
|
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||
Severity | low | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27389-6 References: RHEL-07-030450, SV-86737r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod | ||||||||||||||||
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||
OVAL details audit augenrules 32-bit fsetxattr passed because of these items:
audit augenrules 64-bit fsetxattr passed because of these items:
audit auditctl 32-bit fsetxattr passed because of these items:
audit auditctl 64-bit fsetxattr passed because of these items:
|
Record Events that Modify the System's Discretionary Access Controls - lchown
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||
Severity | low | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27083-5 References: RHEL-07-030390, SV-86725r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod | ||||||||||||||||
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||
OVAL details audit augenrules 32-bit lchown passed because of these items:
audit augenrules 64-bit lchown passed because of these items:
audit auditctl 32-bit lchown passed because of these items:
audit auditctl 64-bit lchown passed because of these items:
|
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27410-0 References: RHEL-07-030490, SV-86745r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file permission
changes for all users and root.
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod | ||||||||||||||||
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||
OVAL details audit augenrules 32-bit lremovexattr passed because of these items:
audit augenrules 64-bit lremovexattr passed because of these items:
audit auditctl 32-bit lremovexattr passed because of these items:
audit auditctl 64-bit lremovexattr passed because of these items:
|
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||
Severity | low | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27280-7 References: RHEL-07-030460, SV-86739r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, 5.4.1.1, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod | ||||||||||||||||
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||
OVAL details audit augenrules 32-bit lsetxattr passed because of these items:
audit augenrules 64-bit lsetxattr passed because of these items:
audit auditctl 32-bit lsetxattr passed because of these items:
audit auditctl 64-bit lsetxattr passed because of these items:
|
Record Events that Modify the System's Discretionary Access Controls - removexattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27367-2 References: RHEL-07-030470, SV-86741r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file permission
changes for all users and root.
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod | ||||||||||||||||
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||
OVAL details audit augenrules 32-bit removexattr passed because of these items:
audit augenrules 64-bit removexattr passed because of these items:
audit auditctl 32-bit removexattr passed because of these items:
audit auditctl 64-bit removexattr passed because of these items:
|
Record Events that Modify the System's Discretionary Access Controls - setxattr
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||
Severity | low | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27213-8 References: RHEL-07-030440, SV-86735r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000172, Req-10.5.5, 5.2.10, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, 5.4.1.1, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod | ||||||||||||||||
Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||
OVAL details audit augenrules 32-bit setxattr passed because of these items:
audit augenrules 64-bit setxattr passed because of these items:
audit auditctl 32-bit setxattr passed because of these items:
audit auditctl 64-bit setxattr passed because of these items:
|
Record Attempts to Alter Logon and Logout Events - tallylog
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:14:50 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80382-5 References: RHEL-07-030600, SV-86767r2_rule, AC-17(7), AU-1(b), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, CCI-000126, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, Req-10.2.3, 5.2.8, 3.1.7 | ||||||||
Description | The audit system already collects login information for all users
and root. If the -w /var/log/tallylog -p wa -k loginsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins | ||||||||
Rationale | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. | ||||||||
OVAL details audit augenrules tallylog passed because of these items:
audit auditctl tallylog passed because of these items:
|
Record Attempts to Alter Logon and Logout Events - faillock
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:14:50 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80383-3 References: RHEL-07-030610, SV-86769r2_rule, AC-17(7), AU-1(b), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, CCI-000126, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, Req-10.2.3, 5.2.8, 3.1.7 | ||||||||
Description | The audit system already collects login information for all users
and root. If the -w /var/run/faillock/ -p wa -k loginsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/run/faillock/ -p wa -k logins | ||||||||
Rationale | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. | ||||||||
OVAL details audit augenrules faillock passed because of these items:
audit auditctl faillock passed because of these items:
|
Record Attempts to Alter Logon and Logout Events - lastlog
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:14:50 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80384-1 References: RHEL-07-030620, SV-86771r2_rule, AC-17(7), AU-1(b), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, CCI-000126, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, Req-10.2.3, 5.2.8, 3.1.7 | ||||||||
Description | The audit system already collects login information for all users
and root. If the -w /var/log/lastlog -p wa -k loginsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins | ||||||||
Rationale | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. | ||||||||
OVAL details audit augenrules lastlog passed because of these items:
audit auditctl lastlog passed because of these items:
|
Record Unauthorized Access Attempts to Files (unsuccessful) - creat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat | ||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-80385-8 References: RHEL-07-030500, SV-86747r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7 | ||||||||||||||||||||||||||||||||
Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access | ||||||||||||||||||||||||||||||||
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | ||||||||||||||||||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||||||||||||||||||
OVAL details audit augenrules 32-bit file eaccess passed because of these items:
audit augenrules 32-bit file eperm passed because of these items:
audit augenrules 64-bit file eaccess passed because of these items:
audit augenrules 64-bit file eperm passed because of these items:
audit auditctl 32-bit file eaccess passed because of these items:
audit auditctl 32-bit file eperm passed because of these items:
audit auditctl 64-bit file eaccess passed because of these items:
audit auditctl 64-bit file eperm passed because of these items:
|
Record Unauthorized Access Attempts to Files (unsuccessful) - open
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open | ||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-80386-6 References: RHEL-07-030510, SV-86749r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7 | ||||||||||||||||||||||||||||||||
Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access | ||||||||||||||||||||||||||||||||
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | ||||||||||||||||||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||||||||||||||||||
OVAL details audit augenrules 32-bit file eaccess passed because of these items:
audit augenrules 32-bit file eperm passed because of these items:
audit augenrules 64-bit file eaccess passed because of these items:
audit augenrules 64-bit file eperm passed because of these items:
audit auditctl 32-bit file eaccess passed because of these items:
audit auditctl 32-bit file eperm passed because of these items:
audit auditctl 64-bit file eaccess passed because of these items:
audit auditctl 64-bit file eperm passed because of these items:
|
Record Unauthorized Access Attempts to Files (unsuccessful) - openat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat | ||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-80387-4 References: RHEL-07-030520, SV-86751r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7 | ||||||||||||||||||||||||||||||||
Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access | ||||||||||||||||||||||||||||||||
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | ||||||||||||||||||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||||||||||||||||||
OVAL details audit augenrules 32-bit file eaccess passed because of these items:
audit augenrules 32-bit file eperm passed because of these items:
audit augenrules 64-bit file eaccess passed because of these items:
audit augenrules 64-bit file eperm passed because of these items:
audit auditctl 32-bit file eaccess passed because of these items:
audit auditctl 32-bit file eperm passed because of these items:
audit auditctl 64-bit file eaccess passed because of these items:
audit auditctl 64-bit file eperm passed because of these items:
|
Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at | ||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-80388-2 References: RHEL-07-030530, SV-86753r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7 | ||||||||||||||||||||||||||||||||
Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access | ||||||||||||||||||||||||||||||||
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | ||||||||||||||||||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||||||||||||||||||
OVAL details audit augenrules 32-bit file eaccess passed because of these items:
audit augenrules 32-bit file eperm passed because of these items:
audit augenrules 64-bit file eaccess passed because of these items:
audit augenrules 64-bit file eperm passed because of these items:
audit auditctl 32-bit file eaccess passed because of these items:
audit auditctl 32-bit file eperm passed because of these items:
audit auditctl 64-bit file eaccess passed because of these items:
audit auditctl 64-bit file eperm passed because of these items:
|
Record Unauthorized Access Attempts to Files (unsuccessful) - truncate
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate | ||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-80389-0 References: RHEL-07-030540, SV-86755r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7 | ||||||||||||||||||||||||||||||||
Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access | ||||||||||||||||||||||||||||||||
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | ||||||||||||||||||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||||||||||||||||||
OVAL details audit augenrules 32-bit file eaccess passed because of these items:
audit augenrules 32-bit file eperm passed because of these items:
audit augenrules 64-bit file eaccess passed because of these items:
audit augenrules 64-bit file eperm passed because of these items:
audit auditctl 32-bit file eaccess passed because of these items:
audit auditctl 32-bit file eperm passed because of these items:
audit auditctl 64-bit file eaccess passed because of these items:
audit auditctl 64-bit file eperm passed because of these items:
|
Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate | ||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-80390-8 References: RHEL-07-030550, SV-86757r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, CCI-002884, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, Req-10.2.4, Req-10.2.1, 5.2.10, 3.1.7 | ||||||||||||||||||||||||||||||||
Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access | ||||||||||||||||||||||||||||||||
Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | ||||||||||||||||||||||||||||||||
Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
| ||||||||||||||||||||||||||||||||
OVAL details audit augenrules 32-bit file eaccess passed because of these items:
audit augenrules 32-bit file eperm passed because of these items:
audit augenrules 64-bit file eaccess passed because of these items:
audit augenrules 64-bit file eperm passed because of these items:
audit auditctl 32-bit file eaccess passed because of these items:
audit auditctl 32-bit file eperm passed because of these items:
audit auditctl 64-bit file eaccess passed because of these items:
audit auditctl 64-bit file eperm passed because of these items:
|
Record Any Attempts to Run semanage
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:14:50 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80391-6 References: RHEL-07-030560, SV-86759r3_rule, AU-12(c), CCI-000172, CCI-002884, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_changeIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules semanage passed because of these items:
audit auditctl semanage passed because of these items:
|
Record Any Attempts to Run setsebool
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:14:50 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80392-4 References: RHEL-07-030570, SV-86761r3_rule, AU-12(c), CCI-000172, CCI-002884, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_changeIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules setsebool passed because of these items:
audit auditctl setsebool passed because of these items:
|
Record Any Attempts to Run chcon
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:14:50 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80393-2 References: RHEL-07-030580, SV-86763r3_rule, AU-12(c), CCI-000172, CCI-002884, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_changeIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules chcon passed because of these items:
audit auditctl chcon passed because of these items:
|
Record Any Attempts to Run restorecon
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:14:50 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80394-0 References: RHEL-07-030590, SV-86765r3_rule, AU-12(c), CCI-000172, CCI-002884, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_changeIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules restorecon passed because of these items:
audit auditctl restorecon passed because of these items:
|
Ensure auditd Collects Information on the Use of Privileged Commands
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Result | fail | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:15:08 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-27437-3 References: RHEL-07-030360, SV-86719r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-2(4), AU-6(9), AU-12(a), AU-12(c), IR-5, CCI-002234, SRG-OS-000327-GPOS-00127, Req-10.2.2, 5.2.10, 5.4.1.1, 3.1.7 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART: $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/nullIf the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add a line of
the following form to a file with suffix .rules in the directory
/etc/audit/rules.d for each setuid / setgid program on the system,
replacing the SETUID_PROG_PATH part with the full path of that setuid /
setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules for each setuid / setgid program on the
system, replacing the SETUID_PROG_PATH part with the full path of that
setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
OVAL details audit augenrules suid sgid failed because of these items:
audit augenrules binaries count matches rules count failed because of these items:
audit auditctl suid sgid failed because of these items:
audit auditctl binaries count matches rules count failed because of these items:
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Remediation Shell script: (show)
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet: (show)
|
Ensure auditd Collects Information on the Use of Privileged Commands - passwd
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80395-7 References: RHEL-07-030630, SV-86773r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules passwd passed because of these items:
audit auditctl passwd passed because of these items:
|
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80396-5 References: RHEL-07-030640, SV-86775r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules unix_chkpwd passed because of these items:
audit auditctl unix_chkpwd passed because of these items:
|
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80397-3 References: RHEL-07-030650, SV-86777r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules gpasswd passed because of these items:
audit auditctl gpasswd passed because of these items:
|
Ensure auditd Collects Information on the Use of Privileged Commands - chage
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80398-1 References: RHEL-07-030660, SV-86779r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules chage passed because of these items:
audit auditctl chage passed because of these items:
|
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80399-9 References: RHEL-07-030670, SV-86781r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules userhelper passed because of these items:
audit auditctl userhelper passed because of these items:
|
Ensure auditd Collects Information on the Use of Privileged Commands - su
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80400-5 References: RHEL-07-030680, SV-86783r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules su passed because of these items:
audit auditctl su passed because of these items:
|
Ensure auditd Collects Information on the Use of Privileged Commands - sudo
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80401-3 References: RHEL-07-030690, SV-86785r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules sudo passed because of these items:
audit auditctl sudo passed because of these items:
|
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80402-1 References: RHEL-07-030730, SV-86793r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules sudoedit passed because of these items:
audit auditctl sudoedit passed because of these items:
|
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80403-9 References: RHEL-07-030710, SV-86789r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules newgrp passed because of these items:
audit auditctl newgrp passed because of these items:
|
Ensure auditd Collects Information on the Use of Privileged Commands - chsh
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80404-7 References: RHEL-07-030720, SV-86791r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules chsh passed because of these items:
audit auditctl chsh passed because of these items:
|
Ensure auditd Collects Information on the Use of Privileged Commands - umount
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80405-4 References: RHEL-07-030750, SV-86797r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules umount passed because of these items:
audit auditctl umount passed because of these items:
|
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80406-2 References: RHEL-07-030760, SV-86799r3_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules postdrop passed because of these items:
audit auditctl postdrop passed because of these items:
|
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80407-0 References: RHEL-07-030770, SV-86801r2_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules postqueue passed because of these items:
audit auditctl postqueue passed because of these items:
|
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80408-8 References: RHEL-07-030780, SV-86803r2_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/libexec/openssh/key-sign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules ssh_keysign passed because of these items:
audit auditctl ssh_keysign passed because of these items:
|
Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80409-6 References: RHEL-07-030790, SV-86805r2_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules pt_chown passed because of these items:
audit auditctl pt_chown passed because of these items:
|
Ensure auditd Collects Information on the Use of Privileged Commands - crontab
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80410-4 References: RHEL-07-030800, SV-86807r2_rule, AU-3(1), AU-12(c), CCI-000135, CCI-000172, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged | ||||||||
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
| ||||||||
OVAL details audit augenrules crontab passed because of these items:
audit auditctl crontab passed because of these items:
|
Ensure auditd Collects File Deletion Events by User - rmdir
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:15:08 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-80412-0 References: RHEL-07-030900, SV-86827r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), CCI-000366, CCI-000172, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete | ||||||||||||||||
Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. | ||||||||||||||||
OVAL details audit augenrules 32-bit rmdir passed because of these items:
audit augenrules 64-bit rmdir passed because of these items:
audit auditctl 32-bit rmdir passed because of these items:
audit auditctl 64-bit rmdir passed because of these items:
|
Ensure auditd Collects File Deletion Events by User - unlink
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:15:08 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27206-2 References: RHEL-07-030910, SV-86829r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), CCI-000366, CCI-000172, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the -a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=4294967295 -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete | ||||||||||||||||
Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. | ||||||||||||||||
OVAL details audit augenrules 32-bit unlink passed because of these items:
audit augenrules 64-bit unlink passed because of these items:
audit auditctl 32-bit unlink passed because of these items:
audit auditctl 64-bit unlink passed because of these items:
|
Ensure auditd Collects File Deletion Events by User - unlinkat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:15:08 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27206-2 References: RHEL-07-030920, SV-86831r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), CCI-000366, CCI-000172, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete | ||||||||||||||||
Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. | ||||||||||||||||
OVAL details audit augenrules 32-bit unlinkat passed because of these items:
audit augenrules 64-bit unlinkat passed because of these items:
audit auditctl 32-bit unlinkat passed because of these items:
audit auditctl 64-bit unlinkat passed because of these items:
|
Ensure auditd Collects File Deletion Events by User - rename
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:15:08 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27206-2 References: RHEL-07-030880, SV-86823r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), CCI-000366, CCI-000172, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the -a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete | ||||||||||||||||
Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. | ||||||||||||||||
OVAL details audit augenrules 32-bit rename passed because of these items:
audit augenrules 64-bit rename passed because of these items:
audit auditctl 32-bit rename passed because of these items:
audit auditctl 64-bit rename passed because of these items:
|
Ensure auditd Collects File Deletion Events by User - renameat
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:15:08 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-80413-8 References: RHEL-07-030890, SV-86825r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), CCI-000366, CCI-000172, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.14, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the -a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete | ||||||||||||||||
Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. | ||||||||||||||||
OVAL details audit augenrules 32-bit renameat passed because of these items:
audit augenrules 64-bit renameat passed because of these items:
audit auditctl 32-bit renameat passed because of these items:
audit auditctl 64-bit renameat passed because of these items:
|
Ensure auditd Collects Information on Kernel Module Loading - init_module
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:15:08 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-80414-6 References: RHEL-07-030820, SV-86811r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7 | ||||||||||||||||
Description | To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S init_module -F key=modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d .
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules .
| ||||||||||||||||
Rationale | The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. | ||||||||||||||||
OVAL details audit augenrules 32-bit init_module passed because of these items:
audit augenrules 64-bit init_module passed because of these items:
audit auditctl 32-bit init_module passed because of these items:
audit auditctl 64-bit init_module passed because of these items:
|
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:15:08 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-80415-3 References: RHEL-07-030830, SV-86813r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7 | ||||||||||||||||
Description | To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S delete_module -F key=modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d .
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules .
| ||||||||||||||||
Rationale | The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. | ||||||||||||||||
OVAL details audit augenrules 32-bit delete_module passed because of these items:
audit augenrules 64-bit delete_module passed because of these items:
audit auditctl 32-bit delete_module passed because of these items:
audit auditctl 64-bit delete_module passed because of these items:
|
Ensure auditd Collects Information on Kernel Module Loading - insmod
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80446-8 References: RHEL-07-030840, SV-86815r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7 | ||||||||
Description | To capture invocation of insmod, utility used to insert modules into kernel, use the following line: -w /usr/sbin/insmod -p x -k modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d .
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules .
| ||||||||
Rationale | The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. | ||||||||
OVAL details audit augenrules insmod passed because of these items:
audit auditctl insmod passed because of these items:
|
Ensure auditd Collects Information on Kernel Module Unloading - rmmod
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80416-1 References: RHEL-07-030850, SV-86817r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7 | ||||||||
Description | To capture invocation of rmmod, utility used to remove modules from kernel, add the following line: -w /usr/sbin/rmmod -p x -k modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d .
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules .
| ||||||||
Rationale | The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. | ||||||||
OVAL details audit augenrules rmmod passed because of these items:
audit auditctl rmmod passed because of these items:
|
Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80417-9 References: RHEL-07-030860, SV-86819r2_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000172, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, Req-10.2.7, 5.2.17, 3.1.7 | ||||||||
Description | To capture invocation of modprobe, utility used to insert / remove modules from kernel, add the following line: -w /usr/sbin/modprobe -p x -k modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d .
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules .
| ||||||||
Rationale | The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. | ||||||||
OVAL details audit augenrules modprobe passed because of these items:
audit auditctl modprobe passed because of these items:
|
Shutdown System When Auditing Failures Occur
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:14:50 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80381-7 References: RHEL-07-030010, SV-86705r1_rule, AU-5, AU-5(a), CCI-000139, SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023, 3.3.1, 3.3.4 | ||||||||
Description | If the -f 2If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to the
top of the /etc/audit/audit.rules file:
-f 2 | ||||||||
Rationale | It is critical for the appropriate personnel to be aware if a system
is at risk of failing to process audit logs as required. Without this
notification, the security personnel may be unaware of an impending failure of
the audit capability, and system operation may be adversely affected.
