From 147ad40e23d8bd1c839baa001105c659e732c7cd Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Mon, 21 Sep 2020 15:30:47 +0200

Subject: [PATCH 1/4] Fix severity of RHEL 7 STIG rules.

---

 rhel7/profiles/stig.profile | 5 +++++

 1 file changed, 5 insertions(+)

diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile

index b820d30608..57e88de210 100644

--- a/rhel7/profiles/stig.profile

+++ b/rhel7/profiles/stig.profile

@@ -104,6 +104,7 @@ selections:

     - grub2_password

     - require_singleuser_auth

     - grub2_uefi_password

+    - grub2_uefi_password.severity=high

     - smartcard_auth

     - package_rsh-server_removed

     - package_ypserv_removed

@@ -157,6 +158,7 @@ selections:

     - grub2_enable_fips_mode

     - aide_verify_acls

     - aide_verify_ext_attributes

+    - aide_verify_ext_attributes.severity=low

     - aide_use_fips_hashes

     - grub2_no_removeable_media

     - uefi_no_removeable_media

@@ -297,6 +299,9 @@ selections:

     - sysctl_net_ipv4_conf_all_accept_redirects

     - wireless_disable_interfaces

     - mount_option_dev_shm_nodev

+    - mount_option_dev_shm_nodev.severity=low

     - mount_option_dev_shm_noexec

+    - mount_option_dev_shm_noexec.severity=low

     - mount_option_dev_shm_nosuid

+    - mount_option_dev_shm_nosuid.severity=low

     - audit_rules_privileged_commands_mount

From 1e6ae626c138106ec8884f0863b09d0e628ae68f Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Mon, 21 Sep 2020 15:44:44 +0200

Subject: [PATCH 2/4] Revert severity of some rules and refine on a profile

 basis.

These rules had been previously severity mappings from NIST 800-53 and

we should keep them as they were and refine as needed on the profile

level.

---

 .../ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml        | 2 +-

 .../accounts-session/accounts_logon_fail_delay/rule.yml         | 2 +-

 rhel7/profiles/stig.profile                                     | 2 ++

 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml

index 95e11e5787..2ead6f7896 100644

--- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml

+++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml

@@ -10,7 +10,7 @@ rationale: |-

     Removing the <tt>vsftpd</tt> package decreases the risk of its

     accidental activation.

-severity: high

+severity: low

 identifiers:

     cce@rhel6: CCE-26687-4

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml

index 08f81100f4..bb7c17108a 100644

--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml

@@ -11,7 +11,7 @@ rationale: |-

     Increasing the time between a failed authentication attempt and re-prompting to

     enter credentials helps to slow a single-threaded brute force attack.

-severity: medium

+severity: low

 identifiers:

     cce@rhel7: CCE-80352-8

diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile

index 57e88de210..f3f94a66ba 100644

--- a/rhel7/profiles/stig.profile

+++ b/rhel7/profiles/stig.profile

@@ -97,6 +97,7 @@ selections:

     - sudo_remove_nopasswd

     - sudo_remove_no_authenticate

     - accounts_logon_fail_delay

+    - accounts_logon_fail_delay.severity=medium

     - gnome_gdm_disable_automatic_login

     - gnome_gdm_disable_guest_login

     - sshd_do_not_permit_user_env

@@ -274,6 +275,7 @@ selections:

     - network_sniffer_disabled

     - postfix_prevent_unrestricted_relay

     - package_vsftpd_removed

+    - package_vsftpd_removed.severity=high

     - package_tftp-server_removed

     - sshd_enable_x11_forwarding

     - tftpd_uses_secure_mode

From 4dcb7e0cfe8a59f7490e4eb4da18acc3a96e06a5 Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Fri, 2 Oct 2020 17:18:19 +0200

Subject: [PATCH 3/4] Revert to previous severity since what's in the STIG

 takes precedence.

---

 .../ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml        | 2 +-

 .../accounts-session/accounts_logon_fail_delay/rule.yml         | 2 +-

 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml

index 2ead6f7896..95e11e5787 100644

--- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml

+++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml

@@ -10,7 +10,7 @@ rationale: |-

     Removing the <tt>vsftpd</tt> package decreases the risk of its

     accidental activation.

-severity: low

+severity: high

 identifiers:

     cce@rhel6: CCE-26687-4

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml

index bb7c17108a..08f81100f4 100644

--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml

@@ -11,7 +11,7 @@ rationale: |-

     Increasing the time between a failed authentication attempt and re-prompting to

     enter credentials helps to slow a single-threaded brute force attack.

