|
 |
fe0dde |
From 147ad40e23d8bd1c839baa001105c659e732c7cd Mon Sep 17 00:00:00 2001
|
|
|
fe0dde |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
fe0dde |
Date: Mon, 21 Sep 2020 15:30:47 +0200
|
|
|
fe0dde |
Subject: [PATCH 1/4] Fix severity of RHEL 7 STIG rules.
|
|
|
fe0dde |
|
|
|
fe0dde |
---
|
|
|
fe0dde |
rhel7/profiles/stig.profile | 5 +++++
|
|
|
fe0dde |
1 file changed, 5 insertions(+)
|
|
|
fe0dde |
|
|
|
fe0dde |
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
|
|
|
fe0dde |
index b820d30608..57e88de210 100644
|
|
|
fe0dde |
--- a/rhel7/profiles/stig.profile
|
|
|
fe0dde |
+++ b/rhel7/profiles/stig.profile
|
|
|
fe0dde |
@@ -104,6 +104,7 @@ selections:
|
|
|
fe0dde |
- grub2_password
|
|
|
fe0dde |
- require_singleuser_auth
|
|
|
fe0dde |
- grub2_uefi_password
|
|
|
fe0dde |
+ - grub2_uefi_password.severity=high
|
|
|
fe0dde |
- smartcard_auth
|
|
|
fe0dde |
- package_rsh-server_removed
|
|
|
fe0dde |
- package_ypserv_removed
|
|
|
fe0dde |
@@ -157,6 +158,7 @@ selections:
|
|
|
fe0dde |
- grub2_enable_fips_mode
|
|
|
fe0dde |
- aide_verify_acls
|
|
|
fe0dde |
- aide_verify_ext_attributes
|
|
|
fe0dde |
+ - aide_verify_ext_attributes.severity=low
|
|
|
fe0dde |
- aide_use_fips_hashes
|
|
|
fe0dde |
- grub2_no_removeable_media
|
|
|
fe0dde |
- uefi_no_removeable_media
|
|
|
fe0dde |
@@ -297,6 +299,9 @@ selections:
|
|
|
fe0dde |
- sysctl_net_ipv4_conf_all_accept_redirects
|
|
|
fe0dde |
- wireless_disable_interfaces
|
|
|
fe0dde |
- mount_option_dev_shm_nodev
|
|
|
fe0dde |
+ - mount_option_dev_shm_nodev.severity=low
|
|
|
fe0dde |
- mount_option_dev_shm_noexec
|
|
|
fe0dde |
+ - mount_option_dev_shm_noexec.severity=low
|
|
|
fe0dde |
- mount_option_dev_shm_nosuid
|
|
|
fe0dde |
+ - mount_option_dev_shm_nosuid.severity=low
|
|
|
fe0dde |
- audit_rules_privileged_commands_mount
|
|
|
fe0dde |
|
|
|
fe0dde |
From 1e6ae626c138106ec8884f0863b09d0e628ae68f Mon Sep 17 00:00:00 2001
|
|
|
fe0dde |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
fe0dde |
Date: Mon, 21 Sep 2020 15:44:44 +0200
|
|
|
fe0dde |
Subject: [PATCH 2/4] Revert severity of some rules and refine on a profile
|
|
|
fe0dde |
basis.
|
|
|
fe0dde |
|
|
|
fe0dde |
These rules had been previously severity mappings from NIST 800-53 and
|
|
|
fe0dde |
we should keep them as they were and refine as needed on the profile
|
|
|
fe0dde |
level.
|
|
|
fe0dde |
---
|
|
|
fe0dde |
.../ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml | 2 +-
|
|
|
fe0dde |
.../accounts-session/accounts_logon_fail_delay/rule.yml | 2 +-
|
|
|
fe0dde |
rhel7/profiles/stig.profile | 2 ++
|
|
|
fe0dde |
3 files changed, 4 insertions(+), 2 deletions(-)
|
|
|
fe0dde |
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
|
|
|
fe0dde |
index 95e11e5787..2ead6f7896 100644
|
|
|
fe0dde |
--- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
|
|
|
fe0dde |
+++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
|
|
|
fe0dde |
@@ -10,7 +10,7 @@ rationale: |-
|
|
|
fe0dde |
Removing the <tt>vsftpd</tt> package decreases the risk of its
|
|
|
fe0dde |
accidental activation.