| ||||||||
OVAL details audit augenrules configuration shutdown passed because of these items:
audit auditctl configuration shutdown passed because of these items:
|
Record Events that Modify User/Group Information - /etc/group
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:14:50 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80433-6 References: RHEL-07-030871, SV-87817r2_rule, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000018, CCI-000172, CCI-001403, CCI-002130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, 5.4.1.1, 3.1.7 | ||||||||
Description | If the -w /etc/group -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification | ||||||||
Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | ||||||||
OVAL details audit augenrules group passed because of these items:
audit group passed because of these items:
|
Record Events that Modify User/Group Information - /etc/gshadow
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:14:50 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80432-8 References: RHEL-07-030872, SV-87819r2_rule, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000018, CCI-000172, CCI-001403, CCI-002130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, 5.4.1.1, 3.1.7 | ||||||||
Description | If the -w /etc/gshadow -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification | ||||||||
Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | ||||||||
OVAL details audit augenrules gshadow passed because of these items:
audit gshadow passed because of these items:
|
Record Events that Modify User/Group Information - /etc/shadow
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:14:50 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80431-0 References: RHEL-07-030873, SV-87823r2_rule, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000018, CCI-000172, CCI-001403, CCI-002130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, 5.4.1.1, 3.1.7 | ||||||||
Description | If the -w /etc/shadow -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification | ||||||||
Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | ||||||||
OVAL details audit augenrules shadow passed because of these items:
audit shadow passed because of these items:
|
Record Events that Modify User/Group Information - /etc/passwd
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:14:50 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80435-1 References: RHEL-07-030870, SV-86821r3_rule, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000018, CCI-000172, CCI-001403, CCI-002130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221, 5.4.1.1, 3.1.7 | ||||||||
Description | If the -w /etc/passwd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification | ||||||||
Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | ||||||||
OVAL details audit augenrules passwd passed because of these items:
audit passwd passed because of these items:
|
Record Events that Modify User/Group Information - /etc/security/opasswd
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:14:50 | ||||||||
Severity | medium | ||||||||
Identifiers and References | Identifiers: CCE-80430-2 References: RHEL-07-030874, SV-87825r2_rule, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, CCI-000018, CCI-000172, CCI-001403, CCI-002130, Req-10.2.5, 5.2.5, SRG-OS-000004-GPOS-00004, 5.4.1.1, 3.1.7 | ||||||||
Description | If the -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification | ||||||||
Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | ||||||||
OVAL details audit augenrules opasswd passed because of these items:
audit opasswd passed because of these items:
|
Ensure auditd Collects Information on Exporting to Media (successful)
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_media_export | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:15:08 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-27447-2 References: RHEL-07-030740, SV-86795r3_rule, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-3(1), AU-12(a), AU-12(c), IR-5, CCI-000135, CCI-002884, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, Req-10.2.7, 5.2.13, 5.4.1.1, 3.1.7 | ||||||||||||||||
Description | At a minimum, the audit system should collect media exportation
events for all users and root. If the -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=exportIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export | ||||||||||||||||
Rationale | The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. | ||||||||||||||||
OVAL details audit augenrules mount 32-bit passed because of these items:
audit augenrules mount 64-bit passed because of these items:
audit auditctl mount 32-bit passed because of these items:
audit auditctl mount 64-bit passed because of these items:
|
Ensure auditd Collects System Administrator Actions
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions | ||||||||
Result | pass | ||||||||
Time | 2018-04-30T11:15:08 | ||||||||
Severity | low | ||||||||
Identifiers and References | Identifiers: CCE-27461-3 References: RHEL-07-030700, SV-86787r3_rule, AC-2(7)(b), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), iAU-3(1), AU-12(a), AU-12(c), IR-5, CCI-000126, CCI-000130, CCI-000135, CCI-000172, CCI-002884, Req-10.2.2, Req-10.2.5.b, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, 5.4.1.1, 3.1.7 | ||||||||
Description | At a minimum, the audit system should collect administrator actions
for all users and root. If the -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actionsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions | ||||||||
Rationale | The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. | ||||||||
OVAL details audit augenrules sudoers passed because of these items:
audit auditctl sudoers passed because of these items:
|
Enable auditd Service
Rule ID | xccdf_org.ssgproject.content_rule_service_auditd_enabled | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:14:50 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Severity | high | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-27407-6 References: RHEL-07-030000, SV-86703r1_rule, AU-3, AC-17(1), AU-1(b), AU-10, AU-12(a), AU-12(c), AU-14(1), IR-5, CCI-000126, CCI-000131, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, Req-10, 4.1.2, 5.4.1.1, 3.3.1, 3.3.2, 3.3.6 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description | The $ sudo systemctl enable auditd.service | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Rationale | Without establishing what type of events occurred, it would be difficult
to establish, correlate, and investigate the events leading up to an outage or attack.
Ensuring the | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
OVAL details Test that the auditd service is running passed because of these items:
systemd test passed because of these items:
systemd test passed because of these items:
|
Uninstall telnet-server Package
Rule ID | xccdf_org.ssgproject.content_rule_package_telnet-server_removed | ||
Result | pass | ||
Time | 2018-04-30T11:15:08 | ||
Severity | high | ||
Identifiers and References | Identifiers: CCE-27165-0 References: RHEL-07-021710, SV-86701r1_rule, AC-17(8), CM-7(a), CCI-000381, SRG-OS-000095-GPOS-00049, 2.1.1 | ||
Description | The $ sudo yum erase telnet-server | ||
Rationale |
It is detrimental for operating systems to provide, or install by default, functionality exceeding
requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore
may remain unsecure. They increase the risk to the platform by providing additional attack vectors.
| ||
OVAL details package telnet-server is removed passed because these items were not found:Object oval:ssg-obj_package_telnet-server_removed:obj:1 of type rpminfo_object
|
Uninstall rsh-server Package
Rule ID | xccdf_org.ssgproject.content_rule_package_rsh-server_removed | ||
Result | pass | ||
Time | 2018-04-30T11:15:08 | ||
Severity | high | ||
Identifiers and References | Identifiers: CCE-27342-5 References: RHEL-07-020000, SV-86591r1_rule, AC-17(8), CM-7(a), CCI-000381, SRG-OS-000095-GPOS-00049 | ||
Description | The $ sudo yum erase rsh-server | ||
Rationale | The | ||
OVAL details package rsh-server is removed passed because these items were not found:Object oval:ssg-obj_package_rsh-server_removed:obj:1 of type rpminfo_object
|
Remove Host-Based Authentication Files
Rule ID | xccdf_org.ssgproject.content_rule_no_host_based_files |
Result | notchecked |
Time | 2018-04-30T11:15:08 |
Severity | high |
Identifiers and References | Identifiers: CCE-80513-5 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-040550, SV-86903r1_rule |
Description |
The $ sudo rm /etc/shosts.equiv |
Rationale | The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. |
Remove User Host-Based Authentication Files
Rule ID | xccdf_org.ssgproject.content_rule_no_user_host_based_files |
Result | notchecked |
Time | 2018-04-30T11:15:08 |
Severity | high |
Identifiers and References | Identifiers: CCE-80514-3 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-040540, SV-86901r1_rule |
Description |
The $ sudo rm ~/.shosts |
Rationale | The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false |
Uninstall ypserv Package
Rule ID | xccdf_org.ssgproject.content_rule_package_ypserv_removed | ||
Result | pass | ||
Time | 2018-04-30T11:15:08 | ||
Severity | high | ||
Identifiers and References | Identifiers: CCE-27399-5 References: RHEL-07-020010, SV-86593r1_rule, AC-17(8), CM-7(a), CCI-000381, SRG-OS-000095-GPOS-00049, 2.2.16 | ||
Description | The $ sudo yum erase ypserv | ||
Rationale | The NIS service provides an unencrypted authentication service which does not
provide for the confidentiality and integrity of user passwords or the remote session.