-severity: low

+severity: medium

 identifiers:

     cce@rhel7: CCE-80352-8

From 0da43ce6d4758a540ba3276a8c51819be643f709 Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Fri, 2 Oct 2020 17:38:03 +0200

Subject: [PATCH 4/4] Remove severity refinement from profile and change on a

 rule level.

---

 .../system/bootloader-grub2/grub2_uefi_password/rule.yml   | 2 +-

 .../partitions/mount_option_dev_shm_nodev/rule.yml         | 2 +-

 .../partitions/mount_option_dev_shm_noexec/rule.yml        | 2 +-

 .../partitions/mount_option_dev_shm_nosuid/rule.yml        | 2 +-

 .../aide/aide_verify_ext_attributes/rule.yml               | 2 +-

 rhel7/profiles/stig.profile                                | 7 -------

 6 files changed, 5 insertions(+), 12 deletions(-)

diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml

index e07094177b..0184c601a0 100644

--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml

+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml

@@ -24,7 +24,7 @@ rationale: |-

     important bootloader settings. These include which kernel to use,

     and whether to enter single-user mode.

-severity: medium

+severity: high

 identifiers:

     cce@rhel7: CCE-80354-4

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml

index 4f01edeebc..4a06fd5f2f 100644

--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml

+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml

@@ -14,7 +14,7 @@ rationale: |-

 {{{ complete_ocil_entry_mount_option("/dev/shm", "nodev") }}}

-severity: medium

+severity: low

 identifiers:

     cce@rhel6: CCE-26778-1

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml

index 0074e898c6..eaab02ff6d 100644

--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml

+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml

@@ -17,7 +17,7 @@ rationale: |-

 {{{ complete_ocil_entry_mount_option("/dev/shm", "noexec") }}}

-severity: medium

+severity: low

 identifiers:

     cce@rhel6: CCE-26622-1

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml

index e0eabc2a9e..3771bf2451 100644

--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml

+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml

@@ -14,7 +14,7 @@ rationale: |-

 {{{ complete_ocil_entry_mount_option("/dev/shm", "nosuid") }}}

-severity: medium

+severity: low

 identifiers:

     cce@rhel6: CCE-26486-1

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml

index 9dba1deca5..2e81a270c5 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml

+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml

@@ -17,7 +17,7 @@ rationale: |-

     Extended attributes in file systems are used to contain arbitrary data and file metadata

     with security implications.

-severity: medium

+severity: low

 identifiers:

     cce@rhel7: CCE-80376-7

diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile

index f3f94a66ba..b820d30608 100644

--- a/rhel7/profiles/stig.profile

+++ b/rhel7/profiles/stig.profile

@@ -97,7 +97,6 @@ selections:

     - sudo_remove_nopasswd

     - sudo_remove_no_authenticate

     - accounts_logon_fail_delay

-    - accounts_logon_fail_delay.severity=medium

     - gnome_gdm_disable_automatic_login

     - gnome_gdm_disable_guest_login

     - sshd_do_not_permit_user_env

@@ -105,7 +104,6 @@ selections:

     - grub2_password

     - require_singleuser_auth

     - grub2_uefi_password

-    - grub2_uefi_password.severity=high

     - smartcard_auth

     - package_rsh-server_removed

     - package_ypserv_removed

@@ -159,7 +157,6 @@ selections:

     - grub2_enable_fips_mode

     - aide_verify_acls

     - aide_verify_ext_attributes

-    - aide_verify_ext_attributes.severity=low

     - aide_use_fips_hashes

     - grub2_no_removeable_media

     - uefi_no_removeable_media

@@ -275,7 +272,6 @@ selections:

     - network_sniffer_disabled

     - postfix_prevent_unrestricted_relay

     - package_vsftpd_removed

-    - package_vsftpd_removed.severity=high

     - package_tftp-server_removed

     - sshd_enable_x11_forwarding

     - tftpd_uses_secure_mode

@@ -301,9 +297,6 @@ selections:

     - sysctl_net_ipv4_conf_all_accept_redirects

     - wireless_disable_interfaces

     - mount_option_dev_shm_nodev

-    - mount_option_dev_shm_nodev.severity=low

     - mount_option_dev_shm_noexec

-    - mount_option_dev_shm_noexec.severity=low

     - mount_option_dev_shm_nosuid

-    - mount_option_dev_shm_nosuid.severity=low

     - audit_rules_privileged_commands_mount