|
|
|
fe0dde |
|
|
|
fe0dde |
-severity: high
|
|
|
fe0dde |
+severity: low
|
|
|
fe0dde |
|
|
|
fe0dde |
identifiers:
|
|
|
fe0dde |
cce@rhel6: CCE-26687-4
|
|
|
fe0dde |
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
|
|
|
fe0dde |
index 08f81100f4..bb7c17108a 100644
|
|
|
fe0dde |
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
|
|
|
fe0dde |
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
|
|
|
fe0dde |
@@ -11,7 +11,7 @@ rationale: |-
|
|
|
fe0dde |
Increasing the time between a failed authentication attempt and re-prompting to
|
|
|
fe0dde |
enter credentials helps to slow a single-threaded brute force attack.
|
|
|
fe0dde |
|
|
|
fe0dde |
-severity: medium
|
|
|
fe0dde |
+severity: low
|
|
|
fe0dde |
|
|
|
fe0dde |
identifiers:
|
|
|
fe0dde |
cce@rhel7: CCE-80352-8
|
|
|
fe0dde |
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
|
|
|
fe0dde |
index 57e88de210..f3f94a66ba 100644
|
|
|
fe0dde |
--- a/rhel7/profiles/stig.profile
|
|
|
fe0dde |
+++ b/rhel7/profiles/stig.profile
|
|
|
fe0dde |
@@ -97,6 +97,7 @@ selections:
|
|
|
fe0dde |
- sudo_remove_nopasswd
|
|
|
fe0dde |
- sudo_remove_no_authenticate
|
|
|
fe0dde |
- accounts_logon_fail_delay
|
|
|
fe0dde |
+ - accounts_logon_fail_delay.severity=medium
|
|
|
fe0dde |
- gnome_gdm_disable_automatic_login
|
|
|
fe0dde |
- gnome_gdm_disable_guest_login
|
|
|
fe0dde |
- sshd_do_not_permit_user_env
|
|
|
fe0dde |
@@ -274,6 +275,7 @@ selections:
|
|
|
fe0dde |
- network_sniffer_disabled
|
|
|
fe0dde |
- postfix_prevent_unrestricted_relay
|
|
|
fe0dde |
- package_vsftpd_removed
|
|
|
fe0dde |
+ - package_vsftpd_removed.severity=high
|
|
|
fe0dde |
- package_tftp-server_removed
|
|
|
fe0dde |
- sshd_enable_x11_forwarding
|
|
|
fe0dde |
- tftpd_uses_secure_mode
|
|
|
fe0dde |
|
|
|
fe0dde |
From 4dcb7e0cfe8a59f7490e4eb4da18acc3a96e06a5 Mon Sep 17 00:00:00 2001
|
|
|
fe0dde |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
fe0dde |
Date: Fri, 2 Oct 2020 17:18:19 +0200
|
|
|
fe0dde |
Subject: [PATCH 3/4] Revert to previous severity since what's in the STIG
|
|
|
fe0dde |
takes precedence.
|
|
|
fe0dde |
|
|
|
fe0dde |
---
|
|
|
fe0dde |
.../ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml | 2 +-
|
|
|
fe0dde |
.../accounts-session/accounts_logon_fail_delay/rule.yml | 2 +-
|
|
|
fe0dde |
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
fe0dde |
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
|
|
|
fe0dde |
index 2ead6f7896..95e11e5787 100644
|
|
|
fe0dde |
--- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
|
|
|
fe0dde |
+++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
|
|
|
fe0dde |
@@ -10,7 +10,7 @@ rationale: |-
|
|
|
fe0dde |
Removing the <tt>vsftpd</tt> package decreases the risk of its
|
|
|
fe0dde |
accidental activation.
|
|
|
fe0dde |
|
|
|
fe0dde |
-severity: low
|
|
|
fe0dde |
+severity: high
|
|
|
fe0dde |
|
|
|
fe0dde |
identifiers:
|
|
|
fe0dde |
cce@rhel6: CCE-26687-4
|
|
|
fe0dde |
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
|
|
|
fe0dde |
index bb7c17108a..08f81100f4 100644
|
|
|
fe0dde |
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
|
|
|
fe0dde |
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
|
|
|
fe0dde |
@@ -11,7 +11,7 @@ rationale: |-
|
|
|
fe0dde |
Increasing the time between a failed authentication attempt and re-prompting to
|
|
|
fe0dde |
enter credentials helps to slow a single-threaded brute force attack.