Removing the | ||
OVAL details package ypserv is removed passed because these items were not found:Object oval:ssg-obj_package_ypserv_removed:obj:1 of type rpminfo_object
|
Uninstall tftp-server Package
Rule ID | xccdf_org.ssgproject.content_rule_package_tftp-server_removed | ||
Result | pass | ||
Time | 2018-04-30T11:15:08 | ||
Severity | high | ||
Identifiers and References | Identifiers: CCE-80213-2 References: RHEL-07-040700, SV-86925r1_rule, AC-17(8), CM-6(c), CM-7, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, SRG-OS-000480-GPOS-00227 | ||
Description |
The $ sudo yum erase tftp-server | ||
Rationale |
Removing the | ||
OVAL details package tftp-server is removed passed because these items were not found:Object oval:ssg-obj_package_tftp-server_removed:obj:1 of type rpminfo_object
|
Ensure tftp Daemon Uses Secure Mode
Rule ID | xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode | ||||||
Result | pass | ||||||
Time | 2018-04-30T11:15:08 | ||||||
Severity | medium | ||||||
Identifiers and References | Identifiers: CCE-80214-0 References: RHEL-07-040720, SV-86929r1_rule, AC-6, AC-17(8), CM-7, CCI-000366, SRG-OS-000480-GPOS-00227 | ||||||
Description | If running the server_args = -s /var/lib/tftpboot | ||||||
Rationale | Using the | ||||||
OVAL details tftpd secure mode passed because these items were not found:Object oval:ssg-object_tftpd_uses_secure_mode:obj:1 of type textfilecontent54_object
|
Disable KDump Kernel Crash Analyzer (kdump)
Rule ID | xccdf_org.ssgproject.content_rule_service_kdump_disabled | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:15:09 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Severity | medium | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-80258-7 References: RHEL-07-021300, SV-86681r1_rule, AC-17(8), CM-7, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00227 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description | The $ sudo systemctl disable kdump.service | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Rationale | Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
OVAL details systemd test passed because of these items:
systemd test passed because of these items:
Test that the kdump service is not running passed because these items were not found:Object oval:ssg-obj_service_not_running_kdump:obj:1 of type systemdunitproperty_object
State oval:ssg-state_service_not_running_kdump:ste:1 of type systemdunitproperty_state
|
Verify User Who Owns /etc/cron.allow file
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_allow | ||||
Result | pass | ||||
Time | 2018-04-30T11:15:09 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-80378-3 References: RHEL-07-021110, SV-86677r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227 | ||||
Description |
If $ sudo chown root /etc/cron.allow | ||||
Rationale | If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. | ||||
OVAL details Testing user ownership of /etc/cron.allow passed because these items were not found:Object oval:ssg-object_file_etc_cron_allow:obj:1 of type file_object
State oval:ssg-state_etc_cron_allow_uid_root:ste:1 of type file_state
|
Verify Group Who Owns /etc/cron.allow file
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow | ||||
Result | pass | ||||
Time | 2018-04-30T11:15:09 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-80379-1 References: RHEL-07-021120, SV-86679r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227 | ||||
Description |
If $ sudo chgrp root /etc/cron.allow | ||||
Rationale | If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. | ||||
OVAL details Testing group ownership /etc/cron.allow passed because these items were not found:Object oval:ssg-object_groupowner_cron_allow_file:obj:1 of type file_object
State oval:ssg-state_groupowner_cron_allow_file:ste:1 of type file_state
|
Allow Only SSH Protocol 2
Rule ID | xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2 | ||||||
Result | pass | ||||||
Time | 2018-04-30T11:15:09 | ||||||
Severity | high | ||||||
Identifiers and References | Identifiers: CCE-27320-1 References: RHEL-07-040390, SV-86875r2_rule, AC-17(8).1(ii), IA-5(1)(c), CCI-000197, CCI-000366, 5.2.2, SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227, 5.5.6, 3.1.13, 3.5.4 | ||||||
Description | Only SSH protocol version 2 connections should be
permitted. The default setting in
Protocol 2 | ||||||
Rationale | SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. | ||||||
Warnings | warning
As of openssh-server version 7.4 and above, the only protocol supported is version 2, and line Protocol 2in /etc/ssh/sshd_config is not necessary. | ||||||
OVAL details sshd uses protocol 2 passed because these items were not found:Object oval:ssg-object_sshd_allow_only_protocol2:obj:1 of type textfilecontent54_object
|
Disable GSSAPI Authentication
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth | ||||
Result | pass | ||||
Time | 2018-04-30T11:15:09 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-80220-7 References: RHEL-07-040430, SV-86883r2_rule, CM-6(c), CCI-000368, CCI-000318, CCI-001812, CCI-001813, CCI-001814, SRG-OS-000364-GPOS-00151, 3.1.12 | ||||
Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or
correct the following line in the GSSAPIAuthentication no | ||||
Rationale | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. | ||||
OVAL details tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file passed because of these items:
|
Disable Kerberos Authentication
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth | ||||
Result | pass | ||||
Time | 2018-04-30T11:15:09 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-80221-5 References: RHEL-07-040440, SV-86885r2_rule, CM-6(c), CCI-000368, CCI-000318, CCI-001812, CCI-001813, CCI-001814, SRG-OS-000364-GPOS-00151, 3.1.12 | ||||
Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like Kerberos. To disable Kerberos authentication, add
or correct the following line in the KerberosAuthentication no | ||||
Rationale | Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation. | ||||
OVAL details tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config file passed because of these items:
|
Enable Use of Strict Mode Checking
Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes | ||||
Result | pass | ||||
Time | 2018-04-30T11:15:09 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-80222-3 References: RHEL-07-040450, SV-86887r2_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.12 | ||||
Description | SSHs StrictModes option checks file and ownership permissions in
the user's home directory StrictModes yes | ||||
Rationale | If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. | ||||
OVAL details tests the value of StrictModes setting in the /etc/ssh/sshd_config file passed because of these items:
|
Enable Use of Privilege Separation
Rule ID | xccdf_org.ssgproject.content_rule_sshd_use_priv_separation | ||||
Result | pass | ||||
Time | 2018-04-30T11:15:09 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-80223-1 References: RHEL-07-040460, SV-86889r2_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.12 | ||||
Description | When enabled, SSH will create an unprivileged child process that
has the privilege of the authenticated user. To enable privilege separation in
SSH, add or correct the following line in the UsePrivilegeSeparation sandbox | ||||
Rationale | SSH daemon privilege separation causes the SSH process to drop root privileges when not needed which would decrease the impact of software vulnerabilities in the unprivileged section. | ||||
OVAL details tests the value of UsePrivilegeSeparation setting in the /etc/ssh/sshd_config file passed because of these items:
|
Disable Compression Or Set Compression to delayed
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_compression | ||||
Result | pass | ||||
Time | 2018-04-30T11:15:09 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-80224-9 References: RHEL-07-040470, SV-86891r2_rule, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.12 | ||||
Description | Compression is useful for slow network connections over long
distances but can cause performance issues on local LANs. If use of compression
is required, it should be enabled only after a user has authenticated; otherwise
, it should be disabled. To disable compression or delay compression until after
a user has successfully authenticated, add or correct the following line in the
Compression noor Compression delayed | ||||
Rationale | If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially wih root privileges. | ||||
OVAL details tests the value of Compression setting in the /etc/ssh/sshd_config file passed because of these items:
|
Print Last Log
Rule ID | xccdf_org.ssgproject.content_rule_sshd_print_last_log | ||||
Result | pass | ||||
Time | 2018-04-30T11:15:09 | ||||
Severity | low | ||||
Identifiers and References | Identifiers: CCE-80225-6 References: RHEL-07-040360, SV-86869r2_rule, AC-9, CCI-000366, SRG-OS-000480-GPOS-00227 | ||||
Description | When enabled, SSH will display the date and time of the last
successful account logon. To enable LastLog in
SSH, add or correct the following line in the PrintLastLog yes | ||||
Rationale | Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. | ||||
OVAL details tests the value of PrintLastLog setting in the /etc/ssh/sshd_config file passed because of these items:
|
Set SSH Idle Timeout Interval
Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout | ||||
Result | pass | ||||
Time | 2018-04-30T11:15:09 | ||||
Severity | low | ||||
Identifiers and References | Identifiers: CCE-27433-2 References: RHEL-07-040320, SV-86861r2_rule, AC-2(5), SA-8(i), AC-12, CCI-001133, CCI-002361, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, Req-8.1.8, 5.2.12, 5.5.6, 3.1.11 | ||||
Description | SSH allows administrators to set an idle timeout
interval.
