commit ed9b2df569f3cbc7fcfaf475a0f18d6108b9a244
Author: Watson Sato <wsato@redhat.com>
Date: Fri Feb 25 18:12:54 2022 +0100
Manually edited patch scap-security-guide-0.1.61-update_RHEL_08_STIG-PR_8139.patch.
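--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8'
 
 description: |-
 This profile contains configuration checks that align to the
- DISA STIG for Red Hat Enterprise Linux 8 V1R4.
+ DISA STIG for Red Hat Enterprise Linux 8 V1R5.
 
 In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
 configuration baseline as applicable to the operating system tier of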
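--- a/products/rhel8/profiles/stig_gui.profile
+++ b/products/rhel8/profiles/stig_gui.profile
@@ -11,7 +11,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8'
 
 description: |-
 This profile contains configuration checks that align to the
- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R4.
+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R5.
 
 In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
 configuration baseline as applicable to the operating system tier of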
diff --git a/shared/references/disa-stig-rhel8-v1r4-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r5-xccdf-manual.xml
|
|
|
ff1465 |
similarity index 81%
|
|
|
ff1465 |
rename from shared/references/disa-stig-rhel8-v1r4-xccdf-manual.xml
|
|
|
ff1465 |
rename to shared/references/disa-stig-rhel8-v1r5-xccdf-manual.xml
|
|
|
ff1465 |
index 46c5fa1..216e91f 100644
|
|
|
ff1465 |
--- a/shared/references/disa-stig-rhel8-v1r4-xccdf-manual.xml
|
|
|
ff1465 |
+++ b/shared/references/disa-stig-rhel8-v1r5-xccdf-manual.xml
|
|
|
ff1465 |
@@ -1,4 +1,4 @@
|
|
|
ff1465 |
-<Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="RHEL_8_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2021-08-18">accepted</status><title>Red Hat Enterprise Linux 8 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 4 Benchmark Date: 27 Oct 2021</plain-text><plain-text id="generator">3.2.2.36079</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>1</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" 
/><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select 
idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" /><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" /><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" /><select idref="V-230295" selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230297" selected="true" /><select idref="V-230298" selected="true" /><select idref="V-230299" selected="true" /><select idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" selected="true" /><select idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select idref="V-230308" selected="true" /><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" /><select idref="V-230312" selected="true" /><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" /><select idref="V-230316" selected="true" /><select idref="V-230317" selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" /><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" 
selected="true" /><select idref="V-230323" selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" /><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select idref="V-230341" selected="true" /><select idref="V-230342" selected="true" /><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select idref="V-230345" selected="true" /><select idref="V-230346" selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" /><select idref="V-230350" selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" selected="true" /><select idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select idref="V-230358" selected="true" /><select idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select idref="V-230362" selected="true" /><select idref="V-230363" selected="true" /><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" 
/><select idref="V-230369" selected="true" /><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" selected="true" /><select idref="V-230388" selected="true" /><select idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230391" selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" /><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select idref="V-230396" selected="true" /><select idref="V-230397" selected="true" /><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" selected="true" /><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" selected="true" /><select idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" selected="true" /><select idref="V-230414" selected="true" /><select 
idref="V-230415" selected="true" /><select idref="V-230416" selected="true" /><select idref="V-230417" selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" /><select idref="V-230420" selected="true" /><select idref="V-230421" selected="true" /><select idref="V-230422" selected="true" /><select idref="V-230423" selected="true" /><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" /><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" selected="true" /><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230440" selected="true" /><select idref="V-230441" selected="true" /><select idref="V-230442" selected="true" /><select idref="V-230443" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230445" selected="true" /><select idref="V-230446" selected="true" /><select idref="V-230447" selected="true" /><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select idref="V-230450" selected="true" /><select idref="V-230451" selected="true" /><select idref="V-230452" selected="true" /><select idref="V-230453" selected="true" /><select idref="V-230454" selected="true" /><select idref="V-230455" selected="true" /><select idref="V-230456" selected="true" /><select idref="V-230457" selected="true" /><select idref="V-230458" selected="true" /><select idref="V-230459" selected="true" /><select idref="V-230460" selected="true" /><select idref="V-230461" 
selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select idref="V-230470" selected="true" /><select idref="V-230471" selected="true" /><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" /><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" /><select idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" selected="true" /><select idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" /><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select idref="V-230499" selected="true" /><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" /><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" selected="true" /><select idref="V-230509" selected="true" 
/><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" selected="true" /><select idref="V-230519" selected="true" /><select idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select idref="V-230529" selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" /><select idref="V-230533" selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" selected="true" /><select idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" /><select idref="V-230556" selected="true" /><select 
idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" /><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" /><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" /><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" /><select idref="V-244519" selected="true" /><select idref="V-244520" selected="true" /><select idref="V-244521" selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" /><select idref="V-244529" selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" /><select idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" /><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" /><select idref="V-244547" selected="true" /><select idref="V-244548" selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" selected="true" /><select idref="V-244552" selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select idref="V-250315" 
selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" 
selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" /><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" /><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" /><select idref="V-230295" selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230297" selected="true" /><select idref="V-230298" selected="true" /><select idref="V-230299" selected="true" /><select idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" selected="true" /><select idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select idref="V-230308" selected="true" 
/><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" /><select idref="V-230312" selected="true" /><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" /><select idref="V-230316" selected="true" /><select idref="V-230317" selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" /><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" selected="true" /><select idref="V-230323" selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" /><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select idref="V-230341" selected="true" /><select idref="V-230342" selected="true" /><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select idref="V-230345" selected="true" /><select idref="V-230346" selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" /><select idref="V-230350" selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" selected="true" /><select 
idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select idref="V-230358" selected="true" /><select idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select idref="V-230362" selected="true" /><select idref="V-230363" selected="true" /><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" /><select idref="V-230369" selected="true" /><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" selected="true" /><select idref="V-230388" selected="true" /><select idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230391" selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" /><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select idref="V-230396" selected="true" /><select idref="V-230397" selected="true" /><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" 
selected="true" /><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" selected="true" /><select idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" selected="true" /><select idref="V-230414" selected="true" /><select idref="V-230415" selected="true" /><select idref="V-230416" selected="true" /><select idref="V-230417" selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" /><select idref="V-230420" selected="true" /><select idref="V-230421" selected="true" /><select idref="V-230422" selected="true" /><select idref="V-230423" selected="true" /><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" /><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" selected="true" /><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230440" selected="true" /><select idref="V-230441" selected="true" /><select idref="V-230442" selected="true" /><select idref="V-230443" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230445" selected="true" /><select idref="V-230446" selected="true" /><select idref="V-230447" selected="true" 
/><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select idref="V-230450" selected="true" /><select idref="V-230451" selected="true" /><select idref="V-230452" selected="true" /><select idref="V-230453" selected="true" /><select idref="V-230454" selected="true" /><select idref="V-230455" selected="true" /><select idref="V-230456" selected="true" /><select idref="V-230457" selected="true" /><select idref="V-230458" selected="true" /><select idref="V-230459" selected="true" /><select idref="V-230460" selected="true" /><select idref="V-230461" selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select idref="V-230470" selected="true" /><select idref="V-230471" selected="true" /><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" /><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" /><select idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" selected="true" /><select idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" /><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select 
idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select idref="V-230499" selected="true" /><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" /><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" selected="true" /><select idref="V-230509" selected="true" /><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" selected="true" /><select idref="V-230519" selected="true" /><select idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select idref="V-230529" selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" /><select idref="V-230533" selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" 
selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" selected="true" /><select idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" /><select idref="V-230556" selected="true" /><select idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" /><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" /><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" /><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" /><select idref="V-244519" selected="true" /><select idref="V-244520" selected="true" /><select idref="V-244521" selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" /><select idref="V-244529" selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" /><select idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" 
/><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" /><select idref="V-244547" selected="true" /><select idref="V-244548" selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" selected="true" /><select idref="V-244552" selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select idref="V-250315" selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" 
selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" /><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" /><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" 
/><select idref="V-230295" selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230297" selected="true" /><select idref="V-230298" selected="true" /><select idref="V-230299" selected="true" /><select idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" selected="true" /><select idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select idref="V-230308" selected="true" /><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" /><select idref="V-230312" selected="true" /><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" /><select idref="V-230316" selected="true" /><select idref="V-230317" selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" /><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" selected="true" /><select idref="V-230323" selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" /><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select 
idref="V-230341" selected="true" /><select idref="V-230342" selected="true" /><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select idref="V-230345" selected="true" /><select idref="V-230346" selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" /><select idref="V-230350" selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" selected="true" /><select idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select idref="V-230358" selected="true" /><select idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select idref="V-230362" selected="true" /><select idref="V-230363" selected="true" /><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" /><select idref="V-230369" selected="true" /><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" 
selected="true" /><select idref="V-230388" selected="true" /><select idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230391" selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" /><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select idref="V-230396" selected="true" /><select idref="V-230397" selected="true" /><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" selected="true" /><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" selected="true" /><select idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" selected="true" /><select idref="V-230414" selected="true" /><select idref="V-230415" selected="true" /><select idref="V-230416" selected="true" /><select idref="V-230417" selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" /><select idref="V-230420" selected="true" /><select idref="V-230421" selected="true" /><select idref="V-230422" selected="true" /><select idref="V-230423" selected="true" /><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" 
/><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" selected="true" /><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230440" selected="true" /><select idref="V-230441" selected="true" /><select idref="V-230442" selected="true" /><select idref="V-230443" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230445" selected="true" /><select idref="V-230446" selected="true" /><select idref="V-230447" selected="true" /><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select idref="V-230450" selected="true" /><select idref="V-230451" selected="true" /><select idref="V-230452" selected="true" /><select idref="V-230453" selected="true" /><select idref="V-230454" selected="true" /><select idref="V-230455" selected="true" /><select idref="V-230456" selected="true" /><select idref="V-230457" selected="true" /><select idref="V-230458" selected="true" /><select idref="V-230459" selected="true" /><select idref="V-230460" selected="true" /><select idref="V-230461" selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select idref="V-230470" selected="true" /><select idref="V-230471" selected="true" /><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" /><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" /><select 
idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" selected="true" /><select idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" /><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select idref="V-230499" selected="true" /><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" /><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" selected="true" /><select idref="V-230509" selected="true" /><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" selected="true" /><select idref="V-230519" selected="true" /><select idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select idref="V-230529" 
selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" /><select idref="V-230533" selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" selected="true" /><select idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" /><select idref="V-230556" selected="true" /><select idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" /><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" /><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" /><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" /><select idref="V-244519" selected="true" /><select idref="V-244520" selected="true" /><select idref="V-244521" selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" 
/><select idref="V-244529" selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" /><select idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" /><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" /><select idref="V-244547" selected="true" /><select idref="V-244548" selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" selected="true" /><select idref="V-244552" selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select idref="V-250315" selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" 
selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" 
/><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" /><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" /><select idref="V-230295" selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230297" selected="true" /><select idref="V-230298" selected="true" /><select idref="V-230299" selected="true" /><select idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" selected="true" /><select idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select idref="V-230308" selected="true" /><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" /><select idref="V-230312" selected="true" /><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" /><select idref="V-230316" selected="true" /><select idref="V-230317" selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" /><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" selected="true" /><select idref="V-230323" selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select 
idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" /><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select idref="V-230341" selected="true" /><select idref="V-230342" selected="true" /><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select idref="V-230345" selected="true" /><select idref="V-230346" selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" /><select idref="V-230350" selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" selected="true" /><select idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select idref="V-230358" selected="true" /><select idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select idref="V-230362" selected="true" /><select idref="V-230363" selected="true" /><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" /><select idref="V-230369" selected="true" /><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" 
selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" selected="true" /><select idref="V-230388" selected="true" /><select idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230391" selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" /><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select idref="V-230396" selected="true" /><select idref="V-230397" selected="true" /><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" selected="true" /><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" selected="true" /><select idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" selected="true" /><select idref="V-230414" selected="true" /><select idref="V-230415" selected="true" /><select idref="V-230416" selected="true" /><select idref="V-230417" selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" 
/><select idref="V-230420" selected="true" /><select idref="V-230421" selected="true" /><select idref="V-230422" selected="true" /><select idref="V-230423" selected="true" /><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" /><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" selected="true" /><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230440" selected="true" /><select idref="V-230441" selected="true" /><select idref="V-230442" selected="true" /><select idref="V-230443" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230445" selected="true" /><select idref="V-230446" selected="true" /><select idref="V-230447" selected="true" /><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select idref="V-230450" selected="true" /><select idref="V-230451" selected="true" /><select idref="V-230452" selected="true" /><select idref="V-230453" selected="true" /><select idref="V-230454" selected="true" /><select idref="V-230455" selected="true" /><select idref="V-230456" selected="true" /><select idref="V-230457" selected="true" /><select idref="V-230458" selected="true" /><select idref="V-230459" selected="true" /><select idref="V-230460" selected="true" /><select idref="V-230461" selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select 
idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select idref="V-230470" selected="true" /><select idref="V-230471" selected="true" /><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" /><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" /><select idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" selected="true" /><select idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" /><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select idref="V-230499" selected="true" /><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" /><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" selected="true" /><select idref="V-230509" selected="true" /><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" 
selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" selected="true" /><select idref="V-230519" selected="true" /><select idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select idref="V-230529" selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" /><select idref="V-230533" selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" selected="true" /><select idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" /><select idref="V-230556" selected="true" /><select idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" /><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" 
/><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" /><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" /><select idref="V-244519" selected="true" /><select idref="V-244520" selected="true" /><select idref="V-244521" selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" /><select idref="V-244529" selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" /><select idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" /><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" /><select idref="V-244547" selected="true" /><select idref="V-244548" selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" selected="true" /><select idref="V-244552" selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select idref="V-250315" selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support 
Public</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" 
selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" /><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" /><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" /><select idref="V-230295" selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230297" selected="true" /><select idref="V-230298" selected="true" /><select idref="V-230299" selected="true" /><select idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" selected="true" /><select idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select idref="V-230308" selected="true" /><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" /><select idref="V-230312" selected="true" 
/><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" /><select idref="V-230316" selected="true" /><select idref="V-230317" selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" /><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" selected="true" /><select idref="V-230323" selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" /><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select idref="V-230341" selected="true" /><select idref="V-230342" selected="true" /><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select idref="V-230345" selected="true" /><select idref="V-230346" selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" /><select idref="V-230350" selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" selected="true" /><select idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select idref="V-230358" selected="true" /><select 
idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select idref="V-230362" selected="true" /><select idref="V-230363" selected="true" /><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" /><select idref="V-230369" selected="true" /><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" selected="true" /><select idref="V-230388" selected="true" /><select idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230391" selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" /><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select idref="V-230396" selected="true" /><select idref="V-230397" selected="true" /><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" selected="true" /><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" 
selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" selected="true" /><select idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" selected="true" /><select idref="V-230414" selected="true" /><select idref="V-230415" selected="true" /><select idref="V-230416" selected="true" /><select idref="V-230417" selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" /><select idref="V-230420" selected="true" /><select idref="V-230421" selected="true" /><select idref="V-230422" selected="true" /><select idref="V-230423" selected="true" /><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" /><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" selected="true" /><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230440" selected="true" /><select idref="V-230441" selected="true" /><select idref="V-230442" selected="true" /><select idref="V-230443" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230445" selected="true" /><select idref="V-230446" selected="true" /><select idref="V-230447" selected="true" /><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select idref="V-230450" selected="true" /><select idref="V-230451" selected="true" 
/><select idref="V-230452" selected="true" /><select idref="V-230453" selected="true" /><select idref="V-230454" selected="true" /><select idref="V-230455" selected="true" /><select idref="V-230456" selected="true" /><select idref="V-230457" selected="true" /><select idref="V-230458" selected="true" /><select idref="V-230459" selected="true" /><select idref="V-230460" selected="true" /><select idref="V-230461" selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select idref="V-230470" selected="true" /><select idref="V-230471" selected="true" /><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" /><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" /><select idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" selected="true" /><select idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" /><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select 
idref="V-230499" selected="true" /><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" /><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" selected="true" /><select idref="V-230509" selected="true" /><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" selected="true" /><select idref="V-230519" selected="true" /><select idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select idref="V-230529" selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" /><select idref="V-230533" selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" 
selected="true" /><select idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" /><select idref="V-230556" selected="true" /><select idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" /><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" /><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" /><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" /><select idref="V-244519" selected="true" /><select idref="V-244520" selected="true" /><select idref="V-244521" selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" /><select idref="V-244529" selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" /><select idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" /><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" 
/><select idref="V-244547" selected="true" /><select idref="V-244548" selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" selected="true" /><select idref="V-244552" selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select idref="V-250315" selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" 
selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" /><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" /><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" /><select idref="V-230295" selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230297" selected="true" /><select idref="V-230298" selected="true" 
/><select idref="V-230299" selected="true" /><select idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" selected="true" /><select idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select idref="V-230308" selected="true" /><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" /><select idref="V-230312" selected="true" /><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" /><select idref="V-230316" selected="true" /><select idref="V-230317" selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" /><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" selected="true" /><select idref="V-230323" selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" /><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select idref="V-230341" selected="true" /><select idref="V-230342" selected="true" /><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select 
idref="V-230345" selected="true" /><select idref="V-230346" selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" /><select idref="V-230350" selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" selected="true" /><select idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select idref="V-230358" selected="true" /><select idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select idref="V-230362" selected="true" /><select idref="V-230363" selected="true" /><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" /><select idref="V-230369" selected="true" /><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" selected="true" /><select idref="V-230388" selected="true" /><select idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230391" 
selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" /><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select idref="V-230396" selected="true" /><select idref="V-230397" selected="true" /><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" selected="true" /><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" selected="true" /><select idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" selected="true" /><select idref="V-230414" selected="true" /><select idref="V-230415" selected="true" /><select idref="V-230416" selected="true" /><select idref="V-230417" selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" /><select idref="V-230420" selected="true" /><select idref="V-230421" selected="true" /><select idref="V-230422" selected="true" /><select idref="V-230423" selected="true" /><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" /><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" selected="true" 
/><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230440" selected="true" /><select idref="V-230441" selected="true" /><select idref="V-230442" selected="true" /><select idref="V-230443" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230445" selected="true" /><select idref="V-230446" selected="true" /><select idref="V-230447" selected="true" /><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select idref="V-230450" selected="true" /><select idref="V-230451" selected="true" /><select idref="V-230452" selected="true" /><select idref="V-230453" selected="true" /><select idref="V-230454" selected="true" /><select idref="V-230455" selected="true" /><select idref="V-230456" selected="true" /><select idref="V-230457" selected="true" /><select idref="V-230458" selected="true" /><select idref="V-230459" selected="true" /><select idref="V-230460" selected="true" /><select idref="V-230461" selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select idref="V-230470" selected="true" /><select idref="V-230471" selected="true" /><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" /><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" /><select idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" selected="true" /><select 
idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" /><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select idref="V-230499" selected="true" /><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" /><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" selected="true" /><select idref="V-230509" selected="true" /><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" selected="true" /><select idref="V-230519" selected="true" /><select idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select idref="V-230529" selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" /><select idref="V-230533" 
selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" selected="true" /><select idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" /><select idref="V-230556" selected="true" /><select idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" /><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" /><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" /><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" /><select idref="V-244519" selected="true" /><select idref="V-244520" selected="true" /><select idref="V-244521" selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" /><select idref="V-244529" selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" 
/><select idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" /><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" /><select idref="V-244547" selected="true" /><select idref="V-244548" selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" selected="true" /><select idref="V-244552" selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select idref="V-250315" selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" 
selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" /><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" 
/><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" /><select idref="V-230295" selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230297" selected="true" /><select idref="V-230298" selected="true" /><select idref="V-230299" selected="true" /><select idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" selected="true" /><select idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select idref="V-230308" selected="true" /><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" /><select idref="V-230312" selected="true" /><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" /><select idref="V-230316" selected="true" /><select idref="V-230317" selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" /><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" selected="true" /><select idref="V-230323" selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select 
idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" /><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select idref="V-230341" selected="true" /><select idref="V-230342" selected="true" /><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select idref="V-230345" selected="true" /><select idref="V-230346" selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" /><select idref="V-230350" selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" selected="true" /><select idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select idref="V-230358" selected="true" /><select idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select idref="V-230362" selected="true" /><select idref="V-230363" selected="true" /><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" /><select idref="V-230369" selected="true" /><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" 
selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" selected="true" /><select idref="V-230388" selected="true" /><select idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230391" selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" /><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select idref="V-230396" selected="true" /><select idref="V-230397" selected="true" /><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" selected="true" /><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" selected="true" /><select idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" selected="true" /><select idref="V-230414" selected="true" /><select idref="V-230415" selected="true" /><select idref="V-230416" selected="true" /><select idref="V-230417" selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" /><select idref="V-230420" selected="true" /><select idref="V-230421" selected="true" /><select idref="V-230422" selected="true" /><select idref="V-230423" selected="true" 
/><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" /><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" selected="true" /><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230440" selected="true" /><select idref="V-230441" selected="true" /><select idref="V-230442" selected="true" /><select idref="V-230443" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230445" selected="true" /><select idref="V-230446" selected="true" /><select idref="V-230447" selected="true" /><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select idref="V-230450" selected="true" /><select idref="V-230451" selected="true" /><select idref="V-230452" selected="true" /><select idref="V-230453" selected="true" /><select idref="V-230454" selected="true" /><select idref="V-230455" selected="true" /><select idref="V-230456" selected="true" /><select idref="V-230457" selected="true" /><select idref="V-230458" selected="true" /><select idref="V-230459" selected="true" /><select idref="V-230460" selected="true" /><select idref="V-230461" selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select 
idref="V-230470" selected="true" /><select idref="V-230471" selected="true" /><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" /><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" /><select idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" selected="true" /><select idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" /><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select idref="V-230499" selected="true" /><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" /><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" selected="true" /><select idref="V-230509" selected="true" /><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" 
selected="true" /><select idref="V-230519" selected="true" /><select idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select idref="V-230529" selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" /><select idref="V-230533" selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" selected="true" /><select idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" /><select idref="V-230556" selected="true" /><select idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" /><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" /><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" /><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" 
/><select idref="V-244519" selected="true" /><select idref="V-244520" selected="true" /><select idref="V-244521" selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" /><select idref="V-244529" selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" /><select idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" /><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" /><select idref="V-244547" selected="true" /><select idref="V-244548" selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" selected="true" /><select idref="V-244552" selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select idref="V-250315" selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" 
/><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select 
idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" /><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" /><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" /><select idref="V-230295" selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230297" selected="true" /><select idref="V-230298" selected="true" /><select idref="V-230299" selected="true" /><select idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" selected="true" /><select idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select idref="V-230308" selected="true" /><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" /><select idref="V-230312" selected="true" /><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" /><select idref="V-230316" selected="true" /><select idref="V-230317" 
selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" /><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" selected="true" /><select idref="V-230323" selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" /><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select idref="V-230341" selected="true" /><select idref="V-230342" selected="true" /><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select idref="V-230345" selected="true" /><select idref="V-230346" selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" /><select idref="V-230350" selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" selected="true" /><select idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select idref="V-230358" selected="true" /><select idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select idref="V-230362" selected="true" /><select idref="V-230363" selected="true" 
/><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" /><select idref="V-230369" selected="true" /><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" selected="true" /><select idref="V-230388" selected="true" /><select idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230391" selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" /><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select idref="V-230396" selected="true" /><select idref="V-230397" selected="true" /><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" selected="true" /><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" selected="true" /><select 
idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" selected="true" /><select idref="V-230414" selected="true" /><select idref="V-230415" selected="true" /><select idref="V-230416" selected="true" /><select idref="V-230417" selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" /><select idref="V-230420" selected="true" /><select idref="V-230421" selected="true" /><select idref="V-230422" selected="true" /><select idref="V-230423" selected="true" /><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" /><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" selected="true" /><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230440" selected="true" /><select idref="V-230441" selected="true" /><select idref="V-230442" selected="true" /><select idref="V-230443" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230445" selected="true" /><select idref="V-230446" selected="true" /><select idref="V-230447" selected="true" /><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select idref="V-230450" selected="true" /><select idref="V-230451" selected="true" /><select idref="V-230452" selected="true" /><select idref="V-230453" selected="true" /><select idref="V-230454" selected="true" /><select idref="V-230455" selected="true" /><select idref="V-230456" 
selected="true" /><select idref="V-230457" selected="true" /><select idref="V-230458" selected="true" /><select idref="V-230459" selected="true" /><select idref="V-230460" selected="true" /><select idref="V-230461" selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select idref="V-230470" selected="true" /><select idref="V-230471" selected="true" /><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" /><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" /><select idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" selected="true" /><select idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" /><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select idref="V-230499" selected="true" /><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" 
/><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" selected="true" /><select idref="V-230509" selected="true" /><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" selected="true" /><select idref="V-230519" selected="true" /><select idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select idref="V-230529" selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" /><select idref="V-230533" selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" selected="true" /><select idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select 
idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" /><select idref="V-230556" selected="true" /><select idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" /><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" /><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" /><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" /><select idref="V-244519" selected="true" /><select idref="V-244520" selected="true" /><select idref="V-244521" selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" /><select idref="V-244529" selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" /><select idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" /><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" /><select idref="V-244547" selected="true" /><select idref="V-244548" selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" 
selected="true" /><select idref="V-244552" selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select idref="V-250315" selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select 
idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" /><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" /><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" /><select idref="V-230295" selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230297" selected="true" /><select idref="V-230298" selected="true" /><select idref="V-230299" selected="true" /><select idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" 
selected="true" /><select idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select idref="V-230308" selected="true" /><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" /><select idref="V-230312" selected="true" /><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" /><select idref="V-230316" selected="true" /><select idref="V-230317" selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" /><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" selected="true" /><select idref="V-230323" selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" /><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select idref="V-230341" selected="true" /><select idref="V-230342" selected="true" /><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select idref="V-230345" selected="true" /><select idref="V-230346" selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" 
/><select idref="V-230350" selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" selected="true" /><select idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select idref="V-230358" selected="true" /><select idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select idref="V-230362" selected="true" /><select idref="V-230363" selected="true" /><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" /><select idref="V-230369" selected="true" /><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" selected="true" /><select idref="V-230388" selected="true" /><select idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230391" selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" /><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select 
idref="V-230396" selected="true" /><select idref="V-230397" selected="true" /><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" selected="true" /><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" selected="true" /><select idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" selected="true" /><select idref="V-230414" selected="true" /><select idref="V-230415" selected="true" /><select idref="V-230416" selected="true" /><select idref="V-230417" selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" /><select idref="V-230420" selected="true" /><select idref="V-230421" selected="true" /><select idref="V-230422" selected="true" /><select idref="V-230423" selected="true" /><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" /><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" selected="true" /><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230440" selected="true" /><select idref="V-230441" selected="true" /><select idref="V-230442" 
selected="true" /><select idref="V-230443" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230445" selected="true" /><select idref="V-230446" selected="true" /><select idref="V-230447" selected="true" /><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select idref="V-230450" selected="true" /><select idref="V-230451" selected="true" /><select idref="V-230452" selected="true" /><select idref="V-230453" selected="true" /><select idref="V-230454" selected="true" /><select idref="V-230455" selected="true" /><select idref="V-230456" selected="true" /><select idref="V-230457" selected="true" /><select idref="V-230458" selected="true" /><select idref="V-230459" selected="true" /><select idref="V-230460" selected="true" /><select idref="V-230461" selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select idref="V-230470" selected="true" /><select idref="V-230471" selected="true" /><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" /><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" /><select idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" selected="true" /><select idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" 
/><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select idref="V-230499" selected="true" /><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" /><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" selected="true" /><select idref="V-230509" selected="true" /><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" selected="true" /><select idref="V-230519" selected="true" /><select idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select idref="V-230529" selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" /><select idref="V-230533" selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select 
idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" selected="true" /><select idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" /><select idref="V-230556" selected="true" /><select idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" /><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" /><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" /><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" /><select idref="V-244519" selected="true" /><select idref="V-244520" selected="true" /><select idref="V-244521" selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" /><select idref="V-244529" selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" /><select idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" 
selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" /><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" /><select idref="V-244547" selected="true" /><select idref="V-244548" selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" selected="true" /><select idref="V-244552" selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select idref="V-250315" selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /></Profile><Group id="V-230221"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230221r743913_rule" weight="10.0" severity="high"><version>RHEL-08-010000</version><title>RHEL 8 must be a vendor-supported release.</title><description><VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
|
|
|
ff1465 |
+<Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="RHEL_8_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2021-12-03">accepted</status><title>Red Hat Enterprise Linux 8 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 5 Benchmark Date: 27 Jan 2022</plain-text><plain-text id="generator">3.2.2.36079</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>1</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" 
/><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select 
idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" /><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" /><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" /><select idref="V-230295" selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230298" selected="true" /><select idref="V-230299" selected="true" /><select idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" selected="true" /><select idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select idref="V-230308" selected="true" /><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" /><select idref="V-230312" selected="true" /><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" /><select idref="V-230316" selected="true" /><select idref="V-230317" selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" /><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" selected="true" /><select idref="V-230323" 
selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" /><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select idref="V-230341" selected="true" /><select idref="V-230342" selected="true" /><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select idref="V-230345" selected="true" /><select idref="V-230346" selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" /><select idref="V-230350" selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" selected="true" /><select idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select idref="V-230358" selected="true" /><select idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select idref="V-230362" selected="true" /><select idref="V-230363" selected="true" /><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" /><select idref="V-230369" selected="true" 
/><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" selected="true" /><select idref="V-230388" selected="true" /><select idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" /><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select idref="V-230396" selected="true" /><select idref="V-230397" selected="true" /><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" selected="true" /><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" selected="true" /><select idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" /><select idref="V-230421" selected="true" /><select 
idref="V-230422" selected="true" /><select idref="V-230423" selected="true" /><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" /><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" selected="true" /><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230446" selected="true" /><select idref="V-230447" selected="true" /><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select idref="V-230455" selected="true" /><select idref="V-230456" selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select idref="V-230470" selected="true" /><select idref="V-230471" selected="true" /><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" /><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" /><select idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" 
selected="true" /><select idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" /><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select idref="V-230499" selected="true" /><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" /><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" selected="true" /><select idref="V-230509" selected="true" /><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" selected="true" /><select idref="V-230519" selected="true" /><select idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select idref="V-230529" selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" 
/><select idref="V-230533" selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" selected="true" /><select idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" /><select idref="V-230556" selected="true" /><select idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" /><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" /><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" /><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" /><select idref="V-244519" selected="true" /><select idref="V-244521" selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" /><select idref="V-244529" selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" /><select 
idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" /><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" /><select idref="V-244547" selected="true" /><select idref="V-244548" selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" selected="true" /><select idref="V-244552" selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select idref="V-250315" selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /><select idref="V-251706" selected="true" /><select idref="V-251707" selected="true" /><select idref="V-251708" selected="true" /><select idref="V-251709" selected="true" /><select idref="V-251710" selected="true" /><select idref="V-251711" selected="true" /><select idref="V-251712" selected="true" /><select idref="V-251713" selected="true" /><select idref="V-251714" selected="true" /><select idref="V-251715" selected="true" /><select idref="V-251716" selected="true" /><select idref="V-251717" selected="true" /><select idref="V-251718" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select 
idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" 
selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" /><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" /><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" /><select idref="V-230295" selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230298" selected="true" /><select idref="V-230299" selected="true" /><select idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" selected="true" /><select idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select idref="V-230308" selected="true" /><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" /><select idref="V-230312" selected="true" /><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" /><select idref="V-230316" selected="true" /><select idref="V-230317" selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" 
/><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" selected="true" /><select idref="V-230323" selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" /><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select idref="V-230341" selected="true" /><select idref="V-230342" selected="true" /><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select idref="V-230345" selected="true" /><select idref="V-230346" selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" /><select idref="V-230350" selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" selected="true" /><select idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select idref="V-230358" selected="true" /><select idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select idref="V-230362" selected="true" /><select idref="V-230363" selected="true" /><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select 
idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" /><select idref="V-230369" selected="true" /><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" selected="true" /><select idref="V-230388" selected="true" /><select idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" /><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select idref="V-230396" selected="true" /><select idref="V-230397" selected="true" /><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" selected="true" /><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" selected="true" /><select idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" 
selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" /><select idref="V-230421" selected="true" /><select idref="V-230422" selected="true" /><select idref="V-230423" selected="true" /><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" /><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" selected="true" /><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230446" selected="true" /><select idref="V-230447" selected="true" /><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select idref="V-230455" selected="true" /><select idref="V-230456" selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select idref="V-230470" selected="true" /><select idref="V-230471" selected="true" /><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" /><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" 
/><select idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" selected="true" /><select idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" /><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select idref="V-230499" selected="true" /><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" /><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" selected="true" /><select idref="V-230509" selected="true" /><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" selected="true" /><select idref="V-230519" selected="true" /><select idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select 
idref="V-230529" selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" /><select idref="V-230533" selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" selected="true" /><select idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" /><select idref="V-230556" selected="true" /><select idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" /><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" /><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" /><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" /><select idref="V-244519" selected="true" /><select idref="V-244521" selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" /><select idref="V-244529" 
selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" /><select idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" /><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" /><select idref="V-244547" selected="true" /><select idref="V-244548" selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" selected="true" /><select idref="V-244552" selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select idref="V-250315" selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /><select idref="V-251706" selected="true" /><select idref="V-251707" selected="true" /><select idref="V-251708" selected="true" /><select idref="V-251709" selected="true" /><select idref="V-251710" selected="true" /><select idref="V-251711" selected="true" /><select idref="V-251712" selected="true" /><select idref="V-251713" selected="true" /><select idref="V-251714" selected="true" /><select idref="V-251715" selected="true" /><select idref="V-251716" selected="true" /><select idref="V-251717" selected="true" /><select idref="V-251718" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description><ProfileDescription></ProfileDescription></description><select 
idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" 
selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" /><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" /><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" /><select idref="V-230295" selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230298" selected="true" /><select idref="V-230299" selected="true" /><select idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" selected="true" /><select idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select idref="V-230308" selected="true" /><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" /><select idref="V-230312" selected="true" /><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" 
/><select idref="V-230316" selected="true" /><select idref="V-230317" selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" /><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" selected="true" /><select idref="V-230323" selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" /><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select idref="V-230341" selected="true" /><select idref="V-230342" selected="true" /><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select idref="V-230345" selected="true" /><select idref="V-230346" selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" /><select idref="V-230350" selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" selected="true" /><select idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select idref="V-230358" selected="true" /><select idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select 
idref="V-230362" selected="true" /><select idref="V-230363" selected="true" /><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" /><select idref="V-230369" selected="true" /><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" selected="true" /><select idref="V-230388" selected="true" /><select idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" /><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select idref="V-230396" selected="true" /><select idref="V-230397" selected="true" /><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" selected="true" /><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" 
selected="true" /><select idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" /><select idref="V-230421" selected="true" /><select idref="V-230422" selected="true" /><select idref="V-230423" selected="true" /><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" /><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" selected="true" /><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230446" selected="true" /><select idref="V-230447" selected="true" /><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select idref="V-230455" selected="true" /><select idref="V-230456" selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select idref="V-230470" selected="true" /><select idref="V-230471" selected="true" /><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" 
/><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" /><select idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" selected="true" /><select idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" /><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select idref="V-230499" selected="true" /><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" /><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" selected="true" /><select idref="V-230509" selected="true" /><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" selected="true" /><select idref="V-230519" selected="true" /><select idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select 
idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select idref="V-230529" selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" /><select idref="V-230533" selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" selected="true" /><select idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" /><select idref="V-230556" selected="true" /><select idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" /><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" /><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" /><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" /><select idref="V-244519" selected="true" /><select idref="V-244521" selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" 
selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" /><select idref="V-244529" selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" /><select idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" /><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" /><select idref="V-244547" selected="true" /><select idref="V-244548" selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" selected="true" /><select idref="V-244552" selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select idref="V-250315" selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /><select idref="V-251706" selected="true" /><select idref="V-251707" selected="true" /><select idref="V-251708" selected="true" /><select idref="V-251709" selected="true" /><select idref="V-251710" selected="true" /><select idref="V-251711" selected="true" /><select idref="V-251712" selected="true" /><select idref="V-251713" selected="true" /><select idref="V-251714" selected="true" /><select idref="V-251715" selected="true" /><select idref="V-251716" selected="true" /><select idref="V-251717" selected="true" /><select idref="V-251718" selected="true" 
/></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" 
selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" /><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" /><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" /><select idref="V-230295" selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230298" selected="true" /><select idref="V-230299" selected="true" /><select idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" selected="true" /><select idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select idref="V-230308" selected="true" /><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" 
/><select idref="V-230312" selected="true" /><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" /><select idref="V-230316" selected="true" /><select idref="V-230317" selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" /><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" selected="true" /><select idref="V-230323" selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" /><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select idref="V-230341" selected="true" /><select idref="V-230342" selected="true" /><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select idref="V-230345" selected="true" /><select idref="V-230346" selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" /><select idref="V-230350" selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" selected="true" /><select idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select 
idref="V-230358" selected="true" /><select idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select idref="V-230362" selected="true" /><select idref="V-230363" selected="true" /><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" /><select idref="V-230369" selected="true" /><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" selected="true" /><select idref="V-230388" selected="true" /><select idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" /><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select idref="V-230396" selected="true" /><select idref="V-230397" selected="true" /><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" selected="true" /><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" 
selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" selected="true" /><select idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" /><select idref="V-230421" selected="true" /><select idref="V-230422" selected="true" /><select idref="V-230423" selected="true" /><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" /><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" selected="true" /><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230446" selected="true" /><select idref="V-230447" selected="true" /><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select idref="V-230455" selected="true" /><select idref="V-230456" selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select idref="V-230470" selected="true" /><select idref="V-230471" selected="true" 
/><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" /><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" /><select idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" selected="true" /><select idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" /><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select idref="V-230499" selected="true" /><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" /><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" selected="true" /><select idref="V-230509" selected="true" /><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" selected="true" /><select idref="V-230519" selected="true" /><select 
idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select idref="V-230529" selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" /><select idref="V-230533" selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" selected="true" /><select idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" /><select idref="V-230556" selected="true" /><select idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" /><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" /><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" /><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" /><select idref="V-244519" selected="true" /><select idref="V-244521" 
selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" /><select idref="V-244529" selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" /><select idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" /><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" /><select idref="V-244547" selected="true" /><select idref="V-244548" selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" selected="true" /><select idref="V-244552" selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select idref="V-250315" selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /><select idref="V-251706" selected="true" /><select idref="V-251707" selected="true" /><select idref="V-251708" selected="true" /><select idref="V-251709" selected="true" /><select idref="V-251710" selected="true" /><select idref="V-251711" selected="true" /><select idref="V-251712" selected="true" /><select idref="V-251713" selected="true" /><select idref="V-251714" selected="true" 
/><select idref="V-251715" selected="true" /><select idref="V-251716" selected="true" /><select idref="V-251717" selected="true" /><select idref="V-251718" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" 
/><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" /><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" /><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" /><select idref="V-230295" selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230298" selected="true" /><select idref="V-230299" selected="true" /><select idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" selected="true" /><select idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select 
idref="V-230308" selected="true" /><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" /><select idref="V-230312" selected="true" /><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" /><select idref="V-230316" selected="true" /><select idref="V-230317" selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" /><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" selected="true" /><select idref="V-230323" selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" /><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select idref="V-230341" selected="true" /><select idref="V-230342" selected="true" /><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select idref="V-230345" selected="true" /><select idref="V-230346" selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" /><select idref="V-230350" selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" 
selected="true" /><select idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select idref="V-230358" selected="true" /><select idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select idref="V-230362" selected="true" /><select idref="V-230363" selected="true" /><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" /><select idref="V-230369" selected="true" /><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" selected="true" /><select idref="V-230388" selected="true" /><select idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" /><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select idref="V-230396" selected="true" /><select idref="V-230397" selected="true" /><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" selected="true" 
/><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" selected="true" /><select idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" /><select idref="V-230421" selected="true" /><select idref="V-230422" selected="true" /><select idref="V-230423" selected="true" /><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" /><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" selected="true" /><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230446" selected="true" /><select idref="V-230447" selected="true" /><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select idref="V-230455" selected="true" /><select idref="V-230456" selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select 
idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select idref="V-230470" selected="true" /><select idref="V-230471" selected="true" /><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" /><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" /><select idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" selected="true" /><select idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" /><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select idref="V-230499" selected="true" /><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" /><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" selected="true" /><select idref="V-230509" selected="true" /><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" 
selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" selected="true" /><select idref="V-230519" selected="true" /><select idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select idref="V-230529" selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" /><select idref="V-230533" selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" selected="true" /><select idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" /><select idref="V-230556" selected="true" /><select idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" /><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" /><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" 
/><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" /><select idref="V-244519" selected="true" /><select idref="V-244521" selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" /><select idref="V-244529" selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" /><select idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" /><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" /><select idref="V-244547" selected="true" /><select idref="V-244548" selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" selected="true" /><select idref="V-244552" selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select idref="V-250315" selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /><select idref="V-251706" selected="true" /><select idref="V-251707" selected="true" /><select idref="V-251708" selected="true" /><select idref="V-251709" selected="true" /><select idref="V-251710" selected="true" /><select 
idref="V-251711" selected="true" /><select idref="V-251712" selected="true" /><select idref="V-251713" selected="true" /><select idref="V-251714" selected="true" /><select idref="V-251715" selected="true" /><select idref="V-251716" selected="true" /><select idref="V-251717" selected="true" /><select idref="V-251718" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" 
/><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" /><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" /><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" /><select idref="V-230295" selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230298" selected="true" /><select idref="V-230299" selected="true" /><select idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" selected="true" /><select 
idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select idref="V-230308" selected="true" /><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" /><select idref="V-230312" selected="true" /><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" /><select idref="V-230316" selected="true" /><select idref="V-230317" selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" /><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" selected="true" /><select idref="V-230323" selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" /><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select idref="V-230341" selected="true" /><select idref="V-230342" selected="true" /><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select idref="V-230345" selected="true" /><select idref="V-230346" selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" /><select idref="V-230350" 
selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" selected="true" /><select idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select idref="V-230358" selected="true" /><select idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select idref="V-230362" selected="true" /><select idref="V-230363" selected="true" /><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" /><select idref="V-230369" selected="true" /><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" selected="true" /><select idref="V-230388" selected="true" /><select idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" /><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select idref="V-230396" selected="true" /><select idref="V-230397" selected="true" 
/><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" selected="true" /><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" selected="true" /><select idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" /><select idref="V-230421" selected="true" /><select idref="V-230422" selected="true" /><select idref="V-230423" selected="true" /><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" /><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" selected="true" /><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230446" selected="true" /><select idref="V-230447" selected="true" /><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select idref="V-230455" selected="true" /><select idref="V-230456" selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select 
idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select idref="V-230470" selected="true" /><select idref="V-230471" selected="true" /><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" /><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" /><select idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" selected="true" /><select idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" /><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select idref="V-230499" selected="true" /><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" /><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" selected="true" /><select idref="V-230509" selected="true" /><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" 
selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" selected="true" /><select idref="V-230519" selected="true" /><select idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select idref="V-230529" selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" /><select idref="V-230533" selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" selected="true" /><select idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" /><select idref="V-230556" selected="true" /><select idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" 
/><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" /><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" /><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" /><select idref="V-244519" selected="true" /><select idref="V-244521" selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" /><select idref="V-244529" selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" /><select idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" /><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" /><select idref="V-244547" selected="true" /><select idref="V-244548" selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" selected="true" /><select idref="V-244552" selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select idref="V-250315" selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /><select idref="V-251706" selected="true" /><select 
idref="V-251707" selected="true" /><select idref="V-251708" selected="true" /><select idref="V-251709" selected="true" /><select idref="V-251710" selected="true" /><select idref="V-251711" selected="true" /><select idref="V-251712" selected="true" /><select idref="V-251713" selected="true" /><select idref="V-251714" selected="true" /><select idref="V-251715" selected="true" /><select idref="V-251716" selected="true" /><select idref="V-251717" selected="true" /><select idref="V-251718" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" 
/><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" /><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" /><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" /><select idref="V-230295" selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230298" selected="true" /><select idref="V-230299" selected="true" /><select 
idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" selected="true" /><select idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select idref="V-230308" selected="true" /><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" /><select idref="V-230312" selected="true" /><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" /><select idref="V-230316" selected="true" /><select idref="V-230317" selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" /><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" selected="true" /><select idref="V-230323" selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" /><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select idref="V-230341" selected="true" /><select idref="V-230342" selected="true" /><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select idref="V-230345" selected="true" /><select idref="V-230346" 
selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" /><select idref="V-230350" selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" selected="true" /><select idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select idref="V-230358" selected="true" /><select idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select idref="V-230362" selected="true" /><select idref="V-230363" selected="true" /><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" /><select idref="V-230369" selected="true" /><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" selected="true" /><select idref="V-230388" selected="true" /><select idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" 
/><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select idref="V-230396" selected="true" /><select idref="V-230397" selected="true" /><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" selected="true" /><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" selected="true" /><select idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" /><select idref="V-230421" selected="true" /><select idref="V-230422" selected="true" /><select idref="V-230423" selected="true" /><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" /><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" selected="true" /><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230446" selected="true" /><select idref="V-230447" selected="true" /><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select 
idref="V-230455" selected="true" /><select idref="V-230456" selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select idref="V-230470" selected="true" /><select idref="V-230471" selected="true" /><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" /><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" /><select idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" selected="true" /><select idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" /><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select idref="V-230499" selected="true" /><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" /><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" 
selected="true" /><select idref="V-230509" selected="true" /><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" selected="true" /><select idref="V-230519" selected="true" /><select idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select idref="V-230529" selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" /><select idref="V-230533" selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" selected="true" /><select idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" 
/><select idref="V-230556" selected="true" /><select idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" /><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" /><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" /><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" /><select idref="V-244519" selected="true" /><select idref="V-244521" selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" /><select idref="V-244529" selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" /><select idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" /><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" /><select idref="V-244547" selected="true" /><select idref="V-244548" selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" selected="true" /><select idref="V-244552" selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select 
idref="V-250315" selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /><select idref="V-251706" selected="true" /><select idref="V-251707" selected="true" /><select idref="V-251708" selected="true" /><select idref="V-251709" selected="true" /><select idref="V-251710" selected="true" /><select idref="V-251711" selected="true" /><select idref="V-251712" selected="true" /><select idref="V-251713" selected="true" /><select idref="V-251714" selected="true" /><select idref="V-251715" selected="true" /><select idref="V-251716" selected="true" /><select idref="V-251717" selected="true" /><select idref="V-251718" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select 
idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" /><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" /><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" /><select idref="V-230295" 
selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230298" selected="true" /><select idref="V-230299" selected="true" /><select idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" selected="true" /><select idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select idref="V-230308" selected="true" /><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" /><select idref="V-230312" selected="true" /><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" /><select idref="V-230316" selected="true" /><select idref="V-230317" selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" /><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" selected="true" /><select idref="V-230323" selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" /><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select idref="V-230341" selected="true" /><select idref="V-230342" selected="true" 
/><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select idref="V-230345" selected="true" /><select idref="V-230346" selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" /><select idref="V-230350" selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" selected="true" /><select idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select idref="V-230358" selected="true" /><select idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select idref="V-230362" selected="true" /><select idref="V-230363" selected="true" /><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" /><select idref="V-230369" selected="true" /><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" selected="true" /><select idref="V-230388" selected="true" /><select 
idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" /><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select idref="V-230396" selected="true" /><select idref="V-230397" selected="true" /><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" selected="true" /><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" selected="true" /><select idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" /><select idref="V-230421" selected="true" /><select idref="V-230422" selected="true" /><select idref="V-230423" selected="true" /><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" /><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" selected="true" /><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230446" 
selected="true" /><select idref="V-230447" selected="true" /><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select idref="V-230455" selected="true" /><select idref="V-230456" selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select idref="V-230470" selected="true" /><select idref="V-230471" selected="true" /><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" /><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" /><select idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" selected="true" /><select idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" /><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select idref="V-230499" selected="true" /><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" 
/><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" selected="true" /><select idref="V-230509" selected="true" /><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" selected="true" /><select idref="V-230519" selected="true" /><select idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select idref="V-230529" selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" /><select idref="V-230533" selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" selected="true" /><select idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select 
idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" /><select idref="V-230556" selected="true" /><select idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" /><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" /><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" /><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" /><select idref="V-244519" selected="true" /><select idref="V-244521" selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" /><select idref="V-244529" selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" /><select idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" /><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" /><select idref="V-244547" selected="true" /><select idref="V-244548" selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" selected="true" /><select idref="V-244552" 
selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select idref="V-250315" selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /><select idref="V-251706" selected="true" /><select idref="V-251707" selected="true" /><select idref="V-251708" selected="true" /><select idref="V-251709" selected="true" /><select idref="V-251710" selected="true" /><select idref="V-251711" selected="true" /><select idref="V-251712" selected="true" /><select idref="V-251713" selected="true" /><select idref="V-251714" selected="true" /><select idref="V-251715" selected="true" /><select idref="V-251716" selected="true" /><select idref="V-251717" selected="true" /><select idref="V-251718" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description><ProfileDescription></ProfileDescription></description><select idref="V-230221" selected="true" /><select idref="V-230222" selected="true" /><select idref="V-230223" selected="true" /><select idref="V-230224" selected="true" /><select idref="V-230225" selected="true" /><select idref="V-230226" selected="true" /><select idref="V-230227" selected="true" /><select idref="V-230228" selected="true" /><select idref="V-230229" selected="true" /><select idref="V-230230" selected="true" /><select idref="V-230231" selected="true" /><select idref="V-230232" selected="true" /><select idref="V-230233" selected="true" /><select idref="V-230234" selected="true" /><select idref="V-230235" selected="true" /><select idref="V-230236" selected="true" /><select idref="V-230237" selected="true" /><select idref="V-230238" selected="true" /><select idref="V-230239" selected="true" /><select idref="V-230240" selected="true" /><select idref="V-230241" selected="true" /><select idref="V-230243" selected="true" /><select idref="V-230244" selected="true" /><select 
idref="V-230245" selected="true" /><select idref="V-230246" selected="true" /><select idref="V-230247" selected="true" /><select idref="V-230248" selected="true" /><select idref="V-230249" selected="true" /><select idref="V-230250" selected="true" /><select idref="V-230251" selected="true" /><select idref="V-230252" selected="true" /><select idref="V-230253" selected="true" /><select idref="V-230254" selected="true" /><select idref="V-230255" selected="true" /><select idref="V-230256" selected="true" /><select idref="V-230257" selected="true" /><select idref="V-230258" selected="true" /><select idref="V-230259" selected="true" /><select idref="V-230260" selected="true" /><select idref="V-230261" selected="true" /><select idref="V-230262" selected="true" /><select idref="V-230263" selected="true" /><select idref="V-230264" selected="true" /><select idref="V-230265" selected="true" /><select idref="V-230266" selected="true" /><select idref="V-230267" selected="true" /><select idref="V-230268" selected="true" /><select idref="V-230269" selected="true" /><select idref="V-230270" selected="true" /><select idref="V-230271" selected="true" /><select idref="V-230272" selected="true" /><select idref="V-230273" selected="true" /><select idref="V-230274" selected="true" /><select idref="V-230275" selected="true" /><select idref="V-230276" selected="true" /><select idref="V-230277" selected="true" /><select idref="V-230278" selected="true" /><select idref="V-230279" selected="true" /><select idref="V-230280" selected="true" /><select idref="V-230281" selected="true" /><select idref="V-230282" selected="true" /><select idref="V-230283" selected="true" /><select idref="V-230284" selected="true" /><select idref="V-230285" selected="true" /><select idref="V-230286" selected="true" /><select idref="V-230287" selected="true" /><select idref="V-230288" selected="true" /><select idref="V-230289" selected="true" /><select idref="V-230290" selected="true" /><select idref="V-230291" 
selected="true" /><select idref="V-230292" selected="true" /><select idref="V-230293" selected="true" /><select idref="V-230294" selected="true" /><select idref="V-230295" selected="true" /><select idref="V-230296" selected="true" /><select idref="V-230298" selected="true" /><select idref="V-230299" selected="true" /><select idref="V-230300" selected="true" /><select idref="V-230301" selected="true" /><select idref="V-230302" selected="true" /><select idref="V-230303" selected="true" /><select idref="V-230304" selected="true" /><select idref="V-230305" selected="true" /><select idref="V-230306" selected="true" /><select idref="V-230307" selected="true" /><select idref="V-230308" selected="true" /><select idref="V-230309" selected="true" /><select idref="V-230310" selected="true" /><select idref="V-230311" selected="true" /><select idref="V-230312" selected="true" /><select idref="V-230313" selected="true" /><select idref="V-230314" selected="true" /><select idref="V-230315" selected="true" /><select idref="V-230316" selected="true" /><select idref="V-230317" selected="true" /><select idref="V-230318" selected="true" /><select idref="V-230319" selected="true" /><select idref="V-230320" selected="true" /><select idref="V-230321" selected="true" /><select idref="V-230322" selected="true" /><select idref="V-230323" selected="true" /><select idref="V-230324" selected="true" /><select idref="V-230325" selected="true" /><select idref="V-230326" selected="true" /><select idref="V-230327" selected="true" /><select idref="V-230328" selected="true" /><select idref="V-230329" selected="true" /><select idref="V-230330" selected="true" /><select idref="V-230331" selected="true" /><select idref="V-230332" selected="true" /><select idref="V-230333" selected="true" /><select idref="V-230334" selected="true" /><select idref="V-230335" selected="true" /><select idref="V-230336" selected="true" /><select idref="V-230337" selected="true" /><select idref="V-230338" selected="true" 
/><select idref="V-230339" selected="true" /><select idref="V-230340" selected="true" /><select idref="V-230341" selected="true" /><select idref="V-230342" selected="true" /><select idref="V-230343" selected="true" /><select idref="V-230344" selected="true" /><select idref="V-230345" selected="true" /><select idref="V-230346" selected="true" /><select idref="V-230347" selected="true" /><select idref="V-230348" selected="true" /><select idref="V-230349" selected="true" /><select idref="V-230350" selected="true" /><select idref="V-230351" selected="true" /><select idref="V-230352" selected="true" /><select idref="V-230353" selected="true" /><select idref="V-230354" selected="true" /><select idref="V-230355" selected="true" /><select idref="V-230356" selected="true" /><select idref="V-230357" selected="true" /><select idref="V-230358" selected="true" /><select idref="V-230359" selected="true" /><select idref="V-230360" selected="true" /><select idref="V-230361" selected="true" /><select idref="V-230362" selected="true" /><select idref="V-230363" selected="true" /><select idref="V-230364" selected="true" /><select idref="V-230365" selected="true" /><select idref="V-230366" selected="true" /><select idref="V-230367" selected="true" /><select idref="V-230368" selected="true" /><select idref="V-230369" selected="true" /><select idref="V-230370" selected="true" /><select idref="V-230371" selected="true" /><select idref="V-230372" selected="true" /><select idref="V-230373" selected="true" /><select idref="V-230374" selected="true" /><select idref="V-230375" selected="true" /><select idref="V-230376" selected="true" /><select idref="V-230377" selected="true" /><select idref="V-230378" selected="true" /><select idref="V-230379" selected="true" /><select idref="V-230380" selected="true" /><select idref="V-230381" selected="true" /><select idref="V-230382" selected="true" /><select idref="V-230383" selected="true" /><select idref="V-230384" selected="true" /><select 
idref="V-230385" selected="true" /><select idref="V-230386" selected="true" /><select idref="V-230387" selected="true" /><select idref="V-230388" selected="true" /><select idref="V-230389" selected="true" /><select idref="V-230390" selected="true" /><select idref="V-230392" selected="true" /><select idref="V-230393" selected="true" /><select idref="V-230394" selected="true" /><select idref="V-230395" selected="true" /><select idref="V-230396" selected="true" /><select idref="V-230397" selected="true" /><select idref="V-230398" selected="true" /><select idref="V-230399" selected="true" /><select idref="V-230400" selected="true" /><select idref="V-230401" selected="true" /><select idref="V-230402" selected="true" /><select idref="V-230403" selected="true" /><select idref="V-230404" selected="true" /><select idref="V-230405" selected="true" /><select idref="V-230406" selected="true" /><select idref="V-230407" selected="true" /><select idref="V-230408" selected="true" /><select idref="V-230409" selected="true" /><select idref="V-230410" selected="true" /><select idref="V-230411" selected="true" /><select idref="V-230412" selected="true" /><select idref="V-230413" selected="true" /><select idref="V-230418" selected="true" /><select idref="V-230419" selected="true" /><select idref="V-230421" selected="true" /><select idref="V-230422" selected="true" /><select idref="V-230423" selected="true" /><select idref="V-230424" selected="true" /><select idref="V-230425" selected="true" /><select idref="V-230426" selected="true" /><select idref="V-230427" selected="true" /><select idref="V-230428" selected="true" /><select idref="V-230429" selected="true" /><select idref="V-230430" selected="true" /><select idref="V-230431" selected="true" /><select idref="V-230432" selected="true" /><select idref="V-230433" selected="true" /><select idref="V-230434" selected="true" /><select idref="V-230435" selected="true" /><select idref="V-230436" selected="true" /><select idref="V-230437" 
selected="true" /><select idref="V-230438" selected="true" /><select idref="V-230439" selected="true" /><select idref="V-230444" selected="true" /><select idref="V-230446" selected="true" /><select idref="V-230447" selected="true" /><select idref="V-230448" selected="true" /><select idref="V-230449" selected="true" /><select idref="V-230455" selected="true" /><select idref="V-230456" selected="true" /><select idref="V-230462" selected="true" /><select idref="V-230463" selected="true" /><select idref="V-230464" selected="true" /><select idref="V-230465" selected="true" /><select idref="V-230466" selected="true" /><select idref="V-230467" selected="true" /><select idref="V-230468" selected="true" /><select idref="V-230469" selected="true" /><select idref="V-230470" selected="true" /><select idref="V-230471" selected="true" /><select idref="V-230472" selected="true" /><select idref="V-230473" selected="true" /><select idref="V-230474" selected="true" /><select idref="V-230475" selected="true" /><select idref="V-230476" selected="true" /><select idref="V-230477" selected="true" /><select idref="V-230478" selected="true" /><select idref="V-230479" selected="true" /><select idref="V-230480" selected="true" /><select idref="V-230481" selected="true" /><select idref="V-230482" selected="true" /><select idref="V-230483" selected="true" /><select idref="V-230484" selected="true" /><select idref="V-230485" selected="true" /><select idref="V-230486" selected="true" /><select idref="V-230487" selected="true" /><select idref="V-230488" selected="true" /><select idref="V-230489" selected="true" /><select idref="V-230491" selected="true" /><select idref="V-230492" selected="true" /><select idref="V-230493" selected="true" /><select idref="V-230494" selected="true" /><select idref="V-230495" selected="true" /><select idref="V-230496" selected="true" /><select idref="V-230497" selected="true" /><select idref="V-230498" selected="true" /><select idref="V-230499" selected="true" 
/><select idref="V-230500" selected="true" /><select idref="V-230502" selected="true" /><select idref="V-230503" selected="true" /><select idref="V-230504" selected="true" /><select idref="V-230505" selected="true" /><select idref="V-230506" selected="true" /><select idref="V-230507" selected="true" /><select idref="V-230508" selected="true" /><select idref="V-230509" selected="true" /><select idref="V-230510" selected="true" /><select idref="V-230511" selected="true" /><select idref="V-230512" selected="true" /><select idref="V-230513" selected="true" /><select idref="V-230514" selected="true" /><select idref="V-230515" selected="true" /><select idref="V-230516" selected="true" /><select idref="V-230517" selected="true" /><select idref="V-230518" selected="true" /><select idref="V-230519" selected="true" /><select idref="V-230520" selected="true" /><select idref="V-230521" selected="true" /><select idref="V-230522" selected="true" /><select idref="V-230523" selected="true" /><select idref="V-230524" selected="true" /><select idref="V-230525" selected="true" /><select idref="V-230526" selected="true" /><select idref="V-230527" selected="true" /><select idref="V-230529" selected="true" /><select idref="V-230530" selected="true" /><select idref="V-230531" selected="true" /><select idref="V-230532" selected="true" /><select idref="V-230533" selected="true" /><select idref="V-230534" selected="true" /><select idref="V-230535" selected="true" /><select idref="V-230536" selected="true" /><select idref="V-230537" selected="true" /><select idref="V-230538" selected="true" /><select idref="V-230539" selected="true" /><select idref="V-230540" selected="true" /><select idref="V-230541" selected="true" /><select idref="V-230542" selected="true" /><select idref="V-230543" selected="true" /><select idref="V-230544" selected="true" /><select idref="V-230545" selected="true" /><select idref="V-230546" selected="true" /><select idref="V-230547" selected="true" /><select 
idref="V-230548" selected="true" /><select idref="V-230549" selected="true" /><select idref="V-230550" selected="true" /><select idref="V-230551" selected="true" /><select idref="V-230552" selected="true" /><select idref="V-230553" selected="true" /><select idref="V-230554" selected="true" /><select idref="V-230555" selected="true" /><select idref="V-230556" selected="true" /><select idref="V-230557" selected="true" /><select idref="V-230558" selected="true" /><select idref="V-230559" selected="true" /><select idref="V-230560" selected="true" /><select idref="V-230561" selected="true" /><select idref="V-237640" selected="true" /><select idref="V-237641" selected="true" /><select idref="V-237642" selected="true" /><select idref="V-237643" selected="true" /><select idref="V-244519" selected="true" /><select idref="V-244521" selected="true" /><select idref="V-244522" selected="true" /><select idref="V-244523" selected="true" /><select idref="V-244524" selected="true" /><select idref="V-244525" selected="true" /><select idref="V-244526" selected="true" /><select idref="V-244527" selected="true" /><select idref="V-244528" selected="true" /><select idref="V-244529" selected="true" /><select idref="V-244530" selected="true" /><select idref="V-244531" selected="true" /><select idref="V-244532" selected="true" /><select idref="V-244533" selected="true" /><select idref="V-244534" selected="true" /><select idref="V-244535" selected="true" /><select idref="V-244536" selected="true" /><select idref="V-244537" selected="true" /><select idref="V-244538" selected="true" /><select idref="V-244539" selected="true" /><select idref="V-244540" selected="true" /><select idref="V-244541" selected="true" /><select idref="V-244542" selected="true" /><select idref="V-244543" selected="true" /><select idref="V-244544" selected="true" /><select idref="V-244545" selected="true" /><select idref="V-244546" selected="true" /><select idref="V-244547" selected="true" /><select idref="V-244548" 
selected="true" /><select idref="V-244549" selected="true" /><select idref="V-244550" selected="true" /><select idref="V-244551" selected="true" /><select idref="V-244552" selected="true" /><select idref="V-244553" selected="true" /><select idref="V-244554" selected="true" /><select idref="V-245540" selected="true" /><select idref="V-250315" selected="true" /><select idref="V-250316" selected="true" /><select idref="V-250317" selected="true" /><select idref="V-251706" selected="true" /><select idref="V-251707" selected="true" /><select idref="V-251708" selected="true" /><select idref="V-251709" selected="true" /><select idref="V-251710" selected="true" /><select idref="V-251711" selected="true" /><select idref="V-251712" selected="true" /><select idref="V-251713" selected="true" /><select idref="V-251714" selected="true" /><select idref="V-251715" selected="true" /><select idref="V-251716" selected="true" /><select idref="V-251717" selected="true" /><select idref="V-251718" selected="true" /></Profile><Group id="V-230221"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230221r743913_rule" weight="10.0" severity="high"><version>RHEL-08-010000</version><title>RHEL 8 must be a vendor-supported release.</title><description><VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32865r567410_fix">Upgrade to a supported version of RHEL 8.</fixtext><fix id="F-32865r567410_fix" /><check system="C-32890r743912_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the version of the operating system is vendor supported.
@@ -80,13 +80,13 @@ $ sudo cat /proc/sys/crypto/fips_enabled
1
-If FIPS mode is not "on", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of "1" for "fips_enabled" in "/proc/sys/crypto", this is a finding.</check-content></check></Rule></Group><Group id="V-230224"><title>SRG-OS-000185-GPOS-00079</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230224r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010030</version><title>All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.</title><description><VulnDiscussion>RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
+If FIPS mode is not "on", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of "1" for "fips_enabled" in "/proc/sys/crypto", this is a finding.</check-content></check></Rule></Group><Group id="V-230224"><title>SRG-OS-000185-GPOS-00079</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230224r809268_rule" weight="10.0" severity="medium"><version>RHEL-08-010030</version><title>All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.</title><description><VulnDiscussion>RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).
Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001199</ident><fixtext fixref="F-32868r567419_fix">Configure RHEL 8 to prevent unauthorized modification of all information at rest by using disk encryption.
-Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.</fixtext><fix id="F-32868r567419_fix" /><check system="C-32893r567418_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption.
+Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.</fixtext><fix id="F-32868r567419_fix" /><check system="C-32893r809267_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption.
If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable.
@@ -96,7 +96,7 @@ $ sudo blkid
|
|
|
ff1465 |
|
|
|
ff1465 |
/dev/mapper/rhel-root: UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS"
|
|
|
ff1465 |
|
|
|
ff1465 |
-Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that all local disk partitions are encrypted, this is a finding.</check-content></check></Rule></Group><Group id="V-230225"><title>SRG-OS-000023-GPOS-00006</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230225r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010040</version><title>RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.</title><description><VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
|
|
|
ff1465 |
+Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.</check-content></check></Rule></Group><Group id="V-230225"><title>SRG-OS-000023-GPOS-00006</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230225r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010040</version><title>RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.</title><description><VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
|
|
|
ff1465 |
|
|
|
ff1465 |
System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
|
|
|
ff1465 |
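Review bot: The added finding criterion contradicts the sentence that opens it: "Every persistent disk partition present must be of type "crypto_LUKS"" is kept, while the next sentence now exempts the boot partition. "The boot partition" is also left undefined, and the UEFI rule later in this file refers to /boot/efi, so the text does not say whether the EFI system partition falls under the exemption. This manual is imported text and presumably stays verbatim, so I would settle the scope in the rule that implements the check, with a comment such as `Exempt only /boot and /boot/efi; every other persistent partition must be crypto_LUKS`. The enclosing Rule element starts before this hunk.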
|
|
|
ff1465 |
@@ -293,7 +293,7 @@ $ sudo grep -E '(auth.*|authpriv.*|daemon.*)' /etc/rsyslog.conf
|
|
|
ff1465 |
|
|
|
ff1465 |
auth.*;authpriv.*;daemon.* /var/log/secure
|
|
|
ff1465 |
|
|
|
ff1465 |
-If "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged, this is a finding.</check-content></check></Rule></Group><Group id="V-230229"><title>SRG-OS-000066-GPOS-00034</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230229r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010090</version><title>RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.</title><description><VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.
|
|
|
ff1465 |
+If "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged, this is a finding.</check-content></check></Rule></Group><Group id="V-230229"><title>SRG-OS-000066-GPOS-00034</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230229r809270_rule" weight="10.0" severity="medium"><version>RHEL-08-010090</version><title>RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.</title><description><VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.
|
|
|
ff1465 |
|
|
|
ff1465 |
A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC.
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -301,11 +301,11 @@ When there is a chain of trust, usually the top entity to be trusted becomes the
|
|
|
ff1465 |
|
|
|
ff1465 |
This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.
|
|
|
ff1465 |
|
|
|
ff1465 |
-Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000185</ident><fixtext fixref="F-32873r567434_fix">Configure RHEL 8, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
|
|
|
ff1465 |
+Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000185</ident><fixtext fixref="F-32873r809269_fix">Configure RHEL 8, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
|
|
|
ff1465 |
|
|
|
ff1465 |
-Obtain a valid copy of the DoD root CA file from the PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into the following file:
|
|
|
ff1465 |
+Obtain a valid copy of the DoD root CA file from the PKI CA certificate bundle at cyber.mil and copy into the following file:
|
|
|
ff1465 |
|
|
|
ff1465 |
-/etc/sssd/pki/sssd_auth_ca_db.pem</fixtext><fix id="F-32873r567434_fix" /><check system="C-32898r567433_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
|
|
|
ff1465 |
+/etc/sssd/pki/sssd_auth_ca_db.pem</fixtext><fix id="F-32873r809269_fix" /><check system="C-32898r567433_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
|
|
|
ff1465 |
|
|
|
ff1465 |
Check that the system has a valid DoD root CA installed with the following command:
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -356,19 +356,19 @@ $ sudo cut -d: -f2 /etc/shadow
|
|
|
ff1465 |
|
|
|
ff1465 |
$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
|
|
|
ff1465 |
|
|
|
ff1465 |
-Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with "$6$", this is a finding.</check-content></check></Rule></Group><Group id="V-230233"><title>SRG-OS-000073-GPOS-00041</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230233r743919_rule" weight="10.0" severity="medium"><version>RHEL-08-010130</version><title>The RHEL 8 password-auth file must be configured to use a sufficient number of hashing rounds.</title><description><VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.
|
|
|
ff1465 |
+Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with "$6$", this is a finding.</check-content></check></Rule></Group><Group id="V-230233"><title>SRG-OS-000073-GPOS-00041</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230233r809273_rule" weight="10.0" severity="medium"><version>RHEL-08-010130</version><title>The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.</title><description><VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.
|
|
|
ff1465 |
|
|
|
ff1465 |
-Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000196</ident><fixtext fixref="F-32877r743918_fix">Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.
|
|
|
ff1465 |
+Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000196</ident><fixtext fixref="F-32877r809272_fix">Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.
|
|
|
ff1465 |
|
|
|
ff1465 |
-Edit/modify the following line in the "/etc/pam.d/password-auth" file and set "rounds" to a value no lower than "5000":
|
|
|
ff1465 |
+Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "5000":
|
|
|
ff1465 |
|
|
|
ff1465 |
-password sufficient pam_unix.so sha512 rounds=5000</fixtext><fix id="F-32877r743918_fix" /><check system="C-32902r743917_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check that a minimum number of hash rounds is configured by running the following command:
|
|
|
ff1465 |
+SHA_CRYPT_MIN_ROUNDS 5000</fixtext><fix id="F-32877r809272_fix" /><check system="C-32902r809271_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check that a minimum number of hash rounds is configured by running the following command:
|
|
|
ff1465 |
|
|
|
ff1465 |
-$ sudo grep rounds /etc/pam.d/password-auth
|
|
|
ff1465 |
+$ sudo egrep "^SHA_CRYPT_" /etc/login.defs
|
|
|
ff1465 |
|
|
|
ff1465 |
-password sufficient pam_unix.so sha512 rounds=5000
|
|
|
ff1465 |
+If only one of "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is set, and this value is below "5000", this is a finding.
|
|
|
ff1465 |
|
|
|
ff1465 |
-If "rounds" has a value below "5000", or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230234"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230234r743922_rule" weight="10.0" severity="high"><version>RHEL-08-010140</version><title>RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.</title><description><VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-32878r743921_fix">Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.
|
|
|
ff1465 |
+If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.</check-content></check></Rule></Group><Group id="V-230234"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230234r743922_rule" weight="10.0" severity="high"><version>RHEL-08-010140</version><title>RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.</title><description><VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-32878r743921_fix">Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file.
|
|
|
ff1465 |
|
|
|
ff1465 |
Generate an encrypted grub2 password for the grub superusers account with the following command:
|
|
|
ff1465 |
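Review bot: The second finding condition in the added check text tests the upper bound instead of the lower one, because with both values set it only fails when "the highest value for either is below 5000". A pair such as `SHA_CRYPT_MIN_ROUNDS 1000` and `SHA_CRYPT_MAX_ROUNDS 6000` therefore passes, although as far as I know shadow-utils uses the highest value only when MIN exceeds MAX and otherwise may pick any count in the range (worth confirming against login.defs(5) on the target release). The fix text in the same hunk asks for `SHA_CRYPT_MIN_ROUNDS` no lower than 5000, so check and fix disagree. The check also gives no verdict when `egrep "^SHA_CRYPT_"` prints nothing, whereas the removed text treated a commented-out setting as a finding. I would leave the imported text verbatim and have the automated check follow the fix text, treating `SHA_CRYPT_MIN_ROUNDS` below 5000 as a finding whenever it is set; the Rule elements at both ends of the hunk continue outside it.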
|
|
|
ff1465 |
@@ -404,21 +404,21 @@ $ sudo grep sulogin-shell /usr/lib/systemd/system/rescue.service
|
|
|
ff1465 |
|
|
|
ff1465 |
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell rescue", commented out, or missing, this is a finding.</check-content></check></Rule></Group><Group id="V-230237"><title>SRG-OS-000120-GPOS-00061</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230237r743931_rule" weight="10.0" severity="medium"><version>RHEL-08-010160</version><title>The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.</title><description><VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
|
|
|
ff1465 |
+If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell rescue", commented out, or missing, this is a finding.</check-content></check></Rule></Group><Group id="V-230237"><title>SRG-OS-000120-GPOS-00061</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230237r809276_rule" weight="10.0" severity="medium"><version>RHEL-08-010160</version><title>The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.</title><description><VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
|
|
|
ff1465 |
|
|
|
ff1465 |
RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
|
|
|
ff1465 |
|
|
|
ff1465 |
-FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000803</ident><fixtext fixref="F-32881r743930_fix">Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
|
|
|
ff1465 |
+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000803</ident><fixtext fixref="F-32881r809275_fix">Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
|
|
|
ff1465 |
|
|
|
ff1465 |
Edit/modify the following line in the "/etc/pam.d/password-auth" file to include the sha512 option for pam_unix.so:
|
|
|
ff1465 |
|
|
|
ff1465 |
-password sufficient pam_unix.so sha512 rounds=5000</fixtext><fix id="F-32881r743930_fix" /><check system="C-32906r743929_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that the pam_unix.so module is configured to use sha512.
|
|
|
ff1465 |
+password sufficient pam_unix.so sha512</fixtext><fix id="F-32881r809275_fix" /><check system="C-32906r809274_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that the pam_unix.so module is configured to use sha512.
|
|
|
ff1465 |
|
|
|
ff1465 |
Check that the pam_unix.so module is configured to use sha512 in /etc/pam.d/password-auth with the following command:
|
|
|
ff1465 |
|
|
|
ff1465 |
$ sudo grep password /etc/pam.d/password-auth | grep pam_unix
|
|
|
ff1465 |
|
|
|
ff1465 |
-password sufficient pam_unix.so sha512 rounds=5000
|
|
|
ff1465 |
+password sufficient pam_unix.so sha512
|
|
|
ff1465 |
|
|
|
ff1465 |
If "sha512" is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230238"><title>SRG-OS-000120-GPOS-00061</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230238r646862_rule" weight="10.0" severity="medium"><version>RHEL-08-010161</version><title>RHEL 8 must prevent system daemons from using Kerberos for authentication.</title><description><VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -661,25 +661,40 @@ $ sudo update-crypto-policies --show
|
|
|
ff1465 |
|
|
|
ff1465 |
FIPS
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the system-wide crypto policy is set to anything other than "FIPS", this is a finding.</check-content></check></Rule></Group><Group id="V-230255"><title>SRG-OS-000250-GPOS-00093</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230255r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010294</version><title>The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.</title><description><VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-32899r567512_fix">Configure the RHEL 8 OpenSSL library to use only DoD-approved TLS encryption by editing the following line in the "/etc/crypto-policies/back-ends/opensslcnf.config" file:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-MinProtocol = TLSv1.2
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-A reboot is required for the changes to take effect.</fixtext><fix id="F-32899r567512_fix" /><check system="C-32924r567511_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the OpenSSL library is configured to use only DoD-approved TLS encryption:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-MinProtocol = TLSv1.2
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the "MinProtocol" is set to anything older than "TLSv1.2", this is a finding.</check-content></check></Rule></Group><Group id="V-230256"><title>SRG-OS-000250-GPOS-00093</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230256r792859_rule" weight="10.0" severity="medium"><version>RHEL-08-010295</version><title>The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.</title><description><VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
|
|
|
ff1465 |
+If the system-wide crypto policy is set to anything other than "FIPS", this is a finding.</check-content></check></Rule></Group><Group id="V-230255"><title>SRG-OS-000250-GPOS-00093</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230255r809382_rule" weight="10.0" severity="medium"><version>RHEL-08-010294</version><title>The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.</title><description><VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+RHEL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-32899r809381_fix">Configure the RHEL 8 OpenSSL library to use only DoD-approved TLS encryption by editing the following line in the "/etc/crypto-policies/back-ends/opensslcnf.config" file:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+For versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch:
|
|
|
ff1465 |
+MinProtocol = TLSv1.2
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+For version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer:
|
|
|
ff1465 |
+TLS.MinProtocol = TLSv1.2
|
|
|
ff1465 |
+DTLS.MinProtocol = DTLSv1.2
|
|
|
ff1465 |
+A reboot is required for the changes to take effect.</fixtext><fix id="F-32899r809381_fix" /><check system="C-32924r809380_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the OpenSSL library is configured to use only DoD-approved TLS encryption:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+For versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+MinProtocol = TLSv1.2
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If the "MinProtocol" is set to anything older than "TLSv1.2", this is a finding.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+For version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+TLS.MinProtocol = TLSv1.2
|
|
|
ff1465 |
+DTLS.MinProtocol = DTLSv1.2
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If the "TLS.MinProtocol" is set to anything older than "TLSv1.2" or the "DTLS.MinProtocol" is set to anything older than DTLSv1.2, this is a finding.</check-content></check></Rule></Group><Group id="V-230256"><title>SRG-OS-000250-GPOS-00093</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230256r792859_rule" weight="10.0" severity="medium"><version>RHEL-08-010295</version><title>The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.</title><description><VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
|
|
|
ff1465 |
|
|
|
ff1465 |
Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. SQL Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.
|
|
|
ff1465 |
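Review bot: The rewritten check text branches on the installed build (`crypto-policies-20210617-1.gitc776d3e.el8.noarch`) but gives no command to find out which build is present, so an assessor cannot choose a branch from the text alone. A line such as `$ sudo rpm -q crypto-policies` ahead of the two branches would close that gap. Both branches run the same `grep -i MinProtocol`, so an automated check has to accept either `MinProtocol = TLSv1.2` or the `TLS.MinProtocol`/`DTLS.MinProtocol` pair, and should decide explicitly what a missing `DTLS.MinProtocol` line means, since the text only covers a value that is too old. The fix text edits a file under `/etc/crypto-policies/back-ends/`, which I believe `update-crypto-policies` regenerates, so it is worth confirming that a hand edit survives the next policy change.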
|
|
|
ff1465 |
@@ -1077,23 +1092,23 @@ $ sudo yum list installed openssl-pkcs11
|
|
|
ff1465 |
|
|
|
ff1465 |
openssl-pkcs11.x86_64 0.4.8-2.el8 @anaconda
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the "openssl-pkcs11" package is not installed, ask the administrator to indicate what type of multifactor authentication is being utilized and what packages are installed to support it. If there is no evidence of multifactor authentication being used, this is a finding.</check-content></check></Rule></Group><Group id="V-230274"><title>SRG-OS-000375-GPOS-00160</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230274r743945_rule" weight="10.0" severity="medium"><version>RHEL-08-010400</version><title>RHEL 8 must implement certificate status checking for multifactor authentication.</title><description><VulnDiscussion>Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected.
|
|
|
ff1465 |
+If the "openssl-pkcs11" package is not installed, ask the administrator to indicate what type of multifactor authentication is being utilized and what packages are installed to support it. If there is no evidence of multifactor authentication being used, this is a finding.</check-content></check></Rule></Group><Group id="V-230274"><title>SRG-OS-000375-GPOS-00160</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230274r809281_rule" weight="10.0" severity="medium"><version>RHEL-08-010400</version><title>RHEL 8 must implement certificate status checking for multifactor authentication.</title><description><VulnDiscussion>Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected.
|
|
|
ff1465 |
|
|
|
ff1465 |
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC.
|
|
|
ff1465 |
|
|
|
ff1465 |
RHEL 8 includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function.
|
|
|
ff1465 |
|
|
|
ff1465 |
-Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001948</ident><fixtext fixref="F-32918r567569_fix">Configure the operating system to implement certificate status checking for multifactor authentication.
|
|
|
ff1465 |
+Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001948</ident><fixtext fixref="F-32918r809280_fix">Configure the operating system to implement certificate status checking for multifactor authentication.
|
|
|
ff1465 |
|
|
|
ff1465 |
Review the "/etc/sssd/sssd.conf" file to determine if the system is configured to prevent OCSP or certificate verification.
|
|
|
ff1465 |
|
|
|
ff1465 |
-Add the following line to the "/etc/sssd/sssd.conf" file:
|
|
|
ff1465 |
+Add the following line to the [sssd] section of the "/etc/sssd/sssd.conf" file:
|
|
|
ff1465 |
|
|
|
ff1465 |
certificate_verification = ocsp_dgst=sha1
|
|
|
ff1465 |
|
|
|
ff1465 |
The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
|
|
|
ff1465 |
|
|
|
ff1465 |
-$ sudo systemctl restart sssd.service</fixtext><fix id="F-32918r567569_fix" /><check system="C-32943r743944_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system implements certificate status checking for multifactor authentication.
|
|
|
ff1465 |
+$ sudo systemctl restart sssd.service</fixtext><fix id="F-32918r809280_fix" /><check system="C-32943r743944_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system implements certificate status checking for multifactor authentication.
|
|
|
ff1465 |
|
|
|
ff1465 |
Check to see if Online Certificate Status Protocol (OCSP) is enabled and using the proper digest value on the system with the following command:
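Review bot: The fix text for RHEL-08-010400 now requires the option in the `[sssd]` section, but the check keeps its old revision id (`C-32943r743944_chk`) and its text continues outside this hunk. If that check still greps the whole file, it would presumably accept the line in any section, so the rule derived from this reference should match `certificate_verification` only inside `[sssd]`. Separately, the discussion says sssd defaults to a sha256 digest while the unchanged fix line sets `ocsp_dgst=sha1`. That mismatch is worth a comment in the derived rule so nobody treats the sha1 value as a hardening step.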
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -1455,23 +1470,7 @@ $ sudo grep -i PermitRootLogin /etc/ssh/sshd_config
|
|
|
ff1465 |
|
|
|
ff1465 |
PermitRootLogin no
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230297"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230297r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010560</version><title>The auditd service must be running in RHEL 8.</title><description><VulnDiscussion>Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32941r567638_fix">Start the auditd service, and enable the auditd service with the following commands:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo systemctl start auditd.service
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo systemctl enable auditd.service</fixtext><fix id="F-32941r567638_fix" /><check system="C-32966r567637_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the audit service is enabled and active with the following commands:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo systemctl is-enabled auditd
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-enabled
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo systemctl is-active auditd
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-active
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the service is not "enabled" and "active" this is a finding.</check-content></check></Rule></Group><Group id="V-230298"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230298r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010561</version><title>The rsyslog service must be running in RHEL 8.</title><description><VulnDiscussion>Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.
|
|
|
ff1465 |
+If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230298"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230298r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-010561</version><title>The rsyslog service must be running in RHEL 8.</title><description><VulnDiscussion>Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.
|
|
|
ff1465 |
|
|
|
ff1465 |
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32942r567641_fix">Start the auditd service, and enable the rsyslog service with the following commands:
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -2361,23 +2360,41 @@ $ sudo grep -i lock-command /etc/tmux.conf
|
|
|
ff1465 |
|
|
|
ff1465 |
set -g lock-command vlock
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the "lock-command" is not set in the global settings to call "vlock", this is a finding.</check-content></check></Rule></Group><Group id="V-230349"><title>SRG-OS-000028-GPOS-00009</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230349r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020041</version><title>RHEL 8 must ensure session control is automatically started at shell initialization.</title><description><VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000056</ident><fixtext fixref="F-32993r567794_fix">Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following line to the end of the "/etc/bashrc" configuration file:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-[ -n "$PS1" -a -z "$TMUX" ] && exec tmux
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-This setting will take effect at next logon.</fixtext><fix id="F-32993r567794_fix" /><check system="C-33018r567793_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following command:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -i tmux /etc/bashrc
|
|
|
ff1465 |
+If the "lock-command" is not set in the global settings to call "vlock", this is a finding.</check-content></check></Rule></Group><Group id="V-230349"><title>SRG-OS-000028-GPOS-00009</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230349r810020_rule" weight="10.0" severity="medium"><version>RHEL-08-020041</version><title>RHEL 8 must ensure session control is automatically started at shell initialization.</title><description><VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000056</ident><fixtext fixref="F-32993r809283_fix">Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory:
|
|
|
ff1465 |
|
|
|
ff1465 |
-[ -n "$PS1" -a -z "$TMUX" ] && exec tmux
|
|
|
ff1465 |
+If [ "$PS1" ]; then
|
|
|
ff1465 |
+parent=$(ps -o ppid= -p $$)
|
|
|
ff1465 |
+name=$(ps -o comm= -p $parent)
|
|
|
ff1465 |
+case "$name" in (sshd|login) exec tmux ;; esac
|
|
|
ff1465 |
+fi
|
|
|
ff1465 |
|
|
|
ff1465 |
-If "tmux" is not configured as the example above, is commented out, or missing from the "/etc/bashrc" initialization file, this is a finding.</check-content></check></Rule></Group><Group id="V-230350"><title>SRG-OS-000028-GPOS-00009</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230350r627750_rule" weight="10.0" severity="low"><version>RHEL-08-020042</version><title>RHEL 8 must prevent users from disabling session control mechanisms.</title><description><VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
|
|
|
ff1465 |
+This setting will take effect at next logon.</fixtext><fix id="F-32993r809283_fix" /><check system="C-33018r810019_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Determine if tmux is currently running:
|
|
|
ff1465 |
+$ sudo ps all | grep tmux | grep -v grep
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If the command does not produce output, this is a finding.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Determine the location of the tmux script:
|
|
|
ff1465 |
+$ sudo grep tmux /etc/bashrc/etc/profile.d/*
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+/etc/profile.d/tmux.sh: case "$name" in (sshd|login) exec tmux ;; esac
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Review the tmux script by using the following example:
|
|
|
ff1465 |
+$ sudo cat /etc/profile.d/tmux.sh
|
|
|
ff1465 |
+If [ "$PS1" ]; then
|
|
|
ff1465 |
+parent=$(ps -o ppid= -p $$)
|
|
|
ff1465 |
+name=$(ps -o comm= -p $parent)
|
|
|
ff1465 |
+case "$name" in (sshd|login) exec tmux ;; esac
|
|
|
ff1465 |
+fi
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If "tmux" is not configured as the example above, is commented out, or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-230350"><title>SRG-OS-000028-GPOS-00009</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230350r627750_rule" weight="10.0" severity="low"><version>RHEL-08-020042</version><title>RHEL 8 must prevent users from disabling session control mechanisms.</title><description><VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
|
|
|
ff1465 |
|
|
|
ff1465 |
The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
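Review bot: The shell snippet added to the fix text, and repeated in the check example, opens with `If [ "$PS1" ]; then`. `If` is not a shell keyword, so a script copied verbatim into /etc/profile.d/ will not parse and tmux will not start; any remediation derived from this text should use `if [ "$PS1" ]; then`. The new check command `sudo grep tmux /etc/bashrc/etc/profile.d/*` is missing a space between the two paths and should read `sudo grep tmux /etc/bashrc /etc/profile.d/*`. The fix names the script `custom.sh` while the check example shows `/etc/profile.d/tmux.sh`, so an automated check should match on content rather than on file name. The first check step (`ps all | grep tmux`) also reports a finding whenever no interactive session is open at scan time, which is worth stating in the rule's notes.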
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -2520,31 +2537,23 @@ matchrule =<SAN>.*EDIPI@mil
|
|
|
ff1465 |
maprule = (userCertificate;binary={cert!bin})
|
|
|
ff1465 |
domains = testing.test
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the certmap section does not exist, ask the System Administrator to indicate how certificates are mapped to accounts. If there is no evidence of certificate mapping, this is a finding.</check-content></check></Rule></Group><Group id="V-230356"><title>SRG-OS-000069-GPOS-00037</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230356r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020100</version><title>RHEL 8 must ensure a password complexity module is enabled.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both:
|
|
|
ff1465 |
-/etc/pam.d/password-auth
|
|
|
ff1465 |
-/etc/pam.d/system-auth
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Note the value of "retry" set in these configuration files should be between "1" and "3". Manual changes to the listed files may be overwritten by the "authselect" program.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000192</ident><fixtext fixref="F-33000r567815_fix">Configure the operating system to use "pwquality" to enforce password complexity rules.
|
|
|
ff1465 |
+If the certmap section does not exist, ask the System Administrator to indicate how certificates are mapped to accounts. If there is no evidence of certificate mapping, this is a finding.</check-content></check></Rule></Group><Group id="V-230356"><title>SRG-OS-000069-GPOS-00037</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230356r809379_rule" weight="10.0" severity="medium"><version>RHEL-08-020100</version><title>RHEL 8 must ensure the password complexity module is enabled in the password-auth file.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both:
|
|
|
ff1465 |
+/etc/pam.d/password-auth
|
|
|
ff1465 |
+/etc/pam.d/system-auth</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33000r809286_fix">Configure the operating system to use "pwquality" to enforce password complexity rules.
|
|
|
ff1465 |
|
|
|
ff1465 |
-Add the following line to both "/etc/pam.d/password-auth" and "/etc/pam.d/system-auth" (or modify the line to have the required value):
|
|
|
ff1465 |
+Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value):
|
|
|
ff1465 |
|
|
|
ff1465 |
-password required pam_pwquality.so retry=3</fixtext><fix id="F-33000r567815_fix" /><check system="C-33025r567814_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system uses "pwquality" to enforce the password complexity rules.
|
|
|
ff1465 |
+password required pam_pwquality.so</fixtext><fix id="F-33000r809286_fix" /><check system="C-33025r809285_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system uses "pwquality" to enforce the password complexity rules.
|
|
|
ff1465 |
|
|
|
ff1465 |
-Check for the use of "pwquality" with the following commands:
|
|
|
ff1465 |
+Check for the use of "pwquality" in the password-auth file with the following command:
|
|
|
ff1465 |
|
|
|
ff1465 |
$ sudo cat /etc/pam.d/password-auth | grep pam_pwquality
|
|
|
ff1465 |
|
|
|
ff1465 |
-password required pam_pwquality.so retry=3
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo cat /etc/pam.d/system-auth | grep pam_pwquality
|
|
|
ff1465 |
+password required pam_pwquality.so
|
|
|
ff1465 |
|
|
|
ff1465 |
-password required pam_pwquality.so retry=3
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If both commands do not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the value of "retry" is set to "0" or greater than "3", this is a finding.</check-content></check></Rule></Group><Group id="V-230357"><title>SRG-OS-000069-GPOS-00037</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230357r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020110</version><title>RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
|
|
ff1465 |
+If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230357"><title>SRG-OS-000069-GPOS-00037</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230357r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020110</version><title>RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
|
|
ff1465 |
|
|
|
ff1465 |
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
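Review bot: The new fix text for RHEL-08-020100 still has the administrator hand-edit `/etc/pam.d/password-auth`, yet this revision drops the sentence warning that authselect may overwrite manual changes. A remediation built from it should go through the authselect profile, or at least keep that warning. The discussion still says pwquality "is set in both" password-auth and system-auth, but the fix and check now cover only password-auth, and the `retry` bound is no longer verified. Whether system-auth and `retry` are covered by other rules in this revision is not visible in this hunk, so confirm the profile selects them before relying on this rule alone.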
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -2586,7 +2595,7 @@ $ sudo grep dcredit /etc/security/pwquality.conf
|
|
|
ff1465 |
|
|
|
ff1465 |
dcredit = -1
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the value of "dcredit" is a positive number or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230360"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230360r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020140</version><title>RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
|
|
ff1465 |
+If the value of "dcredit" is a positive number or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230360"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230360r809289_rule" weight="10.0" severity="medium"><version>RHEL-08-020140</version><title>RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
|
|
ff1465 |
|
|
|
ff1465 |
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -2594,13 +2603,13 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "
|
|
|
ff1465 |
|
|
|
ff1465 |
Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value):
|
|
|
ff1465 |
|
|
|
ff1465 |
-maxclassrepeat = 4</fixtext><fix id="F-33004r567827_fix" /><check system="C-33029r567826_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command:
|
|
|
ff1465 |
+maxclassrepeat = 4</fixtext><fix id="F-33004r567827_fix" /><check system="C-33029r809288_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command:
|
|
|
ff1465 |
|
|
|
ff1465 |
$ sudo grep maxclassrepeat /etc/security/pwquality.conf
|
|
|
ff1465 |
|
|
|
ff1465 |
maxclassrepeat = 4
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the value of "maxclassrepeat" is set to more than "4" or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230361"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230361r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020150</version><title>RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
|
|
ff1465 |
+If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230361"><title>SRG-OS-000072-GPOS-00040</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230361r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020150</version><title>RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
|
|
|
ff1465 |
|
|
|
ff1465 |
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
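Review bot: The updated finding condition for RHEL-08-020140 covers `maxclassrepeat` set to "0", set above "4", or commented out, but it says nothing about the line being absent. In pwquality an unset `maxclassrepeat` falls back to the default of 0, which disables the check, so an automated test derived from this text should treat a missing line as a finding and pass only values 1 through 4. The fix revision (`F-33004r567827_fix`) is unchanged and still sets `maxclassrepeat = 4`, so no remediation change is implied.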
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -2675,21 +2684,21 @@ $ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow
|
|
|
ff1465 |
|
|
|
ff1465 |
$ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow
|
|
|
ff1465 |
|
|
|
ff1465 |
-If any results are returned that are not associated with a system account, this is a finding.</check-content></check></Rule></Group><Group id="V-230368"><title>SRG-OS-000077-GPOS-00045</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230368r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-020220</version><title>RHEL 8 passwords must be prohibited from reuse for a minimum of five generations.</title><description><VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-RHEL 8 utilizes "pwquality" consecutively as a mechanism to enforce password complexity. This is set in both:
|
|
|
ff1465 |
-/etc/pam.d/password-auth
|
|
|
ff1465 |
-/etc/pam.d/system-auth.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Note that manual changes to the listed files may be overwritten by the "authselect" program.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000200</ident><fixtext fixref="F-33012r567851_fix">Configure the operating system to prohibit password reuse for a minimum of five generations.
|
|
|
ff1465 |
+If any results are returned that are not associated with a system account, this is a finding.</check-content></check></Rule></Group><Group id="V-230368"><title>SRG-OS-000077-GPOS-00045</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230368r810414_rule" weight="10.0" severity="medium"><version>RHEL-08-020220</version><title>RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.</title><description><VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+RHEL 8 uses "pwhistory" consecutively as a mechanism to prohibit password reuse. This is set in both:
|
|
|
ff1465 |
+/etc/pam.d/password-auth
|
|
|
ff1465 |
+/etc/pam.d/system-auth.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Note that manual changes to the listed files may be overwritten by the "authselect" program.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000200</ident><fixtext fixref="F-33012r809291_fix">Configure the operating system in the password-auth file to prohibit password reuse for a minimum of five generations.
|
|
|
ff1465 |
|
|
|
ff1465 |
-Add the following line in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" (or modify the line to have the required value):
|
|
|
ff1465 |
+Add the following line in "/etc/pam.d/password-auth" (or modify the line to have the required value):
|
|
|
ff1465 |
|
|
|
ff1465 |
-password required pam_pwhistory.so use_authtok remember=5 retry=3</fixtext><fix id="F-33012r567851_fix" /><check system="C-33037r567850_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system prohibits password reuse for a minimum of five generations.
|
|
|
ff1465 |
+password required pam_pwhistory.so use_authtok remember=5 retry=3</fixtext><fix id="F-33012r809291_fix" /><check system="C-33037r809290_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured in the password-auth file to prohibit password reuse for a minimum of five generations.
|
|
|
ff1465 |
|
|
|
ff1465 |
-Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" with the following command:
|
|
|
ff1465 |
+Check for the value of the "remember" argument in "/etc/pam.d/password-auth" with the following command:
|
|
|
ff1465 |
|
|
|
ff1465 |
-$ sudo grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth
|
|
|
ff1465 |
+$ sudo grep -i remember /etc/pam.d/password-auth
|
|
|
ff1465 |
|
|
|
ff1465 |
password required pam_pwhistory.so use_authtok remember=5 retry=3
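Review bot: The revised RHEL-08-020220 fix and check text now name only `/etc/pam.d/password-auth`, and the check command no longer reads `system-auth`, yet the VulnDiscussion added in the same hunk still says pwhistory "is set in both" files. Any automated check or remediation in this repository mapped to RHEL-08-020220 should be confirmed to still cover `/etc/pam.d/system-auth`, presumably through a separate rule in this STIG revision that is not visible here. Otherwise a host with `remember=5` only in password-auth would pass while services whose PAM stack includes system-auth keep no password history. When assessing hosts, the previous command `sudo grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth` still shows both files, and since the text warns that authselect may overwrite manual edits, the result should be re-checked after an authselect regeneration. The rest of the `<check-content>` element, including the finding statement, lies outside this hunk.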
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -3065,23 +3074,7 @@ $ sudo grep disk_error_action /etc/audit/auditd.conf
|
|
|
ff1465 |
|
|
|
ff1465 |
disk_error_action = HALT
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. If there is no evidence of appropriate action, this is a finding.</check-content></check></Rule></Group><Group id="V-230391"><title>SRG-OS-000047-GPOS-00023</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230391r743998_rule" weight="10.0" severity="medium"><version>RHEL-08-030050</version><title>The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full.</title><description><VulnDiscussion>It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When availability is an overriding concern, other approved actions in response to an audit failure are as follows:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000140</ident><fixtext fixref="F-33035r743997_fix">Configure RHEL 8 to notify the System Administrator (SA) and Information System Security Officer (ISSO) when the audit storage volume is full by configuring the "max_log_file_action" parameter in the "/etc/audit/auditd.conf" file with the a value of "syslog" or "keep_logs":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-max_log_file_action = syslog</fixtext><fix id="F-33035r743997_fix" /><check system="C-33060r567919_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that the SA and ISSO (at a minimum) are notified when the audit storage volume is full.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Check which action RHEL 8 takes when the audit storage volume is full with the following command:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep max_log_file_action /etc/audit/auditd.conf
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-max_log_file_action=syslog
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the value of the "max_log_file_action" option is set to "ignore", "rotate", or "suspend", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action, this is a finding.</check-content></check></Rule></Group><Group id="V-230392"><title>SRG-OS-000047-GPOS-00023</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230392r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030060</version><title>The RHEL 8 audit system must take appropriate action when the audit storage volume is full.</title><description><VulnDiscussion>It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.
|
|
|
ff1465 |
+If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. If there is no evidence of appropriate action, this is a finding.</check-content></check></Rule></Group><Group id="V-230392"><title>SRG-OS-000047-GPOS-00023</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230392r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030060</version><title>The RHEL 8 audit system must take appropriate action when the audit storage volume is full.</title><description><VulnDiscussion>It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.
|
|
|
ff1465 |
|
|
|
ff1465 |
When availability is an overriding concern, other approved actions in response to an audit failure are as follows:
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -3453,127 +3446,40 @@ $ sudo grep -w /usr/bin/su /etc/audit/audit.rules
|
|
|
ff1465 |
|
|
|
ff1465 |
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230413"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230413r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030200</version><title>The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). "Lremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33057r567986_fix">Configure RHEL 8 to audit the execution of the "lremovexattr" system call, by adding or updating the following lines to "/etc/audit/rules.d/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33057r567986_fix" /><check system="C-33082r567985_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify if RHEL 8 is configured to audit the execution of the "lremovexattr" system call, by running the following command:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w lremovexattr /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return all lines, or the lines are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230414"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230414r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030210</version><title>The RHEL 8 audit system must be configured to audit any usage of the removexattr system call.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). "Removexattr" is a system call that removes extended attributes.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33058r567989_fix">Configure RHEL 8 to audit the execution of the "removexattr" system call, by adding or updating the following lines to "/etc/audit/rules.d/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33058r567989_fix" /><check system="C-33083r567988_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify if RHEL 8 is configured to audit the execution of the "removexattr" system call, by running the following command:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w removexattr /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return all lines, or the lines are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230415"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230415r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030220</version><title>The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). "Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33059r567992_fix">Configure RHEL 8 to audit the execution of the "lsetxattr" system call, by adding or updating the following lines to "/etc/audit/rules.d/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33059r567992_fix" /><check system="C-33084r567991_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify if RHEL 8 is configured to audit the execution of the "lsetxattr" system call, by running the following command:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w lsetxattr /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return all lines, or the lines are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230416"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230416r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030230</version><title>The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). "Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The auid representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33060r567995_fix">Configure RHEL 8 to audit the execution of the "fsetxattr" system call, by adding or updating the following lines to "/etc/audit/rules.d/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33060r567995_fix" /><check system="C-33085r567994_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify if RHEL 8 is configured to audit the execution of the "fsetxattr" system call, by running the following command:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w fsetxattr /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return all lines, or the lines are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230417"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230417r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030240</version><title>The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). "Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33061r567998_fix">Configure RHEL 8 to audit the execution of the "fremovexattr" system call by adding or updating the following lines to "/etc/audit/rules.d/audit.rules":
|
|
|
ff1465 |
+If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230413"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230413r810463_rule" weight="10.0" severity="medium"><version>RHEL-08-030200</version><title>The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Audit records can be generated from various components within the information system (e.g., module or policy filter).
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+"Setxattr" is a system call used to set an extended attribute value.
|
|
|
ff1465 |
+"Fsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a file.
|
|
|
ff1465 |
+"Lsetxattr" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link.
|
|
|
ff1465 |
+"Removexattr" is a system call that removes extended attributes.
|
|
|
ff1465 |
+"Fremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from a file.
|
|
|
ff1465 |
+"Lremovexattr" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33057r809294_fix">Configure RHEL 8 to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls by adding or updating the following lines to "/etc/audit/rules.d/audit.rules":
|
|
|
ff1465 |
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33061r567998_fix" /><check system="C-33086r567997_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify if RHEL 8 is configured to audit the execution of the "fremovexattr" system call, by running the following command:
|
|
|
ff1465 |
+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33057r809294_fix" /><check system="C-33082r809293_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify if RHEL 8 is configured to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls by running the following command:
|
|
|
ff1465 |
|
|
|
ff1465 |
-$ sudo grep -w fremovexattr /etc/audit/audit.rules
|
|
|
ff1465 |
+$ sudo grep xattr /etc/audit/audit.rules
|
|
|
ff1465 |
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the command does not return all lines, or the lines are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230418"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230418r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030250</version><title>Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
+If the command does not return an audit rule for "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" or any of the lines returned are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230418"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230418r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030250</version><title>Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
|
|
|
ff1465 |
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chage" command is used to change or view user password expiry information.
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -3605,31 +3511,7 @@ $ sudo grep -w chcon /etc/audit/audit.rules
|
|
|
ff1465 |
|
|
|
ff1465 |
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230420"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230420r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030270</version><title>The RHEL 8 audit system must be configured to audit any usage of the setxattr system call.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). "Setxattr" is a system call used to set an extended attribute value.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33064r568007_fix">Configure RHEL 8 to audit the execution of the "setxattr" system call, by adding or updating the following lines to "/etc/audit/rules.d/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33064r568007_fix" /><check system="C-33089r619871_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify if RHEL 8 is configured to audit the execution of the "setxattr" system call, by running the following command:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w setxattr /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return all lines, or the lines are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230421"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230421r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030280</version><title>Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
+If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230421"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230421r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030280</version><title>Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
|
|
|
ff1465 |
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-agent" is a program to hold private keys used for public key authentication.
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -3903,115 +3785,52 @@ $ sudo grep -w newgrp /etc/audit/audit.rules
|
|
|
ff1465 |
|
|
|
ff1465 |
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230438"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230438r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030360</version><title>Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" command is used to load a kernel module.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33082r568061_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "init_module" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=unset -k module_chng
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=unset -k module_chng
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33082r568061_fix" /><check system="C-33107r568060_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "init_module" command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w "init_module" /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=unset -k module_chng
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=unset -k module_chng
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230439"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230439r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030361</version><title>Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" command will rename the specified files by replacing the first occurrence of expression in their name by replacement.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33083r568064_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "rename" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33083r568064_fix" /><check system="C-33108r568063_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "rename" command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w "rename" /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230440"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230440r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030362</version><title>Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "renameat" command renames a file, moving it between directories if required.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33084r568067_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "renameat" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33084r568067_fix" /><check system="C-33109r568066_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "renameat" command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w "renameat" /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230441"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230441r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030363</version><title>Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rmdir" command removes empty directories.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33085r568070_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "rmdir" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33085r568070_fix" /><check system="C-33110r568069_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "rmdir" command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w "rmdir" /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230442"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230442r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030364</version><title>Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "unlink" command deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33086r568073_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "unlink" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33086r568073_fix" /><check system="C-33111r568072_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "unlink" command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w "unlink" /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230443"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230443r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030365</version><title>Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33087r568076_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "unlinkat" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33087r568076_fix" /><check system="C-33112r568075_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "unlinkat" command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w "unlinkat" /etc/audit/audit.rules
|
|
|
ff1465 |
+If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230438"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230438r810464_rule" weight="10.0" severity="medium"><version>RHEL-08-030360</version><title>Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33082r810448_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "init_module" and "finit_module" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng
|
|
|
ff1465 |
+-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33082r810448_fix" /><check system="C-33107r810447_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the "init_module" and "finit_module" system calls by using the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo grep init_module /etc/audit/audit.rules
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng
|
|
|
ff1465 |
+-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If the command does not return an audit rule for "init_module" and "finit_module" or any of the lines returned are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230439"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230439r810465_rule" weight="10.0" severity="medium"><version>RHEL-08-030361</version><title>Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse.
|
|
|
ff1465 |
+The "rmdir" system call removes empty directories.
|
|
|
ff1465 |
+The "renameat" system call renames a file, moving it between directories if required.
|
|
|
ff1465 |
+The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33083r809301_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
|
|
|
ff1465 |
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
+-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
+-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230444"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230444r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030370</version><title>Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33083r809301_fix" /><check system="C-33108r810451_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls by using the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo grep 'rename\|unlink\|rmdir' /etc/audit/audit.rules
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
+-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If the command does not return an audit rule for "rename", "unlink", "rmdir", "renameat", and "unlinkat" or any of the lines returned are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230444"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230444r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030370</version><title>Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
|
|
|
ff1465 |
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "gpasswd" command is used to administer /etc/group and /etc/gshadow. Every group can have administrators, members and a password.
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -4027,24 +3846,6 @@ $ sudo grep -w gpasswd /etc/audit/audit.rules
|
|
|
ff1465 |
|
|
|
ff1465 |
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230445"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230445r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030380</version><title>Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "finit_module" command is used to load a kernel module.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33089r568082_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "finit_module" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=unset -k module_chng
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=unset -k module_chng
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33089r568082_fix" /><check system="C-33114r568081_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "finit_module" command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w "finit_module" /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=unset -k module_chng
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=unset -k module_chng
|
|
|
ff1465 |
-
|
|
|
ff1465 |
If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230446"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230446r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030390</version><title>Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
|
|
|
ff1465 |
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "delete_module" command is used to unload a kernel module.
|
|
|
ff1465 |
@@ -4095,277 +3896,87 @@ $ sudo grep -w chsh /etc/audit/audit.rules
|
|
|
ff1465 |
|
|
|
ff1465 |
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230449"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230449r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030420</version><title>Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33093r568094_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "truncate" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33093r568094_fix" /><check system="C-33118r568093_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "truncate" command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -iw truncate /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return all lines, or the lines are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230450"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230450r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030430</version><title>Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "openat" system call opens a file specified by a relative pathname.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33094r568097_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "openat" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33094r568097_fix" /><check system="C-33119r568096_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "openat" command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -iw openat /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return all lines, or the lines are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230451"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230451r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030440</version><title>Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "open system" call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open".
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33095r568100_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "open" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33095r568100_fix" /><check system="C-33120r568099_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "open" system call by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -iw open /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return all lines, or the lines are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230452"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230452r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030450</version><title>Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of openat into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33096r568103_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "open_by_handle_at" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33096r568103_fix" /><check system="C-33121r568102_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "open_by_handle_at" system call by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -iw open_by_handle_at /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return all lines, or the lines are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230453"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230453r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030460</version><title>Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33097r568106_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ftruncate" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33097r568106_fix" /><check system="C-33122r568105_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "ftruncate" command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -iw ftruncate /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return all lines, or the lines are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230454"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230454r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030470</version><title>Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "creat" system call is used to open and possibly create a file or device.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33098r568109_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "creat" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33098r568109_fix" /><check system="C-33123r568108_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "creat" system call by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -iw creat /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return all lines, or the lines are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230455"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230455r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030480</version><title>Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33099r568112_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chown" command by adding or updating the following line to "/etc/audit/rules.d/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33099r568112_fix" /><check system="C-33124r568111_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "chown" command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w chown /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230456"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230456r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030490</version><title>Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" command changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33100r568115_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chmod" command by adding or updating the following line to "/etc/audit/rules.d/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33100r568115_fix" /><check system="C-33125r568114_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "chmod" command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w chmod /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230457"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230457r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030500</version><title>Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33101r568118_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "lchown" system call by adding or updating the following lines to "/etc/audit/rules.d/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33101r568118_fix" /><check system="C-33126r568117_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "lchown" system call by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w lchown /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230458"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230458r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030510</version><title>Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33102r568121_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchownat" system call by adding or updating the following lines to "/etc/audit/rules.d/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33102r568121_fix" /><check system="C-33127r568120_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "fchownat" system call by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w fchownat /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230459"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230459r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030520</version><title>Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33103r568124_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchown" system call by adding or updating the following line to "/etc/audit/rules.d/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33103r568124_fix" /><check system="C-33128r568123_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "fchown" system call by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w fchown /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230460"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230460r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030530</version><title>Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33104r568127_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchmodat" system call by adding or updating the following lines to "/etc/audit/rules.d/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33104r568127_fix" /><check system="C-33129r568126_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "fchmodat" system call by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep -w fchmodat /etc/audit/audit.rules
|
|
|
ff1465 |
-
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230461"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230461r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030540</version><title>Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Audit records can be generated from various components within the information system (e.g., module or policy filter). The "fchmod" system call is used to change permissions of a file.
|
|
|
ff1465 |
+If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230449"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230449r810455_rule" weight="10.0" severity="medium"><version>RHEL-08-030420</version><title>Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+The "creat" system call is used to open and possibly create a file or device.
|
|
|
ff1465 |
+The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open".
|
|
|
ff1465 |
+The "openat" system call opens a file specified by a relative pathname.
|
|
|
ff1465 |
+The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33093r809304_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
|
|
|
ff1465 |
|
|
|
ff1465 |
-When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
+-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
+-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
|
|
|
ff1465 |
-Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33105r568130_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchmod" system call by adding or updating the following line to "/etc/audit/rules.d/audit.rules":
|
|
|
ff1465 |
+-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
+-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33093r809304_fix" /><check system="C-33118r810454_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls by using the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo grep 'open\|truncate\|creat' /etc/audit/audit.rules
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
+-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
+-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
|
|
|
ff1465 |
+If the output does not produce rules containing "-F exit=-EACCES", this is a finding.
|
|
|
ff1465 |
+If the command does not return an audit rule for "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" or any of the lines returned are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230455"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230455r810459_rule" weight="10.0" severity="medium"><version>RHEL-08-030480</version><title>Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chown" command is used to change file owner and group.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor.
|
|
|
ff1465 |
+The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor.
|
|
|
ff1465 |
+The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33099r809307_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chown", "fchown", "fchownat", and "lchown" system calls by adding or updating the following line to "/etc/audit/rules.d/audit.rules":
|
|
|
ff1465 |
|
|
|
ff1465 |
-The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33105r568130_fix" /><check system="C-33130r568129_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "fchmod" system call by performing the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
+-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
+-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
|
|
|
ff1465 |
-$ sudo grep -w fchmod /etc/audit/audit.rules
|
|
|
ff1465 |
+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33099r809307_fix" /><check system="C-33124r810458_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the "chown", "fchown", "fchownat" and "lchown" system calls by using the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo grep chown /etc/audit/audit.rules
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
+-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If audit rules are not defined for "chown", "fchown", "fchownat", and "lchown" or any of the lines returned are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230456"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230456r810462_rule" weight="10.0" severity="medium"><version>RHEL-08-030490</version><title>Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+The "fchmod" system call is used to change permissions of a file.
|
|
|
ff1465 |
+The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-33100r809310_fix">Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chmod", "fchmod", and "fchmodat" syscalls by adding or updating the following line to "/etc/audit/rules.d/audit.rules":
|
|
|
ff1465 |
|
|
|
ff1465 |
--a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
--a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230462"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230462r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030550</version><title>Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-33100r809310_fix" /><check system="C-33125r810461_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" syscalls by using the following command to check the file system rules in "/etc/audit/audit.rules":
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo grep chmod /etc/audit/audit.rules
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If the command does not return an audit rule for "chmod", "fchmod", and "fchmodat", or any of the lines returned are commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-230462"><title>SRG-OS-000062-GPOS-00031</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230462r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030550</version><title>Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record.</title><description><VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
|
|
|
ff1465 |
|
|
|
ff1465 |
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "sudo" command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -4714,17 +4325,17 @@ $ sudo egrep '(\/usr\/sbin\/(audit|au))' /etc/aide.conf
|
|
|
ff1465 |
/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512
|
|
|
ff1465 |
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
|
|
|
ff1465 |
|
|
|
ff1465 |
-If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.</check-content></check></Rule></Group><Group id="V-230476"><title>SRG-OS-000341-GPOS-00132</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230476r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-030660</version><title>RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.</title><description><VulnDiscussion>To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity.
|
|
|
ff1465 |
+If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.</check-content></check></Rule></Group><Group id="V-230476"><title>SRG-OS-000341-GPOS-00132</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230476r809313_rule" weight="10.0" severity="medium"><version>RHEL-08-030660</version><title>RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.</title><description><VulnDiscussion>To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity.
|
|
|
ff1465 |
|
|
|
ff1465 |
The task of allocating audit record storage capacity is usually performed during initial installation of RHEL 8.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001849</ident><fixtext fixref="F-33120r568175_fix">Allocate enough storage capacity for at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.
|
|
|
ff1465 |
|
|
|
ff1465 |
If audit records are stored on a partition made specifically for audit records, resize the partition with sufficient space to contain one week of audit records.
|
|
|
ff1465 |
|
|
|
ff1465 |
-If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient space will need be to be created.</fixtext><fix id="F-33120r568175_fix" /><check system="C-33145r568174_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.
|
|
|
ff1465 |
+If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient space will need be to be created.</fixtext><fix id="F-33120r568175_fix" /><check system="C-33145r809312_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify RHEL 8 allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.
|
|
|
ff1465 |
|
|
|
ff1465 |
Determine to which partition the audit records are being written with the following command:
|
|
|
ff1465 |
|
|
|
ff1465 |
-$ sudo grep log_file /etc/audit/auditd.conf
|
|
|
ff1465 |
+$ sudo grep -iw log_file /etc/audit/auditd.conf
|
|
|
ff1465 |
log_file = /var/log/audit/audit.log
|
|
|
ff1465 |
|
|
|
ff1465 |
Check the size of the partition to which audit records are written (with the example being /var/log/audit/) with the following command:
|
|
|
ff1465 |
@@ -5016,29 +4627,18 @@ $ sudo yum remove rsh-server</fixtext><fix id="F-33136r568223_fix" />
|
|
|
ff1465 |
|
|
|
ff1465 |
$ sudo yum list installed rsh-server
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the rsh-server package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-230493"><title>SRG-OS-000095-GPOS-00049</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230493r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040020</version><title>RHEL 8 must cover or disable the built-in or attached camera when not in use.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
|
|
ff1465 |
+If the rsh-server package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-230493"><title>SRG-OS-000095-GPOS-00049</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230493r809316_rule" weight="10.0" severity="medium"><version>RHEL-08-040020</version><title>RHEL 8 must cover or disable the built-in or attached camera when not in use.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
|
|
ff1465 |
|
|
|
ff1465 |
Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.
|
|
|
ff1465 |
|
|
|
ff1465 |
-Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-33137r568226_fix">Configure the operating system to disable the built-in or attached camera when not in use.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-First determine the driver being used by the camera with the following command:
|
|
|
ff1465 |
+Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-33137r809315_fix">Configure the operating system to disable the built-in or attached camera when not in use.
|
|
|
ff1465 |
|
|
|
ff1465 |
-$ sudo dmesg | grep -i video
|
|
|
ff1465 |
+Build or modify the "/etc/modprobe.d/blacklist.conf" file by using the following example:
|
|
|
ff1465 |
|
|
|
ff1465 |
-[ 44.630131] ACPI: Video Device [VGA]
|
|
|
ff1465 |
-[ 46.655714] input: Video Bus as /devices/LNXSYSTM:00/LNXSYBUS:00/LNXVIDEO:00/input/input7
|
|
|
ff1465 |
-[ 46.670133] videodev: Linux video capture interface: v2.00
|
|
|
ff1465 |
-[ 47.226424] uvcvideo: Found UVC 1.00 device WebCam (0402:7675)
|
|
|
ff1465 |
-[ 47.235752] usbcore: registered new interface driver uvcvideo
|
|
|
ff1465 |
-[ 47.235756] USB Video Class driver (1.1.1)
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Next, build or modify the "/etc/modprobe.d/blacklist.conf" file by using the following example:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-##Disable WebCam
|
|
|
ff1465 |
+install uvcvideo /bin/true
|
|
|
ff1465 |
blacklist uvcvideo
|
|
|
ff1465 |
|
|
|
ff1465 |
-Reboot the system for the settings to take effect.</fixtext><fix id="F-33137r568226_fix" /><check system="C-33162r568225_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>If the device or operating system does not have a camera installed, this requirement is not applicable.
|
|
|
ff1465 |
+Reboot the system for the settings to take effect.</fixtext><fix id="F-33137r809315_fix" /><check system="C-33162r809314_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>If the device or operating system does not have a camera installed, this requirement is not applicable.
|
|
|
ff1465 |
|
|
|
ff1465 |
This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -5050,24 +4650,21 @@ For a built-in camera, the camera must be protected by a camera cover (e.g., lap
|
|
|
ff1465 |
|
|
|
ff1465 |
If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:
|
|
|
ff1465 |
|
|
|
ff1465 |
-Determine if the camera is disabled via blacklist with the following command:
|
|
|
ff1465 |
+Verify the operating system disables the ability to load the uvcvideo kernel module.
|
|
|
ff1465 |
|
|
|
ff1465 |
-$ sudo grep blacklist /etc/modprobe.d/*
|
|
|
ff1465 |
+$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/true"
|
|
|
ff1465 |
|
|
|
ff1465 |
-/etc/modprobe.d/blacklist.conf:blacklist uvcvideo
|
|
|
ff1465 |
+install uvcvideo /bin/true
|
|
|
ff1465 |
|
|
|
ff1465 |
-Determine if a camera driver is in use with the following command:
|
|
|
ff1465 |
+If the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use, this is a finding.
|
|
|
ff1465 |
|
|
|
ff1465 |
-$ sudo dmesg | grep -i video
|
|
|
ff1465 |
+Verify the camera is disabled via blacklist with the following command:
|
|
|
ff1465 |
|
|
|
ff1465 |
-[ 44.630131] ACPI: Video Device [VGA]
|
|
|
ff1465 |
-[ 46.655714] input: Video Bus as /devices/LNXSYSTM:00/LNXSYBUS:00/LNXVIDEO:00/input/input7
|
|
|
ff1465 |
-[ 46.670133] videodev: Linux video capture interface: v2.00
|
|
|
ff1465 |
-[ 47.226424] uvcvideo: Found UVC 1.00 device WebCam (0402:7675)
|
|
|
ff1465 |
-[ 47.235752] usbcore: registered new interface driver uvcvideo
|
|
|
ff1465 |
-[ 47.235756] USB Video Class driver (1.1.1)
|
|
|
ff1465 |
+$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "blacklist"
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+blacklist uvcvideo
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the camera driver blacklist is missing, a camera driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding.</check-content></check></Rule></Group><Group id="V-230494"><title>SRG-OS-000095-GPOS-00049</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230494r792911_rule" weight="10.0" severity="low"><version>RHEL-08-040021</version><title>RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
|
|
ff1465 |
+If the command does not return any output or the output is not "blacklist uvcvideo", and the collaborative computing device has not been authorized for use, this is a finding.</check-content></check></Rule></Group><Group id="V-230494"><title>SRG-OS-000095-GPOS-00049</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230494r792911_rule" weight="10.0" severity="low"><version>RHEL-08-040021</version><title>RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.</title><description><VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
|
|
|
ff1465 |
|
|
|
ff1465 |
Failing to disconnect unused protocols can result in a system compromise.
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -5270,25 +4867,16 @@ autofs.service - Automounts filesystems on demand
|
|
|
ff1465 |
Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
|
|
|
ff1465 |
Active: inactive (dead)
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-230503"><title>SRG-OS-000114-GPOS-00059</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230503r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040080</version><title>RHEL 8 must be configured to disable USB mass storage.</title><description><VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.
|
|
|
ff1465 |
+If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-230503"><title>SRG-OS-000114-GPOS-00059</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230503r809319_rule" weight="10.0" severity="medium"><version>RHEL-08-040080</version><title>RHEL 8 must be configured to disable USB mass storage.</title><description><VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.
|
|
|
ff1465 |
|
|
|
ff1465 |
-Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000778</ident><fixtext fixref="F-33147r568256_fix">Configure the operating system to disable the ability to use the USB Storage kernel module.
|
|
|
ff1465 |
+Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000778</ident><fixtext fixref="F-33147r809318_fix">Configure the operating system to disable the ability to use the USB Storage kernel module and the ability to use USB mass storage devices.
|
|
|
ff1465 |
|
|
|
ff1465 |
-Create a file under "/etc/modprobe.d" with the following command:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo touch /etc/modprobe.d/usb-storage.conf
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Add the following line to the created file:
|
|
|
ff1465 |
+Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf":
|
|
|
ff1465 |
|
|
|
ff1465 |
install usb-storage /bin/true
|
|
|
ff1465 |
+blacklist usb-storage
|
|
|
ff1465 |
|
|
|
ff1465 |
-Configure the operating system to disable the ability to use USB mass storage devices.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo vi /etc/modprobe.d/blacklist.conf
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Add or update the line:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-blacklist usb-storage</fixtext><fix id="F-33147r568256_fix" /><check system="C-33172r568255_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system disables the ability to load the USB Storage kernel module.
|
|
|
ff1465 |
+Reboot the system for the settings to take effect.</fixtext><fix id="F-33147r809318_fix" /><check system="C-33172r809317_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system disables the ability to load the USB Storage kernel module.
|
|
|
ff1465 |
|
|
|
ff1465 |
$ sudo grep -r usb-storage /etc/modprobe.d/* | grep -i "/bin/true"
|
|
|
ff1465 |
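Review bot: The rewritten fixtext for RHEL-08-040080 now ends with `Reboot the system for the settings to take effect.`, but the check text after it still inspects only files under /etc/modprobe.d, so a host where usb-storage was loaded before the edit passes while the module stays usable until the reboot. An automated check derived from this entry should also confirm the module is not loaded, for example that `lsmod | grep -w usb_storage` prints nothing. The documented pipeline `grep -r usb-storage /etc/modprobe.d/* | grep -i "/bin/true"` also matches a commented-out line; anchoring the derived check on `^\s*install\s+usb-storage\s+/bin/true` avoids that. The check-content continues past the end of this hunk.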
|
|
|
ff1465 |
@@ -5304,19 +4892,28 @@ $ sudo grep usb-storage /etc/modprobe.d/* | grep -i "blacklist"
|
|
|
ff1465 |
|
|
|
ff1465 |
blacklist usb-storage
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the command does not return any output or the output is not "blacklist usb-storage", and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-230504"><title>SRG-OS-000297-GPOS-00115</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230504r627750_rule" weight="10.0" severity="medium"><version>RHEL-08-040090</version><title>A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.</title><description><VulnDiscussion>Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.
|
|
|
ff1465 |
+If the command does not return any output or the output is not "blacklist usb-storage" and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-230504"><title>SRG-OS-000297-GPOS-00115</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230504r809321_rule" weight="10.0" severity="medium"><version>RHEL-08-040090</version><title>A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.</title><description><VulnDiscussion>Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.
|
|
|
ff1465 |
|
|
|
ff1465 |
-RHEL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002314</ident><fixtext fixref="F-33148r568259_fix">Configure the "firewalld" daemon to employ a deny-all, allow-by-exception with the following commands:
|
|
|
ff1465 |
+RHEL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002314</ident><fixtext fixref="F-33148r809320_fix">Configure the "firewalld" daemon to employ a deny-all, allow-by-exception with the following commands:
|
|
|
ff1465 |
|
|
|
ff1465 |
$ sudo firewall-cmd --permanent --new-zone=[custom]
|
|
|
ff1465 |
|
|
|
ff1465 |
$ sudo cp /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/[custom].xml
|
|
|
ff1465 |
|
|
|
ff1465 |
-This will provide a clean configuration file to work with that employs a deny-all approach. Next, add the exceptions that are required for mission functionality.
|
|
|
ff1465 |
+This will provide a clean configuration file to work with that employs a deny-all approach. Note: Add the exceptions that are required for mission functionality and update the short title in the xml file to match the [custom] zone name.
|
|
|
ff1465 |
|
|
|
ff1465 |
+Reload the firewall rules to make the new [custom] zone available to load:
|
|
|
ff1465 |
+$ sudo firewall-cmd --reload
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Set the default zone to the new [custom] zone:
|
|
|
ff1465 |
$ sudo firewall-cmd --set-default-zone=[custom]
|
|
|
ff1465 |
|
|
|
ff1465 |
-Note: This is a runtime and permanent change.</fixtext><fix id="F-33148r568259_fix" /><check system="C-33173r568258_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:
|
|
|
ff1465 |
+Note: This is a runtime and permanent change.
|
|
|
ff1465 |
+Add any interfaces to the new [custom] zone:
|
|
|
ff1465 |
+$ sudo firewall-cmd --permanent --zone=[custom] --change-interface=ens33
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Reload the firewall rules for changes to take effect:
|
|
|
ff1465 |
+$ sudo firewall-cmd --reload</fixtext><fix id="F-33148r809320_fix" /><check system="C-33173r568258_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:
|
|
|
ff1465 |
|
|
|
ff1465 |
$ sudo firewall-cmd --state
|
|
|
ff1465 |
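Review bot: The added step `$ sudo firewall-cmd --permanent --zone=[custom] --change-interface=ens33` hard-codes one example interface name, while the rest of this fixtext uses the bracketed `[custom]` placeholder. Run verbatim on a host whose NIC has another name, it records a non-existent interface and leaves any interface explicitly bound to another zone where it was. A remediation built from this text should enumerate the host's real interfaces, and the wording would be clearer as `--change-interface=[interface]`. The required exceptions are mentioned only in the "Note:" sentence before `--set-default-zone=[custom]`; because the zone is a copy of drop.xml, they have to be in the file before the first `--reload`, or inbound management connections are dropped along with everything else.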
|
|
|
ff1465 |
@@ -6467,22 +6064,13 @@ $ sudo egrep "[+]?acl" /etc/aide.conf
|
|
|
ff1465 |
|
|
|
ff1465 |
VarFile = OwnerMode+n+l+X+acl
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.</check-content></check></Rule></Group><Group id="V-230553"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230553r646886_rule" weight="10.0" severity="medium"><version>RHEL-08-040320</version><title>The graphical display manager must not be installed on RHEL 8 unless approved.</title><description><VulnDiscussion>Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33197r646885_fix">Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure:
|
|
|
ff1465 |
+If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.</check-content></check></Rule></Group><Group id="V-230553"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-230553r809324_rule" weight="10.0" severity="medium"><version>RHEL-08-040320</version><title>The graphical display manager must not be installed on RHEL 8 unless approved.</title><description><VulnDiscussion>Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-33197r809323_fix">Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure:
|
|
|
ff1465 |
|
|
|
ff1465 |
Open an SSH session and enter the following commands:
|
|
|
ff1465 |
|
|
|
ff1465 |
-$ sudo systemctl set-default multi-user.target
|
|
|
ff1465 |
-
|
|
|
ff1465 |
$ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
|
|
|
ff1465 |
|
|
|
ff1465 |
-A reboot is required for the changes to take effect.</fixtext><fix id="F-33197r646885_fix" /><check system="C-33222r646884_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that the system is configured to boot to the command line:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ systemctl get-default
|
|
|
ff1465 |
-multi-user.target
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Verify that a graphical user interface is not installed:
|
|
|
ff1465 |
+A reboot is required for the changes to take effect.</fixtext><fix id="F-33197r809323_fix" /><check system="C-33222r809322_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that a graphical user interface is not installed:
|
|
|
ff1465 |
|
|
|
ff1465 |
$ rpm -qa | grep xorg | grep server
|
|
|
ff1465 |
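Review bot: With `$ sudo systemctl set-default multi-user.target` removed from the fixtext and the `systemctl get-default` step removed from the check, RHEL-08-040320 is now decided only by `rpm -qa | grep xorg | grep server`. A rule or remediation still mapped to this ID through the default-target test would no longer match the reference; the STIG ID should be carried by the package-removal check alone. That mapping is not visible in this hunk, so it needs confirming against the profile changes in the same commit. A host can keep graphical.target as its default after the packages are removed, so if booting to the command line is still wanted it now has to be required by a separate control.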
|
|
|
ff1465 |
@@ -6610,11 +6198,11 @@ $ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*
|
|
|
ff1465 |
|
|
|
ff1465 |
If the either of the following entries are returned, this is a finding:
|
|
|
ff1465 |
ALL ALL=(ALL) ALL
|
|
|
ff1465 |
-ALL ALL=(ALL:ALL) ALL</check-content></check></Rule></Group><Group id="V-237642"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-237642r646896_rule" weight="10.0" severity="medium"><version>RHEL-08-010383</version><title>RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".</title><description><VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
|
|
|
ff1465 |
+ALL ALL=(ALL:ALL) ALL</check-content></check></Rule></Group><Group id="V-237642"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-237642r809326_rule" weight="10.0" severity="medium"><version>RHEL-08-010383</version><title>RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".</title><description><VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
|
|
|
ff1465 |
For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002227</ident><fixtext fixref="F-40824r646895_fix">Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:
|
|
|
ff1465 |
Defaults !targetpw
|
|
|
ff1465 |
Defaults !rootpw
|
|
|
ff1465 |
-Defaults !runaspw</fixtext><fix id="F-40824r646895_fix" /><check system="C-40861r646894_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.
|
|
|
ff1465 |
+Defaults !runaspw</fixtext><fix id="F-40824r646895_fix" /><check system="C-40861r809325_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.
|
|
|
ff1465 |
|
|
|
ff1465 |
$ sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -6622,10 +6210,11 @@ $ sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | g
|
|
|
ff1465 |
/etc/sudoers:Defaults !rootpw
|
|
|
ff1465 |
/etc/sudoers:Defaults !runaspw
|
|
|
ff1465 |
|
|
|
ff1465 |
-If no results are returned, this is a finding
|
|
|
ff1465 |
+If no results are returned, this is a finding.
|
|
|
ff1465 |
+If results are returned from more than one file location, this is a finding.
|
|
|
ff1465 |
If "Defaults !targetpw" is not defined, this is a finding.
|
|
|
ff1465 |
If "Defaults !rootpw" is not defined, this is a finding.
|
|
|
ff1465 |
-If "Defaults !runaspw" is not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-237643"><title>SRG-OS-000373-GPOS-00156</title><description><GroupDescription></GroupDescription></description><Rule id="SV-237643r792980_rule" weight="10.0" severity="medium"><version>RHEL-08-010384</version><title>RHEL 8 must require re-authentication when using the "sudo" command.</title><description><VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
|
|
|
ff1465 |
+If "Defaults !runaspw" is not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-237643"><title>SRG-OS-000373-GPOS-00156</title><description><GroupDescription></GroupDescription></description><Rule id="SV-237643r809328_rule" weight="10.0" severity="medium"><version>RHEL-08-010384</version><title>RHEL 8 must require re-authentication when using the "sudo" command.</title><description><VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
|
|
|
ff1465 |
|
|
|
ff1465 |
When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command.
|
|
|
ff1465 |
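Review bot: The added sentence `If results are returned from more than one file location, this is a finding.` makes duplicate definitions across /etc/sudoers and /etc/sudoers.d/* a failure for RHEL-08-010383, and the next hunk adds the same sentence for RHEL-08-010384 (`timestamp_timeout`). A derived check that only tests for the presence of the Defaults lines would now pass systems the reference fails. The automated check should count the distinct files with uncommented matches and fail on more than one, e.g. by appending `| cut -d: -f1 | sort -u | wc -l` to the documented grep. The `timestamp_timeout` grep has no comment filter, so a commented example line in a second file would count as a second location unless the derived check skips lines starting with `#`. The check-content for RHEL-08-010384 begins outside its hunk.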
|
|
|
ff1465 |
@@ -6635,11 +6224,13 @@ $ sudo visudo
|
|
|
ff1465 |
|
|
|
ff1465 |
Add or modify the following line:
|
|
|
ff1465 |
Defaults timestamp_timeout=[value]
|
|
|
ff1465 |
-Note: The "[value]" must be a number that is greater than or equal to "0".</fixtext><fix id="F-40825r646898_fix" /><check system="C-40862r792979_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges.
|
|
|
ff1465 |
+Note: The "[value]" must be a number that is greater than or equal to "0".</fixtext><fix id="F-40825r646898_fix" /><check system="C-40862r809327_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges.
|
|
|
ff1465 |
|
|
|
ff1465 |
$ sudo grep -i 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/*
|
|
|
ff1465 |
/etc/sudoers:Defaults timestamp_timeout=0
|
|
|
ff1465 |
|
|
|
ff1465 |
+If results are returned from more than one file location, this is a finding.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-244519"><title>SRG-OS-000023-GPOS-00006</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244519r743806_rule" weight="10.0" severity="medium"><version>RHEL-08-010049</version><title>RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.</title><description><VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
|
|
|
ff1465 |
|
|
|
ff1465 |
System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
|
|
|
ff1465 |
@@ -6670,19 +6261,7 @@ $ sudo grep banner-message-enable /etc/dconf/db/local.d/*
|
|
|
ff1465 |
|
|
|
ff1465 |
banner-message-enable=true
|
|
|
ff1465 |
|
|
|
ff1465 |
-If "banner-message-enable" is set to "false" or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-244520"><title>SRG-OS-000073-GPOS-00041</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244520r743809_rule" weight="10.0" severity="medium"><version>RHEL-08-010131</version><title>The RHEL 8 system-auth file must be configured to use a sufficient number of hashing rounds.</title><description><VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000196</ident><fixtext fixref="F-47752r743808_fix">Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Edit/modify the following line in the "etc/pam.d/system-auth" file and set "rounds" to a value no lower than "5000":
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-password sufficient pam_unix.so sha512 rounds=5000</fixtext><fix id="F-47752r743808_fix" /><check system="C-47795r743807_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check that a minimum number of hash rounds is configured by running the following command:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-$ sudo grep rounds /etc/pam.d/system-auth
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-password sufficient pam_unix.so sha512 rounds=5000
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If "rounds" has a value below "5000", or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-244521"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244521r792982_rule" weight="10.0" severity="medium"><version>RHEL-08-010141</version><title>RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.</title><description><VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
|
|
|
ff1465 |
+If "banner-message-enable" is set to "false" or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-244521"><title>SRG-OS-000080-GPOS-00048</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244521r792982_rule" weight="10.0" severity="medium"><version>RHEL-08-010141</version><title>RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.</title><description><VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
|
|
|
ff1465 |
|
|
|
ff1465 |
The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-47753r743811_fix">Configure the system to have a unique name for the grub superusers account.
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -6730,21 +6309,21 @@ $ sudo grep sulogin-shell /usr/lib/systemd/system/emergency.service
|
|
|
ff1465 |
|
|
|
ff1465 |
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell emergency", commented out, or missing, this is a finding.</check-content></check></Rule></Group><Group id="V-244524"><title>SRG-OS-000120-GPOS-00061</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244524r743821_rule" weight="10.0" severity="medium"><version>RHEL-08-010159</version><title>The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.</title><description><VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
|
|
|
ff1465 |
+If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell emergency", commented out, or missing, this is a finding.</check-content></check></Rule></Group><Group id="V-244524"><title>SRG-OS-000120-GPOS-00061</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244524r809331_rule" weight="10.0" severity="medium"><version>RHEL-08-010159</version><title>The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.</title><description><VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
|
|
|
ff1465 |
|
|
|
ff1465 |
RHEL 8 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
|
|
|
ff1465 |
|
|
|
ff1465 |
-FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000803</ident><fixtext fixref="F-47756r743820_fix">Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
|
|
|
ff1465 |
+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000803</ident><fixtext fixref="F-47756r809330_fix">Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
|
|
|
ff1465 |
|
|
|
ff1465 |
Edit/modify the following line in the "/etc/pam.d/system-auth" file to include the sha512 option for pam_unix.so:
|
|
|
ff1465 |
|
|
|
ff1465 |
-password sufficient pam_unix.so sha512 rounds=5000</fixtext><fix id="F-47756r743820_fix" /><check system="C-47799r743819_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that pam_unix.so module is configured to use sha512.
|
|
|
ff1465 |
+password sufficient pam_unix.so sha512</fixtext><fix id="F-47756r809330_fix" /><check system="C-47799r809329_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that pam_unix.so module is configured to use sha512.
|
|
|
ff1465 |
|
|
|
ff1465 |
Check that pam_unix.so module is configured to use sha512 in /etc/pam.d/system-auth with the following command:
|
|
|
ff1465 |
|
|
|
ff1465 |
$ sudo grep password /etc/pam.d/system-auth | grep pam_unix
|
|
|
ff1465 |
|
|
|
ff1465 |
-password sufficient pam_unix.so sha512 rounds=5000
|
|
|
ff1465 |
+password sufficient pam_unix.so sha512
|
|
|
ff1465 |
|
|
|
ff1465 |
If "sha512" is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-244525"><title>SRG-OS-000163-GPOS-00072</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244525r743824_rule" weight="10.0" severity="medium"><version>RHEL-08-010201</version><title>The RHEL 8 SSH daemon must be configured with a timeout interval.</title><description><VulnDiscussion>Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
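Review bot: The expected `pam_unix.so` line for RHEL-08-010159 loses `rounds=5000` in both the fixtext and the sample grep output, while the finding condition stays `If "sha512" is missing, or is commented out`. After this update the rule text therefore says nothing about the hashing work factor. Any check or remediation in this repository that is mapped to RHEL-08-010159 and still writes or requires `rounds=` on the system-auth password line would no longer mirror V1R5; that content is not part of this hunk, so it should be confirmed in the same change. It is also worth confirming that the rounds requirement is still carried by another rule in the profile rather than silently dropped along with this edit.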
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -6769,7 +6348,7 @@ $ sudo grep -i clientalive /etc/ssh/sshd_config
|
|
|
ff1465 |
ClientAliveInterval 600
|
|
|
ff1465 |
ClientAliveCountMax 0
|
|
|
ff1465 |
|
|
|
ff1465 |
-If "ClientAliveInterval" does not exist, does not have a value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-244526"><title>SRG-OS-000250-GPOS-00093</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244526r743827_rule" weight="10.0" severity="medium"><version>RHEL-08-010287</version><title>The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.</title><description><VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
|
|
|
ff1465 |
+If "ClientAliveInterval" does not exist, does not have a value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-244526"><title>SRG-OS-000250-GPOS-00093</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244526r809334_rule" weight="10.0" severity="medium"><version>RHEL-08-010287</version><title>The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.</title><description><VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
|
|
|
ff1465 |
|
|
|
ff1465 |
Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -6777,17 +6356,17 @@ Cryptographic mechanisms used for protecting the integrity of information includ
|
|
|
ff1465 |
|
|
|
ff1465 |
RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory.
|
|
|
ff1465 |
|
|
|
ff1465 |
-Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-47758r743826_fix">Configure the RHEL 8 SSH daemon to use system-wide crypto policies by adding the following line to /etc/sysconfig/sshd:
|
|
|
ff1465 |
+Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-47758r809333_fix">Configure the RHEL 8 SSH daemon to use system-wide crypto policies by adding the following line to /etc/sysconfig/sshd:
|
|
|
ff1465 |
|
|
|
ff1465 |
-# crypto_policy=
|
|
|
ff1465 |
+# CRYPTO_POLICY=
|
|
|
ff1465 |
|
|
|
ff1465 |
-A reboot is required for the changes to take effect.</fixtext><fix id="F-47758r743826_fix" /><check system="C-47801r743825_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that system-wide crypto policies are in effect:
|
|
|
ff1465 |
+A reboot is required for the changes to take effect.</fixtext><fix id="F-47758r809333_fix" /><check system="C-47801r809332_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that system-wide crypto policies are in effect:
|
|
|
ff1465 |
|
|
|
ff1465 |
-$ sudo grep -i crypto_policy /etc/sysconfig/sshd
|
|
|
ff1465 |
+$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd
|
|
|
ff1465 |
|
|
|
ff1465 |
-# crypto_policy=
|
|
|
ff1465 |
+# CRYPTO_POLICY=
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the "crypto_policy" is uncommented, this is a finding.</check-content></check></Rule></Group><Group id="V-244527"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244527r743830_rule" weight="10.0" severity="low"><version>RHEL-08-010472</version><title>RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.</title><description><VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.
|
|
|
ff1465 |
+If the "CRYPTO_POLICY " is uncommented, this is a finding.</check-content></check></Rule></Group><Group id="V-244527"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244527r743830_rule" weight="10.0" severity="low"><version>RHEL-08-010472</version><title>RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.</title><description><VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.
|
|
|
ff1465 |
|
|
|
ff1465 |
The rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47759r743829_fix">Install the packages required to enabled the hardware random number generator entropy gatherer service with the following command:
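Review bot: The new finding sentence quotes the variable as `"CRYPTO_POLICY "`, with a space before the closing quote, while the other added lines in this hunk write `CRYPTO_POLICY` without it. The commit message describes this as a manually edited patch, so the line is worth comparing against the published V1R5 XML. If the space is DISA's it stays as published; otherwise the line should read `If the "CRYPTO_POLICY" is uncommented, this is a finding.`. The check command also drops `-i`, so only the upper-case name is matched; project checks for RHEL-08-010287 that still match case-insensitively may report lines that the V1R5 check ignores.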
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -6819,13 +6398,13 @@ $ sudo grep /var/tmp /etc/fstab
|
|
|
ff1465 |
|
|
|
ff1465 |
UUID=c274f65f /var/tmp xfs noatime,nobarrier 1 2
|
|
|
ff1465 |
|
|
|
ff1465 |
-If a separate entry for "/var/tmp" is not in use, this is a finding.</check-content></check></Rule></Group><Group id="V-244530"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244530r743839_rule" weight="10.0" severity="medium"><version>RHEL-08-010572</version><title>RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.</title><description><VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47762r743838_fix">Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.</fixtext><fix id="F-47762r743838_fix" /><check system="C-47805r743837_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>For systems that use BIOS, this is Not Applicable.
|
|
|
ff1465 |
+If a separate entry for "/var/tmp" is not in use, this is a finding.</check-content></check></Rule></Group><Group id="V-244530"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244530r809336_rule" weight="10.0" severity="medium"><version>RHEL-08-010572</version><title>RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.</title><description><VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47762r743838_fix">Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.</fixtext><fix id="F-47762r743838_fix" /><check system="C-47805r809335_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>For systems that use BIOS, this is Not Applicable.
|
|
|
ff1465 |
|
|
|
ff1465 |
Verify the /boot/efi directory is mounted with the "nosuid" option with the following command:
|
|
|
ff1465 |
|
|
|
ff1465 |
$ sudo mount | grep '\s/boot/efi\s'
|
|
|
ff1465 |
|
|
|
ff1465 |
-/dev/sda1 on /boot/efi type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota)
|
|
|
ff1465 |
+/dev/sda1 on /boot/efi type vfat (rw,nosuid,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro)
|
|
|
ff1465 |
|
|
|
ff1465 |
If the /boot/efi file system does not have the "nosuid" option set, this is a finding.</check-content></check></Rule></Group><Group id="V-244531"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244531r743842_rule" weight="10.0" severity="medium"><version>RHEL-08-010731</version><title>All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.</title><description><VulnDiscussion>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-47763r743841_fix">Set the mode on files and directories in the local interactive user home directory with the following command:
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -7114,7 +6693,7 @@ fapolicyd.service - File Access Policy Daemon
|
|
|
ff1465 |
Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)
|
|
|
ff1465 |
Active: active (running)
|
|
|
ff1465 |
|
|
|
ff1465 |
-If fapolicyd is not enabled and running, this is a finding.</check-content></check></Rule></Group><Group id="V-244546"><title>SRG-OS-000368-GPOS-00154</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244546r743887_rule" weight="10.0" severity="medium"><version>RHEL-08-040137</version><title>The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.</title><description><VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
|
|
|
ff1465 |
+If fapolicyd is not enabled and running, this is a finding.</check-content></check></Rule></Group><Group id="V-244546"><title>SRG-OS-000368-GPOS-00154</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244546r809339_rule" weight="10.0" severity="medium"><version>RHEL-08-040137</version><title>The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.</title><description><VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
|
|
|
ff1465 |
|
|
|
ff1465 |
Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -7124,11 +6703,7 @@ RHEL 8 ships with many optional packages. One such package is a file access poli
|
|
|
ff1465 |
|
|
|
ff1465 |
Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers.
|
|
|
ff1465 |
|
|
|
ff1465 |
-Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001764</ident><fixtext fixref="F-47778r743886_fix">Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with "fapolicyd" using the following command:
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-Note: Running this command requires a root shell
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-# mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts
|
|
|
ff1465 |
+Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001764</ident><fixtext fixref="F-47778r809338_fix">Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with "fapolicyd".
|
|
|
ff1465 |
|
|
|
ff1465 |
With the "fapolicyd" installed and enabled, configure the daemon to function in permissive mode until the whitelist is built correctly to avoid system lockout. Do this by editing the "/etc/fapolicyd/fapolicyd.conf" file with the following line:
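Review bot: The fixtext for RHEL-08-040137 no longer tells the administrator to populate `/etc/fapolicyd/fapolicyd.mounts`, and the later hunk at `@@ -7154,18 +6729,7 @@` removes the matching `cat /etc/fapolicyd/fapolicyd.mounts` check. The sentence changed at `@@ -7146,7 +6721,7 @@` still says the deny-all policy is checked "on system mounts", which no longer matches. After this update the check rests on `permissive = 0` and on the tail of `/etc/fapolicyd/fapolicyd.rules` ending in `deny perm=any all : all`. Content in this repository mapped to this rule that still generates or inspects the mounts file would go beyond V1R5 and should be reviewed alongside this reference update; that content is not visible in these hunks.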
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -7138,7 +6713,7 @@ Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the la
|
|
|
ff1465 |
|
|
|
ff1465 |
Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file.
|
|
|
ff1465 |
|
|
|
ff1465 |
-permissive = 0</fixtext><fix id="F-47778r743886_fix" /><check system="C-47821r743885_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the RHEL 8 "fapolicyd" employs a deny-all, permit-by-exception policy.
|
|
|
ff1465 |
+permissive = 0</fixtext><fix id="F-47778r809338_fix" /><check system="C-47821r809337_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the RHEL 8 "fapolicyd" employs a deny-all, permit-by-exception policy.
|
|
|
ff1465 |
|
|
|
ff1465 |
Check that "fapolicyd" is in enforcement mode with the following command:
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -7146,7 +6721,7 @@ $ sudo grep permissive /etc/fapolicyd/fapolicyd.conf
|
|
|
ff1465 |
|
|
|
ff1465 |
permissive = 0
|
|
|
ff1465 |
|
|
|
ff1465 |
-Check that fapolicyd employs a deny-all policy on system mounts with the following commands:
|
|
|
ff1465 |
+Check that fapolicyd employs a deny-all policy on system mounts with the following command:
|
|
|
ff1465 |
|
|
|
ff1465 |
$ sudo tail /etc/fapolicyd/fapolicyd.rules
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -7154,18 +6729,7 @@ allow exe=/usr/bin/python3.7 : ftype=text/x-python
|
|
|
ff1465 |
deny_audit perm=any pattern=ld_so : all
|
|
|
ff1465 |
deny perm=any all : all
|
|
|
ff1465 |
|
|
|
ff1465 |
-$ sudo cat /etc/fapolicyd/fapolicyd.mounts
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-/dev/shm
|
|
|
ff1465 |
-/run
|
|
|
ff1465 |
-/sys/fs/cgroup
|
|
|
ff1465 |
-/
|
|
|
ff1465 |
-/home
|
|
|
ff1465 |
-/boot
|
|
|
ff1465 |
-/run/user/42
|
|
|
ff1465 |
-/run/user/1000
|
|
|
ff1465 |
-
|
|
|
ff1465 |
-If fapolicyd is not running in enforcement mode on all system mounts with a deny-all, permit-by-exception policy, this is a finding.</check-content></check></Rule></Group><Group id="V-244547"><title>SRG-OS-000378-GPOS-00163</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244547r743890_rule" weight="10.0" severity="medium"><version>RHEL-08-040139</version><title>RHEL 8 must have the USBGuard installed.</title><description><VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
|
|
|
ff1465 |
+If fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy, this is a finding.</check-content></check></Rule></Group><Group id="V-244547"><title>SRG-OS-000378-GPOS-00163</title><description><GroupDescription></GroupDescription></description><Rule id="SV-244547r743890_rule" weight="10.0" severity="medium"><version>RHEL-08-040139</version><title>RHEL 8 must have the USBGuard installed.</title><description><VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
|
|
|
ff1465 |
Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
|
|
|
ff1465 |
A new feature that RHEL 8 provides is the USBGuard software framework. The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in the usbguard-rules.conf file. The policy and the authorization state of USB devices can be modified during runtime using the usbguard tool.
|
|
|
ff1465 |
|
|
|
ff1465 |
@@ -7511,4 +7075,201 @@ $ sudo grep -r net.ipv4.conf.all.forwarding /etc/sysctl.d/*.conf
|
|
|
ff1465 |
|
|
|
ff1465 |
If "net.ipv4.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding.
|
|
|
ff1465 |
|
|
|
ff1465 |
-If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group></Benchmark>
|
|
|
ff1465 |
\ No newline at end of file
|
|
|
ff1465 |
+If the configuration file does not begin with "99-", this is a finding.</check-content></check></Rule></Group><Group id="V-251706"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251706r809342_rule" weight="10.0" severity="high"><version>RHEL-08-010121</version><title>The RHEL 8 operating system must not have accounts configured with blank or null passwords.</title><description><VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-55097r809341_fix">Configure all accounts on the system to have a password or lock the account with the following commands:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Perform a password reset:
|
|
|
ff1465 |
+$ sudo passwd [username]
|
|
|
ff1465 |
+Lock an account:
|
|
|
ff1465 |
+$ sudo passwd -l [username]</fixtext><fix id="F-55097r809341_fix" /><check system="C-55143r809340_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Check the "/etc/shadow" file for blank passwords with the following command:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo awk -F: '!$2 {print $1}' /etc/shadow
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If the command returns any results, this is a finding.</check-content></check></Rule></Group><Group id="V-251707"><title>SRG-OS-000259-GPOS-00100</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251707r809345_rule" weight="10.0" severity="medium"><version>RHEL-08-010331</version><title>RHEL 8 library directories must have mode 755 or less permissive.</title><description><VulnDiscussion>If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001499</ident><fixtext fixref="F-55098r809344_fix">Configure the library directories to be protected from unauthorized access. Run the following command, replacing "[DIRECTORY]" with any library directory with a mode more permissive than 755.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo chmod 755 [DIRECTORY]</fixtext><fix id="F-55098r809344_fix" /><check system="C-55144r809343_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the system-wide shared library directories within "/lib", "/lib64", "/usr/lib" and "/usr/lib64" have mode "755" or less permissive with the following command:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec stat -c "%n %a" '{}' \;
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If any system-wide shared library directories are found to be group-writable or world-writable, this is a finding.</check-content></check></Rule></Group><Group id="V-251708"><title>SRG-OS-000259-GPOS-00100</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251708r810012_rule" weight="10.0" severity="medium"><version>RHEL-08-010341</version><title>RHEL 8 library directories must be owned by root.</title><description><VulnDiscussion>If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001499</ident><fixtext fixref="F-55099r809347_fix">Configure the system-wide shared library directories within (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Run the following command, replacing "[DIRECTORY]" with any library directory not owned by "root".
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo chown root [DIRECTORY]</fixtext><fix id="F-55099r809347_fix" /><check system="C-55145r810011_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the system-wide shared library directories are owned by "root" with the following command:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \;
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If any system-wide shared library directory is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-251709"><title>SRG-OS-000259-GPOS-00100</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251709r810014_rule" weight="10.0" severity="medium"><version>RHEL-08-010351</version><title>RHEL 8 library directories must be group-owned by root or a system account.</title><description><VulnDiscussion>If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+This requirement applies to RHEL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001499</ident><fixtext fixref="F-55100r809350_fix">Configure the system-wide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Run the following command, replacing "[DIRECTORY]" with any library directory not group-owned by "root".
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo chgrp root [DIRECTORY]</fixtext><fix id="F-55100r809350_fix" /><check system="C-55146r810013_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the system-wide shared library directories are group-owned by "root" with the following command:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \;
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If any system-wide shared library directory is returned and is not group-owned by a required system account, this is a finding.</check-content></check></Rule></Group><Group id="V-251710"><title>SRG-OS-000445-GPOS-00199</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251710r809354_rule" weight="10.0" severity="medium"><version>RHEL-08-010359</version><title>The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions.</title><description><VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+This requirement applies to the RHEL 8 operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002696</ident><fixtext fixref="F-55101r809353_fix">Install the AIDE package by running the following command:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo yum install aide</fixtext><fix id="F-55101r809353_fix" /><check system="C-55147r809352_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Check that the AIDE package is installed with the following command:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo rpm -q aide
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+aide-0.16-14.el8.x86_64
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If there is no application installed to perform integrity checks, this is a finding.</check-content></check></Rule></Group><Group id="V-251711"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251711r810015_rule" weight="10.0" severity="medium"><version>RHEL-08-010379</version><title>RHEL 8 must specify the default "include" directory for the /etc/sudoers file.</title><description><VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-55102r809356_fix">Configure the /etc/sudoers file to only include the /etc/sudoers.d directory.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Edit the /etc/sudoers file with the following command:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo visudo
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Add or modify the following line:
|
|
|
ff1465 |
+#includedir /etc/sudoers.d</fixtext><fix id="F-55102r809356_fix" /><check system="C-55148r809355_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo grep include /etc/sudoers
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+#includedir /etc/sudoers.d
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If the results are not "/etc/sudoers.d" or additional files or directories are specified, this is a finding.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Verify the operating system does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo grep include /etc/sudoers.d/*
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-251712"><title>SRG-OS-000373-GPOS-00156</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251712r810017_rule" weight="10.0" severity="medium"><version>RHEL-08-010385</version><title>The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.</title><description><VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002038</ident><fixtext fixref="F-55103r810016_fix">Configure the operating system to require users to supply a password for privilege escalation.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Check the configuration of the "/etc/ pam.d/sudo" file with the following command:
|
|
|
ff1465 |
+$ sudo vi /etc/pam.d/sudo
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Remove any occurrences of "pam_succeed_if" in the file.</fixtext><fix id="F-55103r810016_fix" /><check system="C-55149r809358_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is not be configured to bypass password requirements for privilege escalation.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Check the configuration of the "/etc/pam.d/sudo" file with the following command:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo grep pam_succeed_if /etc/pam.d/sudo
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.</check-content></check></Rule></Group><Group id="V-251713"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251713r810407_rule" weight="10.0" severity="medium"><version>RHEL-08-020101</version><title>RHEL 8 must ensure the password complexity module is enabled in the system-auth file.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is set in both:
|
|
|
ff1465 |
+/etc/pam.d/password-auth
|
|
|
ff1465 |
+/etc/pam.d/system-auth</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-55104r810406_fix">Configure the operating system to use "pwquality" to enforce password complexity rules.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Add the following line to the "/etc/pam.d/system-auth" file(or modify the line to have the required value):
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+password required pam_pwquality.so</fixtext><fix id="F-55104r810406_fix" /><check system="C-55150r810405_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system uses "pwquality" to enforce the password complexity rules.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Check for the use of "pwquality" in the system-auth file with the following command:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo cat /etc/pam.d/system-auth | grep pam_pwquality
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+password required pam_pwquality.so
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-251714"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251714r810410_rule" weight="10.0" severity="medium"><version>RHEL-08-020102</version><title>RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is set in both:
|
|
|
ff1465 |
+/etc/pam.d/password-auth
|
|
|
ff1465 |
+/etc/pam.d/system-auth
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-55105r810408_fix">Configure the operating system to limit the "pwquality" retry option to 3.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Add the following line to the "/etc/pam.d/system-auth" file (or modify the line to have the required value):
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+password required pam_pwquality.so retry=3</fixtext><fix id="F-55105r810408_fix" /><check system="C-55151r810409_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: This requirement applies to RHEL versions 8.0 through 8.3. If the system is RHEL version 8.4 or newer, this requirement is not applicable.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Verify the operating system is configured to limit the "pwquality" retry option to 3.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Check for the use of the "pwquality" retry option in the system-auth file with the following command:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo cat /etc/pam.d/system-auth | grep pam_pwquality
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+password required pam_pwquality.so retry=3
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If the value of "retry" is set to "0" or greater than "3", this is a finding.</check-content></check></Rule></Group><Group id="V-251715"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251715r810412_rule" weight="10.0" severity="medium"><version>RHEL-08-020103</version><title>RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+RHEL 8 uses "pwquality" as a mechanism to enforce password complexity. This is set in both:
|
|
|
ff1465 |
+/etc/pam.d/password-auth
|
|
|
ff1465 |
+/etc/pam.d/system-auth
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-55106r810411_fix">Configure the operating system to limit the "pwquality" retry option to 3.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value):
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+password required pam_pwquality.so retry=3</fixtext><fix id="F-55106r810411_fix" /><check system="C-55152r809367_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: This requirement applies to RHEL versions 8.0 through 8.3. If the system is RHEL version 8.4 or newer, this requirement is not applicable.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Verify the operating system is configured to limit the "pwquality" retry option to 3.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Check for the use of the "pwquality" retry option in the password-auth file with the following command:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo cat /etc/pam.d/password-auth | grep pam_pwquality
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+password required pam_pwquality.so retry=3
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If the value of "retry" is set to "0" or greater than "3", this is a finding.</check-content></check></Rule></Group><Group id="V-251716"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251716r809372_rule" weight="10.0" severity="medium"><version>RHEL-08-020104</version><title>RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.</title><description><VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both:
|
|
|
ff1465 |
+/etc/pam.d/password-auth
|
|
|
ff1465 |
+/etc/pam.d/system-auth
|
|
|
ff1465 |
+By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-55107r809371_fix">Configure the operating system to limit the "pwquality" retry option to 3.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Add the following line to the "/etc/security/pwquality.conf" file(or modify the line to have the required value):
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+retry = 3</fixtext><fix id="F-55107r809371_fix" /><check system="C-55153r809370_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Verify the operating system is configured to limit the "pwquality" retry option to 3.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Check for the use of the "pwquality" retry option with the following command:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo grep retry /etc/security/pwquality.conf
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+retry = 3
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If the value of "retry" is set to "0" or greater than "3", is commented out or missing, this is a finding.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Check for the use of the "pwquality" retry option in the system-auth and password-auth files with the following command:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo grep retry /etc/pam.d/system-auth /etc/pam.d/password-auth
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If the command returns any results, this is a finding.</check-content></check></Rule></Group><Group id="V-251717"><title>SRG-OS-000077-GPOS-00045</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251717r810415_rule" weight="10.0" severity="medium"><version>RHEL-08-020221</version><title>RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.</title><description><VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+RHEL 8 uses "pwhistory" consecutively as a mechanism to prohibit password reuse. This is set in both:
|
|
|
ff1465 |
+/etc/pam.d/password-auth
|
|
|
ff1465 |
+/etc/pam.d/system-auth.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Note that manual changes to the listed files may be overwritten by the "authselect" program.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000200</ident><fixtext fixref="F-55108r809374_fix">Configure the operating system in the system-auth file to prohibit password reuse for a minimum of five generations.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Add the following line in "/etc/pam.d/system-auth" (or modify the line to have the required value):
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+password required pam_pwhistory.so use_authtok remember=5 retry=3</fixtext><fix id="F-55108r809374_fix" /><check system="C-55154r809373_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify the operating system is configured in the system-auth file to prohibit password reuse for a minimum of five generations.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Check for the value of the "remember" argument in "/etc/pam.d/password-auth" with the following command:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo grep -i remember /etc/pam.d/password-auth
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+password required pam_pwhistory.so use_authtok remember=5 retry=3
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.</check-content></check></Rule></Group><Group id="V-251718"><title>SRG-OS-000480-GPOS-00227</title><description><GroupDescription></GroupDescription></description><Rule id="SV-251718r809378_rule" weight="10.0" severity="medium"><version>RHEL-08-040321</version><title>The graphical display manager must not be the default target on RHEL 8 unless approved.</title><description><VulnDiscussion>Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 8</dc:subject><dc:identifier>2921</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-55109r809377_fix">Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+Open an SSH session and enter the following commands:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ sudo systemctl set-default multi-user.target
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+A reboot is required for the changes to take effect.</fixtext><fix id="F-55109r809377_fix" /><check system="C-55155r809376_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" /><check-content>Verify that the system is configured to boot to the command line:
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+$ systemctl get-default
|
|
|
ff1465 |
+multi-user.target
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+If the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.</check-content></check></Rule></Group></Benchmark>
|
|
|
ff1465 |
\ No newline at end of file
|
|
|
ff1465 |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
ff1465 |
index c2522c9..b9eeff5 100644
|
|
|
ff1465 |
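--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -1,6 +1,6 @@
 description: 'This profile contains configuration checks that align to the
 
- DISA STIG for Red Hat Enterprise Linux 8 V1R3.
+ DISA STIG for Red Hat Enterprise Linux 8 V1R5.
 
 
 In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes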
ff1465 |
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
ff1465 |
index 95d87fd..54bf46d 100644
|
|
|
ff1465 |
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
ff1465 |
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
ff1465 |
@@ -1,6 +1,6 @@
|
|
|
ff1465 |
description: 'This profile contains configuration checks that align to the
|
|
|
ff1465 |
|
|
|
ff1465 |
- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R3.
|
|
|
ff1465 |
+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R5.
|
|
|
ff1465 |
|
|
|
ff1465 |
|
|
|
ff1465 |
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
|