|
|
|
fe0dde |
|
|
|
fe0dde |
-severity: low
|
|
|
fe0dde |
+severity: medium
|
|
|
fe0dde |
|
|
|
fe0dde |
identifiers:
|
|
|
fe0dde |
cce@rhel7: CCE-80352-8
|
|
|
fe0dde |
|
|
|
fe0dde |
From 0da43ce6d4758a540ba3276a8c51819be643f709 Mon Sep 17 00:00:00 2001
|
|
|
fe0dde |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
fe0dde |
Date: Fri, 2 Oct 2020 17:38:03 +0200
|
|
|
fe0dde |
Subject: [PATCH 4/4] Remove severity refinement from profile and change on a
|
|
|
fe0dde |
rule level.
|
|
|
fe0dde |
|
|
|
fe0dde |
---
|
|
|
fe0dde |
.../system/bootloader-grub2/grub2_uefi_password/rule.yml | 2 +-
|
|
|
fe0dde |
.../partitions/mount_option_dev_shm_nodev/rule.yml | 2 +-
|
|
|
fe0dde |
.../partitions/mount_option_dev_shm_noexec/rule.yml | 2 +-
|
|
|
fe0dde |
.../partitions/mount_option_dev_shm_nosuid/rule.yml | 2 +-
|
|
|
fe0dde |
.../aide/aide_verify_ext_attributes/rule.yml | 2 +-
|
|
|
fe0dde |
rhel7/profiles/stig.profile | 7 -------
|
|
|
fe0dde |
6 files changed, 5 insertions(+), 12 deletions(-)
|
|
|
fe0dde |
|
|
|
fe0dde |
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
|
|
|
fe0dde |
index e07094177b..0184c601a0 100644
|
|
|
fe0dde |
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
|
|
|
fe0dde |
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
|
|
|
fe0dde |
@@ -24,7 +24,7 @@ rationale: |-
|
|
|
fe0dde |
important bootloader settings. These include which kernel to use,
|
|
|
fe0dde |
and whether to enter single-user mode.
|
|
|
fe0dde |
|
|
|
fe0dde |
-severity: medium
|
|
|
fe0dde |
+severity: high
|
|
|
fe0dde |
|
|
|
fe0dde |
identifiers:
|
|
|
fe0dde |
cce@rhel7: CCE-80354-4
|
|
|
fe0dde |
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
|
|
|
fe0dde |
index 4f01edeebc..4a06fd5f2f 100644
|
|
|
fe0dde |
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
|
|
|
fe0dde |
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
|
|
|
fe0dde |
@@ -14,7 +14,7 @@ rationale: |-
|
|
|
fe0dde |
|
|
|
fe0dde |
{{{ complete_ocil_entry_mount_option("/dev/shm", "nodev") }}}
|
|
|
fe0dde |
|
|
|
fe0dde |
-severity: medium
|
|
|
fe0dde |
+severity: low
|
|
|
fe0dde |
|
|
|
fe0dde |
identifiers:
|
|
|
fe0dde |
cce@rhel6: CCE-26778-1
|
|
|
fe0dde |
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
|
|
|
fe0dde |
index 0074e898c6..eaab02ff6d 100644
|
|
|
fe0dde |
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
|
|
|
fe0dde |
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
|
|
|
fe0dde |
@@ -17,7 +17,7 @@ rationale: |-
|
|
|
fe0dde |
|
|
|
fe0dde |
{{{ complete_ocil_entry_mount_option("/dev/shm", "noexec") }}}
|
|
|
fe0dde |
|
|
|
fe0dde |
-severity: medium
|
|
|
fe0dde |
+severity: low
|
|
|
fe0dde |
|
|
|
fe0dde |
identifiers:
|
|
|
fe0dde |
cce@rhel6: CCE-26622-1
|
|
|
fe0dde |
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
|
|
|
fe0dde |
index e0eabc2a9e..3771bf2451 100644
|
|
|
fe0dde |
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
|
|
|
fe0dde |
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
|
|
|
fe0dde |
@@ -14,7 +14,7 @@ rationale: |-
|
|
|
fe0dde |
|
|
|
fe0dde |
{{{ complete_ocil_entry_mount_option("/dev/shm", "nosuid") }}}
|
|
|
fe0dde |
|
|
|
fe0dde |
-severity: medium
|
|
|
fe0dde |
+severity: low
|
|
|
fe0dde |
|
|
|
fe0dde |
identifiers:
|
|
|
fe0dde |
cce@rhel6: CCE-26486-1
|
|
|
fe0dde |
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
|
|
|
fe0dde |
index 9dba1deca5..2e81a270c5 100644
|
|
|
fe0dde |
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
|
|
|
fe0dde |
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
|
|
|
fe0dde |
@@ -17,7 +17,7 @@ rationale: |-
|
|
|
fe0dde |
Extended attributes in file systems are used to contain arbitrary data and file metadata
|
|
|
fe0dde |
with security implications.