After this interval has passed, the idle user will be
automatically logged out.
ClientAliveInterval intervalThe timeout interval is given in seconds. To have a timeout of 10 minutes, set interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle. | ||||
Rationale | Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended. | ||||
OVAL details timeout is configured passed because of these items:
|
Set SSH Client Alive Count
Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_keepalive | ||||
Result | pass | ||||
Time | 2018-04-30T11:15:09 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27082-7 References: RHEL-07-040340, SV-86865r2_rule, AC-2(5), SA-8, AC-12, CCI-001133, CCI-002361, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, 5.2.12, 5.5.6, 3.1.11 | ||||
Description | To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax 0 | ||||
Rationale |
This ensures a user login will be terminated as soon as the | ||||
OVAL details Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file passed because of these items:
|
Disable SSH Support for .rhosts Files
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_rhosts | ||||||
Result | pass | ||||||
Time | 2018-04-30T11:15:09 | ||||||
Severity | medium | ||||||
Identifiers and References | Identifiers: CCE-27377-1 References: RHEL-07-040350, SV-86867r2_rule, AC-3, CM-6(a), CCI-000366, 5.2.6, SRG-OS-000480-GPOS-00227, 5.5.6, 3.1.12 | ||||||
Description | SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via IgnoreRhosts yes | ||||||
Rationale | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. | ||||||
OVAL details Tests the value of the IgnoreRhosts[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file passed because these items were not found:Object oval:ssg-obj_sshd_rsh_emulation_disabled:obj:1 of type textfilecontent54_object
|
Disable SSH Support for User Known Hosts
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts | ||||
Result | pass | ||||
Time | 2018-04-30T11:15:09 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-80372-6 References: RHEL-07-040380, SV-86873r2_rule, CM-6(a), CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.12 | ||||
Description | SSH can allow system users user host-based authentication to connect
to systems if a cache of the remote systems public keys are available.
This should be disabled.
IgnoreUserKnownHosts yes | ||||
Rationale | Configuring this setting for the SSH daemon provides additional assurance that remove login via SSH will require a password, even in the event of misconfiguration elsewhere. | ||||
OVAL details Tests the value of the IgnoreUserKnownHosts[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file passed because of these items:
|
Disable SSH Support for Rhosts RSA Authentication
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa | ||||||
Result | pass | ||||||
Time | 2018-04-30T11:15:09 | ||||||
Severity | medium | ||||||
Identifiers and References | Identifiers: CCE-80373-4 References: RHEL-07-040330, SV-86863r2_rule, CM-6(a), CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.12 | ||||||
Description | SSH can allow authentication through the obsolete rsh
command through the use of the authenticating user's SSH keys. This should be disabled.
RhostsRSAAuthentication no | ||||||
Rationale | Configuring this setting for the SSH daemon provides additional assurance that remove login via SSH will require a password, even in the event of misconfiguration elsewhere. | ||||||
Warnings | warning
As of openssh-server version 7.4 and above,
the RhostsRSAAuthentication option has been deprecated, and the line
RhostsRSAAuthentication noin /etc/ssh/sshd_config is not
necessary. | ||||||
OVAL details Tests the value of the RhostsRSAAuthentication[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file passed because these items were not found:Object oval:ssg-obj_sshd_disable_rhosts_rsa:obj:1 of type textfilecontent54_object
|
Disable Host-Based Authentication
Rule ID | xccdf_org.ssgproject.content_rule_disable_host_auth | ||||||
Result | pass | ||||||
Time | 2018-04-30T11:15:09 | ||||||
Severity | medium | ||||||
Identifiers and References | Identifiers: CCE-27413-4 References: RHEL-07-010470, SV-86583r2_rule, AC-3, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00229, 5.2.7, 5.5.6, 3.1.12 | ||||||
Description | SSH's cryptographic host-based authentication is
more secure than HostbasedAuthentication no | ||||||
Rationale | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. | ||||||
OVAL details sshd HostbasedAuthentication passed because these items were not found:Object oval:ssg-object_sshd_hostbasedauthentication:obj:1 of type textfilecontent54_object
|
Enable Encrypted X11 Forwarding
Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding | ||||
Result | pass | ||||
Time | 2018-04-30T11:15:09 | ||||
Severity | high | ||||
Identifiers and References | Identifiers: CCE-80226-4 References: RHEL-07-040710, SV-86927r2_rule, CM-2(1)(b), CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.13, 5.2.4 | ||||
Description | By default, remote X11 connections are not encrypted when initiated
by users. SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding yes | ||||
Rationale | Open X displays allow an attacker to capture keystrokes and to execute commands remotely. | ||||
OVAL details tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file passed because of these items:
|
Disable SSH Root Login
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_root_login | ||||
Result | pass | ||||
Time | 2018-04-30T11:15:09 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27445-6 References: RHEL-07-040370, SV-86871r2_rule, AC-3, AC-6(2), IA-2(1), IA-2(5), CCI-000366, SRG-OS-000480-GPOS-00227, 5.2.8, 5.5.6, 3.1.1, 3.1.5 | ||||
Description | The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line
in PermitRootLogin no | ||||
Rationale | Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. | ||||
OVAL details Tests the value of the PermitRootLogin[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file passed because of these items:
|
Disable SSH Access via Empty Passwords
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords | ||||
Result | pass | ||||
Time | 2018-04-30T11:15:09 | ||||
Severity | high | ||||
Identifiers and References | Identifiers: CCE-27471-2 References: RHEL-07-010300, SV-86563r2_rule, AC-3, AC-6, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00229, 5.5.6, 3.1.1, 3.1.5, 5.2.9 | ||||
Description | To explicitly disallow SSH login from accounts with
empty passwords, add or correct the following line in PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. | ||||
Rationale | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. | ||||
OVAL details Tests the value of the PermitEmptyPasswords[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file passed because of these items:
|
Do Not Allow SSH Environment Options
Rule ID | xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env | ||||
Result | pass | ||||
Time | 2018-04-30T11:15:09 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27363-1 References: RHEL-07-010460, SV-86581r2_rule, CM-6(b), CCI-000366, SRG-OS-000480-GPOS-00229, 5.2.10, 5.5.6, 3.1.12 | ||||
