From 147ad40e23d8bd1c839baa001105c659e732c7cd Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Mon, 21 Sep 2020 15:30:47 +0200
Subject: [PATCH 1/4] Fix severity of RHEL 7 STIG rules.

---
 rhel7/profiles/stig.profile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index b820d30608..57e88de210 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -104,6 +104,7 @@ selections:
 - grub2_password
 - require_singleuser_auth
 - grub2_uefi_password
+ - grub2_uefi_password.severity=high
 - smartcard_auth
 - package_rsh-server_removed
 - package_ypserv_removed
@@ -157,6 +158,7 @@ selections:
 - grub2_enable_fips_mode
 - aide_verify_acls
 - aide_verify_ext_attributes
+ - aide_verify_ext_attributes.severity=low
 - aide_use_fips_hashes
 - grub2_no_removeable_media
 - uefi_no_removeable_media
@@ -297,6 +299,9 @@ selections:
 - sysctl_net_ipv4_conf_all_accept_redirects
 - wireless_disable_interfaces
 - mount_option_dev_shm_nodev
+ - mount_option_dev_shm_nodev.severity=low
 - mount_option_dev_shm_noexec
+ - mount_option_dev_shm_noexec.severity=low
 - mount_option_dev_shm_nosuid
+ - mount_option_dev_shm_nosuid.severity=low
 - audit_rules_privileged_commands_mount

From 1e6ae626c138106ec8884f0863b09d0e628ae68f Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Mon, 21 Sep 2020 15:44:44 +0200
Subject: [PATCH 2/4] Revert severity of some rules and refine on a profile basis.

These rules had been previously severity mappings from NIST 800-53 and we should keep them as they were and refine as needed on the profile level.

---
 .../ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml | 2 +-
 .../accounts-session/accounts_logon_fail_delay/rule.yml | 2 +-
 rhel7/profiles/stig.profile | 2 ++
 3 files changed, 4 insertions(+), 2 deletions(-)

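Review bot: The `.severity=high` refinement added after `grub2_uefi_password` records no reason for diverging from the rule's own severity, and the same holds for the `aide_verify_ext_attributes` and the three `mount_option_dev_shm_*` refinements in the next two hunks; a comment above each refinement such as `# severity follows the RHEL 7 STIG category for this rule` would let a later STIG revision be checked against it. Patch 4/4 of this series removes all seven refinements again (these five plus the two from patch 2/4) and moves the change into the rule.yml files, so stig.profile ends the series at the blob it started from (index b820d30608 on both ends). Squashing the series, or dropping the profile-level patches, would keep that churn out of history.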
diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml index 95e11e5787..2ead6f7896 100644 --- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml +++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml @@ -10,7 +10,7 @@ rationale: |- Removing the vsftpd package decreases the risk of its accidental activation. -severity: high +severity: low identifiers: cce@rhel6: CCE-26687-4 diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml index 08f81100f4..bb7c17108a 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml @@ -11,7 +11,7 @@ rationale: |- Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack. -severity: medium +severity: low identifiers: cce@rhel7: CCE-80352-8 diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile index 57e88de210..f3f94a66ba 100644 --- a/rhel7/profiles/stig.profile +++ b/rhel7/profiles/stig.profile @@ -97,6 +97,7 @@ selections: - sudo_remove_nopasswd - sudo_remove_no_authenticate - accounts_logon_fail_delay + - accounts_logon_fail_delay.severity=medium - gnome_gdm_disable_automatic_login - gnome_gdm_disable_guest_login - sshd_do_not_permit_user_env @@ -274,6 +275,7 @@ selections: - network_sniffer_disabled - postfix_prevent_unrestricted_relay - package_vsftpd_removed + - package_vsftpd_removed.severity=high - package_tftp-server_removed - sshd_enable_x11_forwarding - tftpd_uses_secure_mode From 4dcb7e0cfe8a59f7490e4eb4da18acc3a96e06a5 Mon Sep 17 00:00:00 2001 
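Review bot: The `severity: high` to `severity: low` change in package_vsftpd_removed/rule.yml is a rule-level edit which, going by the product-agnostic linux_os/guide path, presumably applies to every product and profile that selects the rule, while the commit message says the rule-level mappings should be kept as they were and refined per profile; the hunk and the description contradict each other, and the accounts_logon_fail_delay hunk below has the same problem. Patch 3/4 restores both values because the STIG takes precedence, so patches 2/4 and 3/4 cancel out on these two files. If they stay as separate commits, the message of 2/4 should state why the rule-level value was changed at all rather than only the profile refinement.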
From: Gabriel Becker Date: Fri, 2 Oct 2020 17:18:19 +0200 Subject: [PATCH 3/4] Revert to previous severity since what's in the STIG takes precedence. --- .../ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml | 2 +- .../accounts-session/accounts_logon_fail_delay/rule.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml index 2ead6f7896..95e11e5787 100644 --- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml +++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml @@ -10,7 +10,7 @@ rationale: |- Removing the vsftpd package decreases the risk of its accidental activation. -severity: low +severity: high identifiers: cce@rhel6: CCE-26687-4 diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml index bb7c17108a..08f81100f4 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml @@ -11,7 +11,7 @@ rationale: |- Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack. -severity: low +severity: medium identifiers: cce@rhel7: CCE-80352-8 From 0da43ce6d4758a540ba3276a8c51819be643f709 Mon Sep 17 00:00:00 2001 
From: Gabriel Becker Date: Fri, 2 Oct 2020 17:38:03 +0200 Subject: [PATCH 4/4] Remove severity refinement from profile and change on a rule level. --- .../system/bootloader-grub2/grub2_uefi_password/rule.yml | 2 +- .../partitions/mount_option_dev_shm_nodev/rule.yml | 2 +- .../partitions/mount_option_dev_shm_noexec/rule.yml | 2 +- .../partitions/mount_option_dev_shm_nosuid/rule.yml | 2 +- .../aide/aide_verify_ext_attributes/rule.yml | 2 +- rhel7/profiles/stig.profile | 7 ------- 6 files changed, 5 insertions(+), 12 deletions(-) diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml index e07094177b..0184c601a0 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml @@ -24,7 +24,7 @@ rationale: |- important bootloader settings. These include which kernel to use, and whether to enter single-user mode. -severity: medium +severity: high identifiers: cce@rhel7: CCE-80354-4 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml index 4f01edeebc..4a06fd5f2f 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml @@ -14,7 +14,7 @@ rationale: |- {{{ complete_ocil_entry_mount_option("/dev/shm", "nodev") }}} -severity: medium +severity: low identifiers: cce@rhel6: CCE-26778-1 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml index 0074e898c6..eaab02ff6d 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml 
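Review bot: Lowering `severity` from `medium` to `low` in mount_option_dev_shm_nodev/rule.yml is justified in this series only by RHEL 7 STIG precedence (patch 3/4), yet the file lives under the product-agnostic linux_os/guide tree, so the new value presumably reaches every other product and profile selecting the rule, not just rhel7/profiles/stig.profile; the same applies to the mount_option_dev_shm_noexec, mount_option_dev_shm_nosuid and aide_verify_ext_attributes hunks that follow. Patch 2/4 of this series argued the opposite, that rule-level severities inherited from NIST 800-53 should be kept and refined per profile with `<rule>.severity=<level>` lines, and nothing on the page records why that approach was abandoned. A one-line comment above the field, e.g. `# severity aligned with the RHEL 7 STIG category; profiles may refine it`, or the reasoning in the commit message, would make the global effect of the change reviewable.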
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml @@ -17,7 +17,7 @@ rationale: |- {{{ complete_ocil_entry_mount_option("/dev/shm", "noexec") }}} -severity: medium +severity: low identifiers: cce@rhel6: CCE-26622-1 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml index e0eabc2a9e..3771bf2451 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml @@ -14,7 +14,7 @@ rationale: |- {{{ complete_ocil_entry_mount_option("/dev/shm", "nosuid") }}} -severity: medium +severity: low identifiers: cce@rhel6: CCE-26486-1 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml index 9dba1deca5..2e81a270c5 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml @@ -17,7 +17,7 @@ rationale: |- Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. -severity: medium +severity: low identifiers: cce@rhel7: CCE-80376-7 diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile index f3f94a66ba..b820d30608 100644 --- a/rhel7/profiles/stig.profile +++ b/rhel7/profiles/stig.profile @@ -97,7 +97,6 @@ selections: - sudo_remove_nopasswd - sudo_remove_no_authenticate - accounts_logon_fail_delay - - accounts_logon_fail_delay.severity=medium - gnome_gdm_disable_automatic_login - gnome_gdm_disable_guest_login - sshd_do_not_permit_user_env 
@@ -105,7 +104,6 @@ selections:
 - grub2_password
 - require_singleuser_auth
 - grub2_uefi_password
- - grub2_uefi_password.severity=high
 - smartcard_auth
 - package_rsh-server_removed
 - package_ypserv_removed
@@ -159,7 +157,6 @@ selections:
 - grub2_enable_fips_mode
 - aide_verify_acls
 - aide_verify_ext_attributes
- - aide_verify_ext_attributes.severity=low
 - aide_use_fips_hashes
 - grub2_no_removeable_media
 - uefi_no_removeable_media
@@ -275,7 +272,6 @@ selections:
 - network_sniffer_disabled
 - postfix_prevent_unrestricted_relay
 - package_vsftpd_removed
- - package_vsftpd_removed.severity=high
 - package_tftp-server_removed
 - sshd_enable_x11_forwarding
 - tftpd_uses_secure_mode
@@ -301,9 +297,6 @@ selections:
 - sysctl_net_ipv4_conf_all_accept_redirects
 - wireless_disable_interfaces
 - mount_option_dev_shm_nodev
- - mount_option_dev_shm_nodev.severity=low
 - mount_option_dev_shm_noexec
- - mount_option_dev_shm_noexec.severity=low
 - mount_option_dev_shm_nosuid
- - mount_option_dev_shm_nosuid.severity=low
 - audit_rules_privileged_commands_mount