From 147ad40e23d8bd1c839baa001105c659e732c7cd Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 21 Sep 2020 15:30:47 +0200
Subject: [PATCH 1/4] Fix severity of RHEL 7 STIG rules.
---
rhel7/profiles/stig.profile | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index b820d30608..57e88de210 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -104,6 +104,7 @@ selections:
- grub2_password
- require_singleuser_auth
- grub2_uefi_password
+ - grub2_uefi_password.severity=high
- smartcard_auth
- package_rsh-server_removed
- package_ypserv_removed
@@ -157,6 +158,7 @@ selections:
- grub2_enable_fips_mode
- aide_verify_acls
- aide_verify_ext_attributes
+ - aide_verify_ext_attributes.severity=low
- aide_use_fips_hashes
- grub2_no_removeable_media
- uefi_no_removeable_media
@@ -297,6 +299,9 @@ selections:
- sysctl_net_ipv4_conf_all_accept_redirects
- wireless_disable_interfaces
- mount_option_dev_shm_nodev
+ - mount_option_dev_shm_nodev.severity=low
- mount_option_dev_shm_noexec
+ - mount_option_dev_shm_noexec.severity=low
- mount_option_dev_shm_nosuid
+ - mount_option_dev_shm_nosuid.severity=low
- audit_rules_privileged_commands_mount
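Review bot: Every `.severity=` refinement this hunk adds to stig.profile (and the two more that PATCH 2/4 adds after `accounts_logon_fail_delay` and `package_vsftpd_removed`) is deleted again in PATCH 4/4, whose index line for the profile ends at b820d30608, the same blob PATCH 1/4 starts from, so the profile is a no-op across the series. A bisect landing on patches 1–3 would see the STIG rating for a rule such as `mount_option_dev_shm_noexec` differ from what the rule itself declares, which makes scan results from intermediate commits hard to compare. Consider squashing the four patches so only the rule-level `severity:` changes from PATCH 4/4 land and stig.profile is left untouched.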
From 1e6ae626c138106ec8884f0863b09d0e628ae68f Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 21 Sep 2020 15:44:44 +0200
Subject: [PATCH 2/4] Revert severity of some rules and refine on a profile
basis.
These rules' severities had previously been mapped from NIST 800-53, and
we should keep them as they were and refine them as needed at the profile
level.
---
.../ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml | 2 +-
.../accounts-session/accounts_logon_fail_delay/rule.yml | 2 +-
rhel7/profiles/stig.profile | 2 ++
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
index 95e11e5787..2ead6f7896 100644
--- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
+++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
@@ -10,7 +10,7 @@ rationale: |-
Removing the <tt>vsftpd</tt> package decreases the risk of its
accidental activation.
-severity: high
+severity: low
identifiers:
cce@rhel6: CCE-26687-4
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
index 08f81100f4..bb7c17108a 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
@@ -11,7 +11,7 @@ rationale: |-
Increasing the time between a failed authentication attempt and re-prompting to
enter credentials helps to slow a single-threaded brute force attack.
-severity: medium
+severity: low
identifiers:
cce@rhel7: CCE-80352-8
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 57e88de210..f3f94a66ba 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -97,6 +97,7 @@ selections:
- sudo_remove_nopasswd
- sudo_remove_no_authenticate
- accounts_logon_fail_delay
+ - accounts_logon_fail_delay.severity=medium
- gnome_gdm_disable_automatic_login
- gnome_gdm_disable_guest_login
- sshd_do_not_permit_user_env
@@ -274,6 +275,7 @@ selections:
- network_sniffer_disabled
- postfix_prevent_unrestricted_relay
- package_vsftpd_removed
+ - package_vsftpd_removed.severity=high
- package_tftp-server_removed
- sshd_enable_x11_forwarding
- tftpd_uses_secure_mode
From 4dcb7e0cfe8a59f7490e4eb4da18acc3a96e06a5 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 2 Oct 2020 17:18:19 +0200
Subject: [PATCH 3/4] Revert to previous severity since what's in the STIG
takes precedence.
---
.../ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml | 2 +-
.../accounts-session/accounts_logon_fail_delay/rule.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
index 2ead6f7896..95e11e5787 100644
--- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
+++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
@@ -10,7 +10,7 @@ rationale: |-
Removing the <tt>vsftpd</tt> package decreases the risk of its
accidental activation.
-severity: low
+severity: high
identifiers:
cce@rhel6: CCE-26687-4
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
index bb7c17108a..08f81100f4 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
@@ -11,7 +11,7 @@ rationale: |-
Increasing the time between a failed authentication attempt and re-prompting to
enter credentials helps to slow a single-threaded brute force attack.
-severity: low
+severity: medium
identifiers:
cce@rhel7: CCE-80352-8
From 0da43ce6d4758a540ba3276a8c51819be643f709 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 2 Oct 2020 17:38:03 +0200
Subject: [PATCH 4/4] Remove severity refinement from profile and change on a
rule level.
---
.../system/bootloader-grub2/grub2_uefi_password/rule.yml | 2 +-
.../partitions/mount_option_dev_shm_nodev/rule.yml | 2 +-
.../partitions/mount_option_dev_shm_noexec/rule.yml | 2 +-
.../partitions/mount_option_dev_shm_nosuid/rule.yml | 2 +-
.../aide/aide_verify_ext_attributes/rule.yml | 2 +-
rhel7/profiles/stig.profile | 7 -------
6 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
index e07094177b..0184c601a0 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
@@ -24,7 +24,7 @@ rationale: |-
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode.
-severity: medium
+severity: high
identifiers:
cce@rhel7: CCE-80354-4
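Review bot: Changing `severity:` in rule.yml raises or lowers the rating for every product and profile that selects the rule, because these files live under the shared linux_os/guide tree, not only for the RHEL 7 STIG that PATCH 3/4 says takes precedence; the same applies to the four other rule.yml hunks in this patch (the three mount_option_dev_shm_* rules and aide_verify_ext_attributes). PATCH 2/4's description says some of these ratings came from NIST 800-53 mappings, so profiles built on that mapping now inherit the STIG value without any trace in their own definition. The commit message should state that the change is deliberately global and which STIG category each new value corresponds to, so the next person comparing `rationale:` text against the rating can see why a medium rule became low or high. If the intent is STIG-only, the profile-level `rule.severity=` refinement that this patch removes is the narrower tool.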
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
index 4f01edeebc..4a06fd5f2f 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
@@ -14,7 +14,7 @@ rationale: |-
{{{ complete_ocil_entry_mount_option("/dev/shm", "nodev") }}}
-severity: medium
+severity: low
identifiers:
cce@rhel6: CCE-26778-1
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
index 0074e898c6..eaab02ff6d 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
@@ -17,7 +17,7 @@ rationale: |-
{{{ complete_ocil_entry_mount_option("/dev/shm", "noexec") }}}
-severity: medium
+severity: low
identifiers:
cce@rhel6: CCE-26622-1
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
index e0eabc2a9e..3771bf2451 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
@@ -14,7 +14,7 @@ rationale: |-
{{{ complete_ocil_entry_mount_option("/dev/shm", "nosuid") }}}
-severity: medium
+severity: low
identifiers:
cce@rhel6: CCE-26486-1
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
index 9dba1deca5..2e81a270c5 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
@@ -17,7 +17,7 @@ rationale: |-
Extended attributes in file systems are used to contain arbitrary data and file metadata
with security implications.
-severity: medium
+severity: low
identifiers:
cce@rhel7: CCE-80376-7
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index f3f94a66ba..b820d30608 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -97,7 +97,6 @@ selections:
- sudo_remove_nopasswd
- sudo_remove_no_authenticate
- accounts_logon_fail_delay
- - accounts_logon_fail_delay.severity=medium
- gnome_gdm_disable_automatic_login
- gnome_gdm_disable_guest_login
- sshd_do_not_permit_user_env
@@ -105,7 +104,6 @@ selections:
- grub2_password
- require_singleuser_auth
- grub2_uefi_password
- - grub2_uefi_password.severity=high
- smartcard_auth
- package_rsh-server_removed
- package_ypserv_removed
@@ -159,7 +157,6 @@ selections:
- grub2_enable_fips_mode
- aide_verify_acls
- aide_verify_ext_attributes
- - aide_verify_ext_attributes.severity=low
- aide_use_fips_hashes
- grub2_no_removeable_media
- uefi_no_removeable_media
@@ -275,7 +272,6 @@ selections:
- network_sniffer_disabled
- postfix_prevent_unrestricted_relay
- package_vsftpd_removed
- - package_vsftpd_removed.severity=high
- package_tftp-server_removed
- sshd_enable_x11_forwarding
- tftpd_uses_secure_mode
@@ -301,9 +297,6 @@ selections:
- sysctl_net_ipv4_conf_all_accept_redirects
- wireless_disable_interfaces
- mount_option_dev_shm_nodev
- - mount_option_dev_shm_nodev.severity=low
- mount_option_dev_shm_noexec
- - mount_option_dev_shm_noexec.severity=low
- mount_option_dev_shm_nosuid
- - mount_option_dev_shm_nosuid.severity=low
- audit_rules_privileged_commands_mount