Description | To ensure users are not able to override environment
options to the SSH daemon, add or correct the following line
in PermitUserEnvironment no | ||||
Rationale | SSH environment options potentially allow users to bypass access restriction in some configurations. | ||||
OVAL details Check value of PermitUserEnvironment in /etc/ssh/sshd_config passed because of these items:
|
Use Only FIPS 140-2 Validated Ciphers
Rule ID | xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers | ||||
Result | pass | ||||
Time | 2018-04-30T11:15:09 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-27295-5 References: RHEL-07-040110, SV-86845r2_rule, AC-3, AC-17(2), AU-10(5), CM-6(b), IA-5(1)(c), IA-7, CCI-000068, CCI-000366, CCI-000803, SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, 5.2.10, 5.5.6, 3.1.13, 3.13.11, 3.13.8 | ||||
Description | Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in Ciphers aes128-ctr,aes192-ctr,aes256-ctr The following ciphers are FIPS 140-2 certified on RHEL 7: - aes128-ctr - aes192-ctr - aes256-ctr - aes128-cbc - aes192-cbc - aes256-cbc - 3des-cbc - rijndael-cbc@lysator.liu.se Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf. | ||||
Rationale |
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
| ||||
OVAL details tests the value of Ciphers setting in the /etc/ssh/sshd_config file passed because of these items:
|
Use Only FIPS 140-2 Validated MACs
Rule ID | xccdf_org.ssgproject.content_rule_sshd_use_approved_macs | ||||||||||||||
Result | pass | ||||||||||||||
Time | 2018-04-30T11:15:09 | ||||||||||||||
Severity | medium | ||||||||||||||
Identifiers and References | Identifiers: CCE-27455-5 References: RHEL-07-040400, SV-86877r2_rule, AC-17(2), IA-7, SC-13, CCI-001453, SRG-OS-000250-GPOS-00093, 3.1.13, 3.13.11, 3.13.8, 5.2.12 | ||||||||||||||
Description | Limit the MACs to those hash algorithms which are FIPS-approved.
The following line in MACs hmac-sha2-512,hmac-sha2-256 Only the following message authentication codes are FIPS 140-2 certified on RHEL 7: - hmac-sha1 - hmac-sha2-256 - hmac-sha2-512 - hmac-sha1-etm@openssh.com - hmac-sha2-256-etm@openssh.com - hmac-sha2-512-etm@openssh.com Any combination of the above MACs will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf. | ||||||||||||||
Rationale | DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithms meeting this requirement is SHA2. | ||||||||||||||
OVAL details tests the value of MACs setting in the /etc/ssh/sshd_config file passed because of these items:
|
Install the OpenSSH Server Package
Rule ID | xccdf_org.ssgproject.content_rule_package_openssh-server_installed | ||||||||||||||||
Result | pass | ||||||||||||||||
Time | 2018-04-30T11:15:09 | ||||||||||||||||
Severity | medium | ||||||||||||||||
Identifiers and References | Identifiers: CCE-80215-7 References: RHEL-07-040300, SV-86857r1_rule, SC-8, CCI-002418, CCI-002420, CCI-002421, CCI-002422, SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS000423-GPOS-00190 | ||||||||||||||||
Description |
The $ sudo yum install openssh-server | ||||||||||||||||
Rationale | Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. | ||||||||||||||||
OVAL details package openssh-server is installed passed because of these items:
|
Enable the OpenSSH Service
Rule ID | xccdf_org.ssgproject.content_rule_service_sshd_enabled | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Result | pass | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:15:09 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Severity | medium | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-80216-5 References: RHEL-07-040310, SV-86859r2_rule, SC-8, CCI-002418, CCI-002420, CCI-002421, CCI-002422, SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS000423-GPOS-00190, 3.1.13, 3.5.4, 3.13.8 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description | The SSH server service, sshd, is commonly needed.
The $ sudo systemctl enable sshd.service | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Rationale |
Without protection of the transmitted information, confidentiality, and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered.
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
OVAL details Test that the sshd service is running passed because of these items:
systemd test passed because of these items:
systemd test passed because of these items:
|
Configure SSSD LDAP Backend Client CA Certificate
Rule ID | xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca |
Result | notchecked |
Time | 2018-04-30T11:15:09 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80516-8 References: CCI-001453, SRG-OS-000250-GPOS-00093, RHEL-07-040200, SV-86855r2_rule |
Description | Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. By setting the ldap_tls_cacertoption in /etc/sssd/sssd.confto point to the path for the X.509 certificates used for peer authentication. ldap_tls_cacert /path/to/tls/ca.cert |
Rationale |
Without cryptographic integrity protections, information can be altered by
unauthorized users without detection.
|
Configure SSSD LDAP Backend Client CA Certificate Location
Rule ID | xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir |
Result | notchecked |
Time | 2018-04-30T11:15:09 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80515-0 References: CCI-001453, SRG-OS-000250-GPOS-00093, RHEL-07-040190, SV-86853r2_rule |
Description | Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. By setting the ldap_tls_cacertdiroption in /etc/sssd/sssd.confto point to the path for the X.509 certificates used for peer authentication. ldap_tls_cacertdir /path/to/tls/cacert |
Rationale |
Without cryptographic integrity protections, information can be altered by
unauthorized users without detection.
|
Configure PAM in SSSD Services
Rule ID | xccdf_org.ssgproject.content_rule_sssd_enable_pam_services | ||||||
Result | fail | ||||||
Time | 2018-04-30T11:15:09 | ||||||
Severity | medium | ||||||
Identifiers and References | Identifiers: CCE-80437-7 References: RHEL-07-041002, SV-87051r2_rule, IA-2(11), CCI-001948, CCI-001953, CCI-001954, SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162 | ||||||
Description |
SSSD should be configured to run SSSD [sssd] services = sudo, autofs, pam | ||||||
Rationale | Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. | ||||||
OVAL details check if pam is configured in the services setting of the sssd section failed because these items were missing:Object oval:ssg-obj_sssd_enable_pam_services:obj:1 of type textfilecontent54_object
| |||||||
Remediation Shell script: (show)
|
Remove the X Windows Package Group
Rule ID | xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed | ||
Result | pass | ||
Time | 2018-04-30T11:15:09 | ||
Severity | medium | ||
Identifiers and References | Identifiers: CCE-27218-7 References: RHEL-07-040730, SV-86931r2_rule, AC-17(8).1(ii), CCI-000366, 2.2.2, SRG-OS-000480-GPOS-00227 | ||
Description | By removing the xorg-x11-server-common package, the system no longer has X Windows
installed. If X Windows is not installed then the system cannot boot into graphical user mode.