|
|
|
fe0dde |
|
|
|
fe0dde |
-severity: medium
|
|
|
fe0dde |
+severity: low
|
|
|
fe0dde |
|
|
|
fe0dde |
identifiers:
|
|
|
fe0dde |
cce@rhel7: CCE-80376-7
|
|
|
fe0dde |
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
|
|
|
fe0dde |
index f3f94a66ba..b820d30608 100644
|
|
|
fe0dde |
--- a/rhel7/profiles/stig.profile
|
|
|
fe0dde |
+++ b/rhel7/profiles/stig.profile
|
|
|
fe0dde |
@@ -97,7 +97,6 @@ selections:
|
|
|
fe0dde |
- sudo_remove_nopasswd
|
|
|
fe0dde |
- sudo_remove_no_authenticate
|
|
|
fe0dde |
- accounts_logon_fail_delay
|
|
|
fe0dde |
- - accounts_logon_fail_delay.severity=medium
|
|
|
fe0dde |
- gnome_gdm_disable_automatic_login
|
|
|
fe0dde |
- gnome_gdm_disable_guest_login
|
|
|
fe0dde |
- sshd_do_not_permit_user_env
|
|
|
fe0dde |
@@ -105,7 +104,6 @@ selections:
|
|
|
fe0dde |
- grub2_password
|
|
|
fe0dde |
- require_singleuser_auth
|
|
|
fe0dde |
- grub2_uefi_password
|
|
|
fe0dde |
- - grub2_uefi_password.severity=high
|
|
|
fe0dde |
- smartcard_auth
|
|
|
fe0dde |
- package_rsh-server_removed
|
|
|
fe0dde |
- package_ypserv_removed
|
|
|
fe0dde |
@@ -159,7 +157,6 @@ selections:
|
|
|
fe0dde |
- grub2_enable_fips_mode
|
|
|
fe0dde |
- aide_verify_acls
|
|
|
fe0dde |
- aide_verify_ext_attributes
|
|
|
fe0dde |
- - aide_verify_ext_attributes.severity=low
|
|
|
fe0dde |
- aide_use_fips_hashes
|
|
|
fe0dde |
- grub2_no_removeable_media
|
|
|
fe0dde |
- uefi_no_removeable_media
|
|
|
fe0dde |
@@ -275,7 +272,6 @@ selections:
|
|
|
fe0dde |
- network_sniffer_disabled
|
|
|
fe0dde |
- postfix_prevent_unrestricted_relay
|
|
|
fe0dde |
- package_vsftpd_removed
|
|
|
fe0dde |
- - package_vsftpd_removed.severity=high
|
|
|
fe0dde |
- package_tftp-server_removed
|
|
|
fe0dde |
- sshd_enable_x11_forwarding
|
|
|
fe0dde |
- tftpd_uses_secure_mode
|
|
|
fe0dde |
@@ -301,9 +297,6 @@ selections:
|
|
|
fe0dde |
- sysctl_net_ipv4_conf_all_accept_redirects
|
|
|
fe0dde |
- wireless_disable_interfaces
|
|
|
fe0dde |
- mount_option_dev_shm_nodev
|
|
|
fe0dde |
- - mount_option_dev_shm_nodev.severity=low
|
|
|
fe0dde |
- mount_option_dev_shm_noexec
|
|
|
fe0dde |
- - mount_option_dev_shm_noexec.severity=low
|
|
|
fe0dde |
- mount_option_dev_shm_nosuid
|
|
|
fe0dde |
- - mount_option_dev_shm_nosuid.severity=low
|
|
|
fe0dde |
- audit_rules_privileged_commands_mount
|