This prevents the system from being accidentally or maliciously booted into a $ sudo yum groupremove "X Window System" $ sudo yum remove xorg-x11-server-common | ||
Rationale | Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented. | ||
OVAL details package xorg-x11-server-common is removed passed because these items were not found:Object oval:ssg-obj_package_xorg-x11-server-common_removed:obj:1 of type rpminfo_object
|
Configure Time Service Maxpoll Interval
Rule ID | xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll | ||||||||||||||||||||||||||||||||||||
Result | pass | ||||||||||||||||||||||||||||||||||||
Time | 2018-04-30T11:15:09 | ||||||||||||||||||||||||||||||||||||
Severity | low | ||||||||||||||||||||||||||||||||||||
Identifiers and References | Identifiers: CCE-80439-3 References: RHEL-07-040500, SV-86893r2_rule, AU-8(1)(a), CCI-001891, CCI-002046, SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144 | ||||||||||||||||||||||||||||||||||||
Description | The maxpoll 10 | ||||||||||||||||||||||||||||||||||||
Rationale | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. | ||||||||||||||||||||||||||||||||||||
OVAL details check if maxpoll is set in /etc/ntp.conf passed because these items were not found:Object oval:ssg-obj_ntp_set_maxpoll:obj:1 of type textfilecontent54_object
State oval:ssg-state_time_service_set_maxpoll:ste:1 of type textfilecontent54_state
check if all server entries have maxpoll set in /etc/ntp.conf passed because these items were not found:Object oval:ssg-obj_ntp_all_server_has_maxpoll:obj:1 of type textfilecontent54_object
State oval:ssg-state_server_has_maxpoll:ste:1 of type textfilecontent54_state
check if maxpoll is set in /etc/chrony.conf passed because of these items:
check if all server entries have maxpoll set in /etc/chrony.conf passed because of these items:
|
Prevent Unrestricted Mail Relaying
Rule ID | xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay |
Result | notchecked |
Time | 2018-04-30T11:15:09 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80512-7 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-040680, SV-86921r2_rule |
Description | Modify the /etc/postfix/main.cffile to restrict client connections to the local network with the following command: $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' |
Rationale | If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. |
Configure LDAP Client to Use TLS For All Transactions
Rule ID | xccdf_org.ssgproject.content_rule_ldap_client_start_tls | ||||
Result | pass | ||||
Time | 2018-04-30T11:15:09 | ||||
Severity | medium | ||||
Identifiers and References | Identifiers: CCE-80291-8 References: RHEL-07-040180, SV-86851r2_rule, AC-17(2), CM-7, CCI-001453, SRG-OS-000250-GPOS-00093 | ||||
Description | This check verifies that RHEL7 implements cryptography
to protect the integrity of remote LDAP authentication sessions.
$ sudo grep -i useldapauth /etc/sysconfig/authconfig If USELDAPAUTH=yes , then LDAP is being used. To check if LDAP is
configured to use TLS, use the following command:
$ sudo grep -i ssl /etc/pam_ldap.conf | ||||
Rationale | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL. | ||||
OVAL details Tests the value of the ssl start_tls setting in the /etc/nslcd.conf file passed because of these items:
|
Mount Remote Filesystems with nosuid
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems | ||||||||||||||
Result | pass | ||||||||||||||
Time | 2018-04-30T11:15:09 | ||||||||||||||
Severity | medium | ||||||||||||||
Identifiers and References | Identifiers: CCE-80240-5 References: RHEL-07-021020, SV-86669r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227 | ||||||||||||||
Description |
Add the | ||||||||||||||
Rationale | NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. | ||||||||||||||
OVAL details no nfs passed because these items were not found:Object oval:ssg-object_no_nfs_defined_etc_fstab_nosuid:obj:1 of type textfilecontent54_object
all nfs has nosuid passed because these items were not found:Object oval:ssg-object_nfs_nosuid_etc_fstab:obj:1 of type textfilecontent54_object
State oval:ssg-state_remote_filesystem_nosuid:ste:1 of type textfilecontent54_state
|
Mount Remote Filesystems with noexec
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems | ||||||||||||||
Result | pass | ||||||||||||||
Time | 2018-04-30T11:15:09 | ||||||||||||||
Severity | medium | ||||||||||||||
Identifiers and References | Identifiers: CCE-80436-9 References: RHEL-07-021021, SV-87813r1_rule, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227 | ||||||||||||||
Description |
Add the | ||||||||||||||
Rationale | The noexec mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. | ||||||||||||||
OVAL details no nfs passed because these items were not found:Object oval:ssg-object_no_nfs_defined_etc_fstab_noexec:obj:1 of type textfilecontent54_object
all nfs has noexec passed because these items were not found:Object oval:ssg-object_nfs_noexec_etc_fstab:obj:1 of type textfilecontent54_object
State oval:ssg-state_remote_filesystem_noexec:ste:1 of type textfilecontent54_state
|
Mount Remote Filesystems with Kerberos Security
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems | ||||||||||||||
Result | pass | ||||||||||||||
Time | 2018-04-30T11:15:09 | ||||||||||||||
Severity | medium | ||||||||||||||
Identifiers and References | Identifiers: CCE-27458-9 References: RHEL-07-040750, SV-86935r3_rule, AC-14(1), CCI-000366, SRG-OS-000480-GPOS-00227 | ||||||||||||||
Description |
Add the | ||||||||||||||
Rationale | When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request. | ||||||||||||||
OVAL details no nfs passed because these items were not found:Object oval:ssg-object_no_nfs_defined_etc_fstab_krb_sec:obj:1 of type textfilecontent54_object
all nfs has krb_sec passed because these items were not found:Object oval:ssg-object_nfs_krb_sec_etc_fstab:obj:1 of type textfilecontent54_object
State oval:ssg-state_remote_filesystem_krb_sec:ste:1 of type textfilecontent54_state
|
Uninstall vsftpd Package
Rule ID | xccdf_org.ssgproject.content_rule_package_vsftpd_removed | ||
Result | pass | ||
Time | 2018-04-30T11:15:09 | ||
Severity | high | ||
Identifiers and References | Identifiers: CCE-80245-4 References: RHEL-07-040690, SV-86923r1_rule, CM-6(b), CM-7, CCI-000366, SRG-OS-000480-GPOS-00227 | ||
Description |
The $ sudo yum erase vsftpd | ||
Rationale | Removing the vsftpd package decreases the risk of its accidental activation. | ||
OVAL details package vsftpd is removed passed because these items were not found:Object oval:ssg-obj_package_vsftpd_removed:obj:1 of type rpminfo_object
|
Ensure Default SNMP Password Is Not Used
Rule ID | xccdf_org.ssgproject.content_rule_snmpd_not_default_password | ||||||
Result | pass | ||||||
Time | 2018-04-30T11:15:09 | ||||||
Severity | high | ||||||
Identifiers and References | Identifiers: CCE-27386-2 References: RHEL-07-040800, SV-86937r1_rule, IA-5.1(ii), CCI-000366, SRG-OS-000480-GPOS-00227 | ||||||
Description |
Edit $ sudo service snmpd restart | ||||||
Rationale | Whether active or not, default simple network management protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system and network(s). | ||||||
OVAL details Check snmpd configuration passed because these items were not found:Object oval:ssg-object_snmp_default_communities:obj:1 of type textfilecontent54_object
|