diff --git a/SOURCES/add-include-remediation-back-to-sudo_require_reauthentication.patch b/SOURCES/add-include-remediation-back-to-sudo_require_reauthentication.patch
new file mode 100644
index 0000000..b849532
--- /dev/null
+++ b/SOURCES/add-include-remediation-back-to-sudo_require_reauthentication.patch
@@ -0,0 +1,19 @@
+commit 661a195d94f1b5b97325ce5e92144e2766e477fa
+Author: Gabriel Becker
+Date: Fri Feb 25 17:19:26 2022 +0100
+
+ Downstream RHEL7 patch only to add include remediations functions.
+
+diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
+index 0b623ed4..e0b1c56a 100644
+--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
++++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
+@@ -4,6 +4,8 @@
+ # complexity = low
+ # disruption = low
+ 
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
+ 
+ {{{ bash_instantiate_variables("var_sudo_timestamp_timeout") }}}
+ 
diff --git a/SOURCES/scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch b/SOURCES/scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch
new file mode 100644
index 0000000..02de6b2
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch
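Review bot: The added `. /usr/share/scap-security-guide/remediation_functions` sources a library from a fixed path without checking that it is present, so when the rendered remediation runs somewhere that package file is absent (for instance a fix script exported with `oscap xccdf generate fix` and carried to another host) the `.` fails and the helpers the rest of shared.sh presumably relies on are silently undefined; the remainder of shared.sh is outside this hunk. Failing explicitly is safer than continuing with missing functions, e.g. `. /usr/share/scap-security-guide/remediation_functions || { echo "remediation_functions not found" >&2; exit 1; }`. The comment `# Include source function library.` would also be more useful if it recorded why the line exists only downstream, e.g. `# RHEL7-only (downstream): source the shared remediation helper functions shipped by scap-security-guide`.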
@@ -0,0 +1,567 @@ +From 19bd5adfd804590b15e42cc75287b792706286d5 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 10 Feb 2022 15:25:06 +0100 +Subject: [PATCH 1/9] Add rule to check for default sudoers includedir + +This rule supports RHEL-08-010379. +--- + .../ansible/shared.yml | 7 ++++ + .../sudoers_default_includedir/bash/shared.sh | 11 ++++++ + .../oval/shared.xml | 23 +++++++++++ + .../sudo/sudoers_default_includedir/rule.yml | 38 +++++++++++++++++++ + .../tests/default_includedir.pass.sh | 7 ++++ + .../tests/duplicate_includedir.fail.sh | 7 ++++ + .../tests/no_includedir.fail.sh | 4 ++ + .../tests/two_includedir.fail.sh | 8 ++++ + 9 files changed, 105 insertions(+), 3 deletions(-) + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml +new file mode 100644 +index 00000000000..d9d5933285f +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml +@@ -0,0 +1,7 @@ ++# platform = multi_platform_all ++# # reboot = false ++# # strategy = configure 
++# # complexity = low ++# # disruption = low ++ ++{{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}} +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh +new file mode 100644 +index 00000000000..3a9e2da985b +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh +@@ -0,0 +1,11 @@ ++# platform = multi_platform_all ++ ++sudoers_config_file="/etc/sudoers" ++sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file") ++if [ "$sudoers_includedir_count" -gt 1 ]; then ++ sed -i "/#includedir.*/d" "$sudoers_config_file" ++ echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" ++fi ++if [ "$sudoers_includedir_count" -eq 0 ]; then ++ echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" ++fi +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml +new file mode 100644 +index 00000000000..5618c64291c +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml +@@ -0,0 +1,23 @@ ++ ++ ++ {{{ oval_metadata("Check if sudo includes only the default includedir") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/sudoers ++ ^#includedir[\s]+(.*)$ ++ 1 ++ ++ ++ /etc/sudoers.d ++ ++ ++ +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +new file mode 100644 +index 00000000000..5c33121f911 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +@@ -0,0 +1,38 @@ ++documentation_complete: true ++ ++prodtype: fedora,rhel7,rhel8,rhel9 ++ ++title: 'Ensure sudo only includes the default 
configuration directory' ++ ++description: |- ++ Administrators can configure authorized sudo users via drop-in files, and it is possible to include ++ other directories and configuration files from the file currently being parsed. ++ ++ Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d. ++ The /etc/sudoers should contain only one #includedir directive pointing to ++ /etc/sudoers.d ++ Note that the '#' character doesn't denote a comment in the configuration file. ++ ++rationale: |- ++ Some sudo configurtion options allow users to run programs without re-authenticating. ++ Use of these configuration options makes it easier for one compromised accound to be used to ++ compromise other accounts. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: CCE-86277-1 ++ cce@rhel8: CCE-86377-9 ++ cce@rhel9: CCE-86477-7 ++ ++references: ++ disa: CCI-000366 ++ stigid@rhel8: RHEL-08-010379 ++ ++ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?" ++ ++ocil: |- ++ To determine whether sudo command includes configuration files from the appropriate directory, ++ run the following command: ++
$ sudo grep 'include' /etc/sudoers
++ If only the line #includedir /etc/sudoers> is returned, then the drop-in file configuration is set correctly. +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh +new file mode 100644 +index 00000000000..ac0c808ccd6 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++# Ensure default config is there ++if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then ++ echo "#includedir /etc/sudoers.d" >> /etc/sudoers ++fi +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh +new file mode 100644 +index 00000000000..5bad8225625 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++# duplicate default entry ++if grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then ++ echo "#includedir /etc/sudoers.d" >> /etc/sudoers ++fi +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh +new file mode 100644 +index 00000000000..1e0ab8aea92 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++sed -i "/#includedir.*/d" /etc/sudoers +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh +new 
file mode 100644 +index 00000000000..09d14eab630 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++# Ensure that there are two different indludedirs ++if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then ++ echo "#includedir /etc/sudoers.d" >> /etc/sudoers ++fi ++echo "#includedir /opt/extra_config.d" >> /etc/sudoers + +From 99fe46922243e8dff5822e2ed6eb49addd000baa Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 10 Feb 2022 16:21:46 +0100 +Subject: [PATCH 2/9] Select rule in RHEL8 STIG + +Select sudoers_default_indludedir aligning to RHEL8 STIG V1R5 +--- + products/rhel8/profiles/stig.profile | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index d92bc72971c..e13bda7a787 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -271,6 +271,9 @@ selections: + # RHEL-08-010376 + - sysctl_kernel_perf_event_paranoid + ++ # RHEL-08-010379 ++ - sudoers_default_includedir ++ + # RHEL-08-010380 + - sudo_remove_nopasswd + + +From 3686fe72a6e27049f1c46d0a4efa07e1b42b6a20 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 10 Feb 2022 17:26:59 +0100 +Subject: [PATCH 3/9] Add test and fix for case when the single includedir is + wrong + +--- + .../sudo/sudoers_default_includedir/bash/shared.sh | 7 +++++-- + .../tests/wrong_includedir.fail.sh | 5 +++++ + 2 files changed, 10 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh +index 3a9e2da985b..258af02c121 100644 +--- 
a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh +@@ -5,7 +5,10 @@ sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file") + if [ "$sudoers_includedir_count" -gt 1 ]; then + sed -i "/#includedir.*/d" "$sudoers_config_file" + echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" +-fi +-if [ "$sudoers_includedir_count" -eq 0 ]; then ++elif [ "$sudoers_includedir_count" -eq 0 ]; then + echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" ++else ++ if ! grep -q "^#includedir /etc/sudoers.d" /etc/sudoers; then ++ sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" /etc/sudoers ++ fi + fi +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh +new file mode 100644 +index 00000000000..55a072adf3c +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++sed -i "/#includedir.*/d" /etc/sudoers ++echo "#includedir /opt/extra_config.d" >> /etc/sudoers + +From 0b20b495ed82cead1a033170b900c13da5260603 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 14 Feb 2022 14:50:11 +0100 +Subject: [PATCH 4/9] Add tests for sudo file and dir includes in + /etc/sudoers.d + +--- + .../tests/sudoers.d_with_include.fail.sh | 9 +++++++++ + .../tests/sudoers.d_with_includedir.fail.sh | 9 +++++++++ + .../tests/sudoers_with_include.fail.sh | 11 +++++++++++ + 3 files changed, 29 insertions(+) + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh + create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh + create mode 100644 
linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh +new file mode 100644 +index 00000000000..554ef2e060d +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++# Ensure default config is there ++if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then ++ echo "#includedir /etc/sudoers.d" >> /etc/sudoers ++fi ++ ++echo "#include /etc/my-sudoers" > /etc/sudoers.d/my-sudoers +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh +new file mode 100644 +index 00000000000..516b68b5a3e +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++# Ensure default config is there ++if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then ++ echo "#includedir /etc/sudoers.d" >> /etc/sudoers ++fi ++ ++echo "#includedir /etc/my-sudoers.d" > /etc/sudoers.d/my-sudoers +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh +new file mode 100644 +index 00000000000..ad04880e334 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++# Ensure default config is there ++if ! 
grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then ++ echo "#includedir /etc/sudoers.d" >> /etc/sudoers ++fi ++ ++if ! grep -q "#include " /etc/sudoers; then ++ echo "#include /etc/my-sudoers" >> /etc/sudoers ++fi + +From d91e3eefe6c265c27634cb15b0f276a298f81645 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 14 Feb 2022 14:59:18 +0100 +Subject: [PATCH 5/9] Update rule catch and remove other sudo includes + +Any other #include or #includedir besides: +"/etc/sudoers: #includedir /etc/sudoers.d" should be removed. +--- + .../ansible/shared.yml | 14 +++++++++++ + .../sudoers_default_includedir/bash/shared.sh | 7 ++++-- + .../oval/shared.xml | 23 +++++++++++++++++++ + .../sudo/sudoers_default_includedir/rule.yml | 7 +++--- + 4 files changed, 46 insertions(+), 5 deletions(-) + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml +index d9d5933285f..175a447e0d9 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml +@@ -5,3 +5,17 @@ + # # disruption = low + + {{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}} ++{{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}} ++- name: "Find out if /etc/sudoers.d/* files contain file or directory includes" ++ find: ++ path: "/etc/sudoers.d" ++ patterns: "*" ++ contains: '^#include(dir)?\s.*$' ++ register: sudoers_d_includes ++ ++- name: "Remove found occurrences of file and directory inclues from /etc/sudoers.d/* files" ++ lineinfile: ++ path: "{{ item.path }}" ++ regexp: '^#include(dir)?\s.*$' ++ state: absent ++ with_items: "{{ 
sudoers_d_includes.files }}" +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh +index 258af02c121..2d00b471677 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh +@@ -1,6 +1,7 @@ + # platform = multi_platform_all + + sudoers_config_file="/etc/sudoers" ++sudoers_config_dir="/etc/sudoers.d" + sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file") + if [ "$sudoers_includedir_count" -gt 1 ]; then + sed -i "/#includedir.*/d" "$sudoers_config_file" +@@ -8,7 +9,9 @@ if [ "$sudoers_includedir_count" -gt 1 ]; then + elif [ "$sudoers_includedir_count" -eq 0 ]; then + echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" + else +- if ! grep -q "^#includedir /etc/sudoers.d" /etc/sudoers; then +- sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" /etc/sudoers ++ if ! 
grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then ++ sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file" + fi + fi ++sed -i "/^#include\s\+.*/d" "$sudoers_config_file" "${sudoers_config_dir}"/* ++sed -i "/^#includedir\s\+.*/d" "${sudoers_config_dir}"/* +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml +index 5618c64291c..59cab0b89de 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml +@@ -3,6 +3,8 @@ + {{{ oval_metadata("Check if sudo includes only the default includedir") }}} + + ++ ++ + + + +@@ -20,4 +22,25 @@ + /etc/sudoers.d + + ++ ++ ++ ++ ++ /etc/sudoers ++ ^#include[\s]+.*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/sudoers.d/ ++ .* ++ ^#include(dir)?[\s]+.*$ ++ 1 ++ ++ + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +index 5c33121f911..3a8c22ac8af 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +@@ -10,7 +10,7 @@ description: |- + + Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d. + The /etc/sudoers should contain only one #includedir directive pointing to +- /etc/sudoers.d ++ /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories. + Note that the '#' character doesn't denote a comment in the configuration file. + + rationale: |- +@@ -34,5 +34,6 @@ ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other + ocil: |- + To determine whether sudo command includes configuration files from the appropriate directory, + run the following command: +-
$ sudo grep 'include' /etc/sudoers
+- If only the line #includedir /etc/sudoers> is returned, then the drop-in file configuration is set correctly. ++
$ sudo grep -rP '^#include(dir)?' /etc/sudoers /etc/sudoers.d
++ If only the line /etc/sudoers:#includedir /etc/sudoers.d is returned, then the drop-in include configuration is set correctly. ++ Any other line returned is a finding. + +From ead72b744f1fc03893184079c079df27780044c2 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 14 Feb 2022 15:00:46 +0100 +Subject: [PATCH 6/9] Add SRG to sudoers_default_includedir + +--- + .../system/software/sudo/sudoers_default_includedir/rule.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +index 3a8c22ac8af..a97bd3efb2c 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +@@ -27,6 +27,7 @@ identifiers: + + references: + disa: CCI-000366 ++ srg: SRG-OS-000480-GPOS-00227 + stigid@rhel8: RHEL-08-010379 + + ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?" 
+ +From c1a08fe6b8e6388b89b190ca74e57af06e7c999c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 14 Feb 2022 16:12:32 +0100 +Subject: [PATCH 7/9] Update RHEL8 STIG profile stability data + +--- + tests/data/profile_stability/rhel8/stig.profile | 1 + + tests/data/profile_stability/rhel8/stig_gui.profile | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index e4fee44f9f9..974b28757e9 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -365,6 +365,7 @@ selections: + - sudo_remove_nopasswd + - sudo_require_reauthentication + - sudo_restrict_privilege_elevation_to_authorized ++- sudoers_default_includedir + - sudoers_validate_passwd + - sysctl_crypto_fips_enabled + - sysctl_fs_protected_hardlinks +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index 83d04775e3a..99e0af4f5a6 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -376,6 +376,7 @@ selections: + - sudo_remove_nopasswd + - sudo_require_reauthentication + - sudo_restrict_privilege_elevation_to_authorized ++- sudoers_default_includedir + - sudoers_validate_passwd + - sysctl_crypto_fips_enabled + - sysctl_fs_protected_hardlinks + +From adae3ecbda4362e23cd1f30e053db37d6a1d403b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 14 Feb 2022 16:59:22 +0100 +Subject: [PATCH 8/9] Fix Ansible remediation metadata + +--- + .../sudo/sudoers_default_includedir/ansible/shared.yml | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml +index 175a447e0d9..0d8c9e75184 100644 +--- 
a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml +@@ -1,8 +1,8 @@ + # platform = multi_platform_all +-# # reboot = false +-# # strategy = configure +-# # complexity = low +-# # disruption = low ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low + + {{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}} + {{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}} + +From d3f048456908b316c0dcc0bff2328cf87fe6e7de Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 14 Feb 2022 17:39:39 +0100 +Subject: [PATCH 9/9] Handle case when /etc/sudoers.d doesn't exist + +The remediation skips the directory, and the test scenarios create the +dir to ensure the test scenario works. +--- + .../sudo/sudoers_default_includedir/bash/shared.sh | 8 ++++++-- + .../tests/sudoers.d_with_include.fail.sh | 1 + + .../tests/sudoers.d_with_includedir.fail.sh | 1 + + 3 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh +index 2d00b471677..fbff5eb6f30 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh +@@ -13,5 +13,9 @@ else + sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file" + fi + fi +-sed -i "/^#include\s\+.*/d" "$sudoers_config_file" "${sudoers_config_dir}"/* +-sed -i "/^#includedir\s\+.*/d" "${sudoers_config_dir}"/* ++ ++sed -i "/^#include\s\+.*/d" "$sudoers_config_file" ++ ++if grep -Pr "^#include(dir)? 
.*" "$sudoers_config_dir" ; then ++ sed -i "/^#include\(dir\)\?\s\+.*/d" "$sudoers_config_dir"/* ++fi +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh +index 554ef2e060d..3f14ecc1627 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh +@@ -1,6 +1,7 @@ + #!/bin/bash + # platform = multi_platform_all + ++mkdir -p /etc/sudoers.d + # Ensure default config is there + if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then + echo "#includedir /etc/sudoers.d" >> /etc/sudoers +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh +index 516b68b5a3e..89515076ff1 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh +@@ -1,6 +1,7 @@ + #!/bin/bash + # platform = multi_platform_all + ++mkdir -p /etc/sudoers.d + # Ensure default config is there + if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then + echo "#includedir /etc/sudoers.d" >> /etc/sudoers diff --git a/SOURCES/scap-security-guide-0.1.61-rhel8_stig_v1r5-PR_8050.patch b/SOURCES/scap-security-guide-0.1.61-rhel8_stig_v1r5-PR_8050.patch new file mode 100644 index 0000000..52448ae --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.61-rhel8_stig_v1r5-PR_8050.patch 
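Review bot: Every pattern that decides this rule's result in the final state of sudoers_default_includedir — the OVAL `^#includedir[\s]+(.*)$` and `^#include(dir)?[\s]+.*$`, the bash `grep -c "#includedir"` and `sed` lines, and the Ansible `regexp: '^#include(dir)?\s.*$'` — recognises only the legacy `#include`/`#includedir` spelling, so on sudo 1.9.1 and newer (reachable through the rhel9 and fedora prodtypes) an `@include` or `@includedir` directive that pulls configuration in from outside /etc/sudoers.d is neither reported nor removed and the rule passes; widening the first character to `[#@]` in each pattern, e.g. `^[#@]include(dir)?[\s]+.*$`, closes that gap (the OVAL bodies are rendered here with their XML tags stripped, so the object/state wiring itself could not be checked). The bash remediation also rewrites /etc/sudoers in place with `sed -i` and `echo >>` without validating the result, and a syntax error there disables sudo for every account; running `visudo -cf "$sudoers_config_file"` after the edits and restoring a backup when it fails, as sketched below, keeps the change recoverable. Separately, the guard `grep -Pr "^#include(dir)? .*"` requires a literal space while the `sed` it protects uses `\s\+`, so a tab-separated directive in /etc/sudoers.d is flagged by the OVAL but never removed; use `\s` in the guard as well. rule.yml additionally carries the typos `configurtion`, `accound` and `sudores.d` (in ocil_clause).
```shell
sudoers_config_file="/etc/sudoers"
sudoers_config_dir="/etc/sudoers.d"
sudoers_backup="$(mktemp)"
cp -p "$sudoers_config_file" "$sudoers_backup"
# … unchanged: includedir count handling, #include removal, sudoers.d cleanup …
if ! visudo -cf "$sudoers_config_file" >/dev/null 2>&1; then
    # restore via redirection so the target keeps its inode, owner and mode
    cat "$sudoers_backup" > "$sudoers_config_file"
fi
rm -f "$sudoers_backup"
```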
@@ -0,0 +1,380 @@ +commit 0c97a68f7be1bfa5834fa6c68eeb7fcc9fbc00ef +Author: Gabriel Becker +Date: Thu Feb 17 12:15:36 2022 +0100 + + Custom patch for RHEL7.9 PR 8050. + +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh +new file mode 100644 +index 0000000..1c151a1 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh +@@ -0,0 +1,5 @@ ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhv ++ ++if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" "/etc/pam.d/password-auth"; then ++ sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" "/etc/pam.d/password-auth" ++fi +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml +new file mode 100644 +index 0000000..24fdbe4 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml +@@ -0,0 +1,19 @@ ++ ++ ++ {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/password-auth.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/pam.d/password-auth ++ ^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$ ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml 
b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml +new file mode 100644 +index 0000000..9375269 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml +@@ -0,0 +1,72 @@ ++documentation_complete: true ++ ++prodtype: fedora,rhel7,rhel8,rhel9,rhv4 ++ ++title: "Set PAM's Password Hashing Algorithm - password-auth" ++ ++description: |- ++ The PAM system service can be configured to only store encrypted ++ representations of passwords. In ++ /etc/pam.d/password-auth, ++ the ++ password section of the file controls which PAM modules execute ++ during a password change. Set the pam_unix.so module in the ++ password section to include the argument sha512, as shown ++ below: ++
++
password    sufficient    pam_unix.so sha512 other arguments...
++
++ This will help ensure when local users change their passwords, hashes for ++ the new passwords will be generated using the SHA-512 algorithm. This is ++ the default. ++ ++rationale: |- ++ Passwords need to be protected at all times, and encryption is the standard ++ method for protecting passwords. If passwords are not encrypted, they can ++ be plainly read (i.e., clear text) and easily compromised. Passwords that ++ are encrypted with a weak algorithm are no more protected than if they are ++ kepy in plain text. ++

++ This setting ensures user and group account administration utilities are ++ configured to store only encrypted representations of passwords. ++ Additionally, the crypt_style configuration option ensures the use ++ of a strong hashing algorithm that makes password cracking attacks more ++ difficult. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: CCE-85943-9 ++ cce@rhel8: CCE-85945-4 ++ cce@rhel9: CCE-85946-2 ++ ++references: ++ anssi: BP28(R32) ++ cis-csc: 1,12,15,16,5 ++ cis@rhel7: 5.4.3 ++ cis@rhel8: 5.4.4 ++ cjis: 5.6.2.2 ++ cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 ++ cui: 3.13.11 ++ disa: CCI-000196 ++ isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4 ++ isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1' ++ ism: 0418,1055,1402 ++ iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 ++ nist: IA-5(c),IA-5(1)(c),CM-6(a) ++ nist-csf: PR.AC-1,PR.AC-6,PR.AC-7 ++ pcidss: Req-8.2.1 ++ srg: SRG-OS-000073-GPOS-00041 ++ stigid@rhel7: RHEL-07-010200 ++ stigid@rhel8: RHEL-08-010160 ++ vmmsrg: SRG-OS-000480-VMM-002000 ++ ++ocil_clause: 'it does not' ++ ++ocil: |- ++ Inspect the password section of /etc/pam.d/password-auth ++ and ensure that the pam_unix.so module includes the argument ++ sha512: ++
$ grep sha512 /etc/pam.d/password-auth
++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh +new file mode 100644 +index 0000000..a924fe5 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" "/etc/pam.d/password-auth"; then ++ sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" "/etc/pam.d/password-auth" ++fi +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh +new file mode 100644 +index 0000000..68e925a +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/sha512//g" "/etc/pam.d/password-auth" +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh +index 02af406..e7503fe 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh 
+@@ -1,7 +1,9 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + + AUTH_FILES[0]="/etc/pam.d/system-auth" ++{{%- if product == "rhel7" %}} + AUTH_FILES[1]="/etc/pam.d/password-auth" ++{{%- endif %}} + + for pamFile in "${AUTH_FILES[@]}" + do +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml +index d76b6f8..a754a84 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml +@@ -3,6 +3,9 @@ + {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.") }}} + + ++ {{%- if product == "rhel7" %}} ++ ++ {{%- endif %}} + + + +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml +index 24ab30d..58fcea9 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml +@@ -69,7 +69,7 @@ references: + srg: SRG-OS-000073-GPOS-00041 + stigid@ol7: OL07-00-010200 + stigid@rhel7: RHEL-07-010200 +- stigid@rhel8: RHEL-08-010160 ++ stigid@rhel8: RHEL-08-010159 + stigid@sle12: SLES-12-010230 + stigid@sle15: SLES-15-020170 + vmmsrg: SRG-OS-000480-VMM-002000 +diff --git 
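Review bot: The `{{%- if product == "rhel7" %}}` guard drops /etc/pam.d/password-auth from AUTH_FILES for every other product this script is built for (the platform line names wrlinux, fedora, ol and rhv as well as rhel), so on those products the password-auth hash check and remediation now exist only if the profile also selects the new set_password_hashing_algorithm_passwordauth rule. This patch adds that rule to rhel8, rhel9 and rhv4 profiles, but no ol7 profile is touched even though the rule.yml hunk below still carries `stigid@ol7: OL07-00-010200`, and what appears to be the new rule's rule.yml above ends with `platform: pam`, which says nothing about which ol7 profiles pick it up. The same guard is applied to the OVAL hunk below and to tests/correct.pass.sh and tests/missing.fail.sh in the next section. Either widen the guard, e.g. `{{%- if product in ["rhel7", "ol7"] %}}`, or add the new rule to the affected profiles, and state in the commit message which products knowingly lose password-auth coverage from this rule.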
a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh +index 7e48176..fb9feec 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh +@@ -1,7 +1,9 @@ + #!/bin/bash + + AUTH_FILES[0]="/etc/pam.d/system-auth" ++{{%- if product == "rhel7" %}} + AUTH_FILES[1]="/etc/pam.d/password-auth" ++{{%- endif %}} + + for pamFile in "${AUTH_FILES[@]}" + do +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh +index 09bb82d..2f35381 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh +@@ -1,7 +1,9 @@ + #!/bin/bash + + AUTH_FILES[0]="/etc/pam.d/system-auth" ++{{%- if product == "rhel7" %}} + AUTH_FILES[1]="/etc/pam.d/password-auth" ++{{%- endif %}} + + for pamFile in "${AUTH_FILES[@]}" + do +diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile +index fed3364..2449b8a 100644 +--- a/products/rhel8/profiles/pci-dss.profile ++++ b/products/rhel8/profiles/pci-dss.profile +@@ -126,6 +126,7 @@ selections: + - service_pcscd_enabled + - sssd_enable_smartcards + - set_password_hashing_algorithm_systemauth ++ - 
set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_logindefs + - set_password_hashing_algorithm_libuserconf + - file_owner_etc_shadow +diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile +index d76bb38..1045be3 100644 +--- a/products/rhel8/profiles/rht-ccp.profile ++++ b/products/rhel8/profiles/rht-ccp.profile +@@ -54,6 +54,7 @@ selections: + - accounts_password_pam_difok + - accounts_passwords_pam_faillock_deny + - set_password_hashing_algorithm_systemauth ++ - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_logindefs + - set_password_hashing_algorithm_libuserconf + - require_singleuser_auth +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 7473865..6eb08da 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -146,6 +146,9 @@ selections: + # RHEL-08-010152 + - require_emergency_target_auth + ++ # RHEL-08-010159 ++ - set_password_hashing_algorithm_passwordauth ++ + # RHEL-08-010160 + - set_password_hashing_algorithm_systemauth + +diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile +index af34750..88f1518 100644 +--- a/products/rhel9/profiles/pci-dss.profile ++++ b/products/rhel9/profiles/pci-dss.profile +@@ -125,6 +125,7 @@ selections: + # - service_pcscd_enabled # not supported in RHEL9 ATM + - sssd_enable_smartcards + - set_password_hashing_algorithm_systemauth ++ - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_logindefs + - set_password_hashing_algorithm_libuserconf + - file_owner_etc_shadow +diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile +index 8d60468..9d2cf4b 100644 +--- a/products/rhel9/profiles/stig.profile ++++ b/products/rhel9/profiles/stig.profile +@@ -128,6 +128,9 @@ selections: + # To be released in V1R3 + # - require_emergency_target_auth + ++ 
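Review bot: The new `# RHEL-08-010159` comment over set_password_hashing_algorithm_passwordauth contradicts the systemauth rule.yml hunk earlier in this patch, which changes that rule's `stigid@rhel8` from RHEL-08-010160 to RHEL-08-010159 while this profile keeps systemauth under the existing `# RHEL-08-010160` comment. Both cannot be right: either the two comments here (and the same pair added to products/rhel9/profiles/stig.profile in the next section) should be swapped, or the systemauth rule.yml should keep 010160 and the passwordauth rule.yml, which is not in this chunk, should be the one carrying 010159. If I recall the V1R3 numbering correctly, 010159 is the system-auth item and 010160 the password-auth item, which would make the rule.yml change right and these comments wrong, but verify against the STIG before choosing. The profile_stability data later in the patch is sorted alphabetically and carries no comments, so that test will not catch the mismatch.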
# RHEL-08-010159 ++ - set_password_hashing_algorithm_passwordauth ++ + # RHEL-08-010160 + - set_password_hashing_algorithm_systemauth + +diff --git a/products/rhv4/profiles/pci-dss.profile b/products/rhv4/profiles/pci-dss.profile +index 90e196e..f1fb1f8 100644 +--- a/products/rhv4/profiles/pci-dss.profile ++++ b/products/rhv4/profiles/pci-dss.profile +@@ -115,6 +115,7 @@ selections: + - service_pcscd_enabled + - sssd_enable_smartcards + - set_password_hashing_algorithm_systemauth ++ - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_logindefs + - set_password_hashing_algorithm_libuserconf + - file_owner_etc_shadow +diff --git a/products/rhv4/profiles/rhvh-stig.profile b/products/rhv4/profiles/rhvh-stig.profile +index ef28fa1..d17833b 100644 +--- a/products/rhv4/profiles/rhvh-stig.profile ++++ b/products/rhv4/profiles/rhvh-stig.profile +@@ -355,6 +355,7 @@ selections: + - set_password_hashing_algorithm_libuserconf + - set_password_hashing_algorithm_logindefs + - set_password_hashing_algorithm_systemauth ++ - set_password_hashing_algorithm_passwordauth + - package_opensc_installed + - var_smartcard_drivers=cac + - configure_opensc_card_drivers +diff --git a/products/rhv4/profiles/rhvh-vpp.profile b/products/rhv4/profiles/rhvh-vpp.profile +index 9be3e34..3b5802d 100644 +--- a/products/rhv4/profiles/rhvh-vpp.profile ++++ b/products/rhv4/profiles/rhvh-vpp.profile +@@ -200,6 +200,7 @@ selections: + - accounts_password_pam_unix_remember + - set_password_hashing_algorithm_logindefs + - set_password_hashing_algorithm_systemauth ++ - set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_libuserconf + - no_empty_passwords + +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 226fed8..97dfbe2 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -69,9 +69,6 @@ CCE-85939-7 + CCE-85940-5 + CCE-85941-3 + CCE-85942-1 +-CCE-85943-9 
+-CCE-85945-4 +-CCE-85946-2 + CCE-85947-0 + CCE-85948-8 + CCE-85949-6 +diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile +index f58bcf9..e235d49 100644 +--- a/tests/data/profile_stability/rhel8/pci-dss.profile ++++ b/tests/data/profile_stability/rhel8/pci-dss.profile +@@ -1,5 +1,9 @@ ++title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8 + description: Ensures PCI-DSS v3.2.1 security configuration settings are applied. +-documentation_complete: true ++extends: null ++metadata: ++ SMEs: ++ - yuumasato + reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf + selections: + - account_disable_post_pw_expiration +@@ -120,6 +124,7 @@ selections: + - service_pcscd_enabled + - set_password_hashing_algorithm_libuserconf + - set_password_hashing_algorithm_logindefs ++- set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_systemauth + - sshd_set_idle_timeout + - sshd_set_keepalive_0 +@@ -136,4 +141,8 @@ selections: + - var_multiple_time_servers=rhel + - var_sshd_set_keepalive=0 + - var_smartcard_drivers=cac +-title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8 ++platforms: !!set {} ++cpe_names: !!set {} ++platform: null ++filter_rules: '' ++documentation_complete: true +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 1e84dea..58699ee 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -329,6 +329,7 @@ selections: + - service_systemd-coredump_disabled + - service_usbguard_enabled + - set_password_hashing_algorithm_logindefs ++- set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_systemauth + - sshd_disable_compression + - sshd_disable_empty_passwords +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile 
b/tests/data/profile_stability/rhel8/stig_gui.profile +index 1c9cf55..f432444 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -340,6 +340,7 @@ selections: + - service_systemd-coredump_disabled + - service_usbguard_enabled + - set_password_hashing_algorithm_logindefs ++- set_password_hashing_algorithm_passwordauth + - set_password_hashing_algorithm_systemauth + - sshd_disable_compression + - sshd_disable_empty_passwords diff --git a/SOURCES/scap-security-guide-0.1.61-update_RHEL7_STIG-PR_8225.patch b/SOURCES/scap-security-guide-0.1.61-update_RHEL7_STIG-PR_8225.patch new file mode 100644 index 0000000..32ddc32 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.61-update_RHEL7_STIG-PR_8225.patch 
@@ -0,0 +1,318 @@ +commit f2a0e48d89e6e8c879a2eb94dc4adec2da988f78 +Author: Gabriel Becker +Date: Thu Feb 17 12:48:39 2022 +0100 + + Custom patch for RHEL7.9 PR 8225. + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml +index 6c3cc55..e0615c4 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml +@@ -54,7 +54,7 @@ references: + pcidss: Req-10.5.5 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203 + stigid@ol7: OL07-00-030420 +- stigid@rhel7: RHEL-07-030420 ++ stigid@rhel7: RHEL-07-030410 + stigid@rhel8: RHEL-08-030540 + stigid@sle12: SLES-12-020470 + stigid@sle15: SLES-15-030300 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml +index 3e51d48..cd02e55 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml +@@ -54,7 +54,7 @@ references: + pcidss: Req-10.5.5 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203 + 
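Review bot: After this hunk audit_rules_dac_modification_fchmod carries `stigid@rhel7: RHEL-07-030410`, and the following hunks give fchmodat the same ID, fchown/fchownat/lchown RHEL-07-030370, the five *xattr rules RHEL-07-030440, rename/renameat/rmdir/unlinkat RHEL-07-030910, creat/ftruncate/open_by_handle_at/openat/truncate RHEL-07-030510 and finit RHEL-07-030820. That is consistent with a STIG release folding per-syscall items into one requirement, but any build tooling that keys a table on stigid@rhel7 now sees several rules per key, and the rule that already held each consolidated ID is not in this patch, so I am assuming it already matched — worth confirming. Since one of these IDs is only satisfied when every one of its syscall rules is selected, a check that the rhel7 STIG profile selects all rules sharing a stigid@rhel7 would catch a missing sibling.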
stigid@ol7: OL07-00-030430 +- stigid@rhel7: RHEL-07-030430 ++ stigid@rhel7: RHEL-07-030410 + stigid@rhel8: RHEL-08-030530 + stigid@sle12: SLES-12-020480 + stigid@sle15: SLES-12-030310 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml +index d89875f..d205ddb 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml +@@ -57,7 +57,7 @@ references: + pcidss: Req-10.5.5 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219 + stigid@ol7: OL07-00-030380 +- stigid@rhel7: RHEL-07-030380 ++ stigid@rhel7: RHEL-07-030370 + stigid@rhel8: RHEL-08-030520 + stigid@sle12: SLES-12-020430 + stigid@sle15: SLES-15-030260 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml +index e6caaeb..05c36ab 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml +@@ -54,7 +54,7 @@ references: + pcidss: Req-10.5.5 + srg: 
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219 + stigid@ol7: OL07-00-030400 +- stigid@rhel7: RHEL-07-030400 ++ stigid@rhel7: RHEL-07-030370 + stigid@rhel8: RHEL-08-030510 + stigid@sle12: SLES-12-020450 + stigid@sle15: SLES-15-030280 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +index b9ad3c7..f37db41 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +@@ -71,7 +71,7 @@ references: + pcidss: Req-10.5.5 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 + stigid@ol7: OL07-00-030480 +- stigid@rhel7: RHEL-07-030480 ++ stigid@rhel7: RHEL-07-030440 + stigid@rhel8: RHEL-08-030240 + stigid@sle12: SLES-12-020410 + stigid@sle15: SLES-15-030210 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +index cedf05f..f32a323 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +@@ -66,7 +66,7 @@ references: + pcidss: Req-10.5.5 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033 + stigid@ol7: OL07-00-030450 +- stigid@rhel7: RHEL-07-030450 ++ stigid@rhel7: RHEL-07-030440 + stigid@rhel8: RHEL-08-030230 + stigid@sle12: SLES-12-020380 + stigid@sle15: SLES-15-030230 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml +index 190509c..954ff5a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml +@@ -54,7 +54,7 @@ references: + pcidss: Req-10.5.5 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219 + stigid@ol7: OL07-00-030390 +- stigid@rhel7: RHEL-07-030390 ++ stigid@rhel7: RHEL-07-030370 + stigid@rhel8: RHEL-08-030500 + stigid@sle12: SLES-12-020440 + stigid@sle15: SLES-15-030270 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +index ffdacdf..ab8a98b 100644 +--- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +@@ -71,7 +71,7 @@ references: + pcidss: Req-10.5.5 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 + stigid@ol7: OL07-00-030490 +- stigid@rhel7: RHEL-07-030490 ++ stigid@rhel7: RHEL-07-030440 + stigid@rhel8: RHEL-08-030200 + stigid@sle12: SLES-12-020400 + stigid@sle15: SLES-15-030200 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +index 3662262..885da73 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +@@ -65,7 +65,7 @@ references: + pcidss: Req-10.5.5 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033 + stigid@ol7: OL07-00-030460 +- stigid@rhel7: RHEL-07-030460 ++ stigid@rhel7: RHEL-07-030440 + stigid@rhel8: RHEL-08-030220 + stigid@sle15: SLES-15-030240 + stigid@ubuntu2004: UBTU-20-010143 +diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +index ac9d349..4bbb500 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +@@ -70,7 +70,7 @@ references: + pcidss: Req-10.5.5 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 + stigid@ol7: OL07-00-030470 +- stigid@rhel7: RHEL-07-030470 ++ stigid@rhel7: RHEL-07-030440 + stigid@rhel8: RHEL-08-030210 + stigid@sle12: SLES-12-020390 + stigid@sle15: SLES-15-030190 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml +index 2f2d75a..2ae4d05 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml +@@ -47,7 +47,7 @@ references: + pcidss: Req-10.2.7 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212 + stigid@ol7: OL07-00-030880 +- stigid@rhel7: 
RHEL-07-030880 ++ stigid@rhel7: RHEL-07-030910 + stigid@rhel8: RHEL-08-030361 + stigid@ubuntu2004: UBTU-20-010269 + vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml +index 37620a3..c7d2008 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml +@@ -47,7 +47,7 @@ references: + pcidss: Req-10.2.7 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212 + stigid@ol7: OL07-00-030890 +- stigid@rhel7: RHEL-07-030890 ++ stigid@rhel7: RHEL-07-030910 + stigid@rhel8: RHEL-08-030362 + stigid@ubuntu2004: UBTU-20-010270 + vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml +index e6b4004..e8d3826 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml +@@ -46,7 +46,7 @@ references: + pcidss: Req-10.2.7 + srg: 
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212 + stigid@ol7: OL07-00-030900 +- stigid@rhel7: RHEL-07-030900 ++ stigid@rhel7: RHEL-07-030910 + stigid@rhel8: RHEL-08-030363 + vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890 + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml +index bd246f1..775072f 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml +@@ -47,7 +47,7 @@ references: + pcidss: Req-10.2.7 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212 + stigid@ol7: OL07-00-030920 +- stigid@rhel7: RHEL-07-030920 ++ stigid@rhel7: RHEL-07-030910 + stigid@rhel8: RHEL-08-030365 + stigid@ubuntu2004: UBTU-20-010268 + vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml +index 5c751cb..4ed1cde 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml +@@ -59,7 +59,7 @@ references: + pcidss: Req-10.2.4,Req-10.2.1 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205 + stigid@ol7: OL07-00-030500 +- stigid@rhel7: RHEL-07-030500 ++ stigid@rhel7: RHEL-07-030510 + stigid@rhel8: RHEL-08-030470 + stigid@sle12: SLES-12-020520 + stigid@sle15: SLES-15-030160 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml +index 76bcea1..203aa4c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml +@@ -62,7 +62,7 @@ references: + pcidss: Req-10.2.4,Req-10.2.1 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205 + stigid@ol7: OL07-00-030550 +- stigid@rhel7: RHEL-07-030550 ++ stigid@rhel7: RHEL-07-030510 + stigid@rhel8: RHEL-08-030460 + stigid@sle12: SLES-12-020510 + stigid@sle15: SLES-15-030320 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml +index 9bb5ffe..3d4cfba 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml +@@ -58,7 +58,7 @@ references: + pcidss: Req-10.2.4,Req-10.2.1 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205 + stigid@ol7: OL07-00-030530 +- stigid@rhel7: RHEL-07-030530 ++ stigid@rhel7: RHEL-07-030510 + stigid@rhel8: RHEL-08-030450 + stigid@sle12: SLES-12-020540 + stigid@sle15: SLES-15-030180 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml +index c99656c..5e58d02 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml +@@ -62,7 +62,7 @@ references: + pcidss: Req-10.2.4,Req-10.2.1 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205 + stigid@ol7: OL07-00-030520 +- stigid@rhel7: RHEL-07-030520 ++ stigid@rhel7: RHEL-07-030510 + stigid@rhel8: RHEL-08-030430 
+ stigid@sle12: SLES-12-020530 + stigid@sle15: SLES-15-030170 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml +index 12771be..e1906b6 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml +@@ -61,7 +61,7 @@ references: + pcidss: Req-10.2.4,Req-10.2.1 + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205 + stigid@ol7: OL07-00-030540 +- stigid@rhel7: RHEL-07-030540 ++ stigid@rhel7: RHEL-07-030510 + stigid@rhel8: RHEL-08-030420 + stigid@sle12: SLES-12-020500 + stigid@sle15: SLES-15-030610 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml +index aa17002..64bf354 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml +@@ -49,7 +49,7 @@ references: + pcidss: Req-10.2.7 + srg: 
SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222 + stigid@ol7: OL07-00-030821 +- stigid@rhel7: RHEL-07-030821 ++ stigid@rhel7: RHEL-07-030820 + stigid@rhel8: RHEL-08-030380 + stigid@sle12: SLES-12-020740 + stigid@sle15: SLES-15-030530 +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +index 51adb67..4456e8b 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +@@ -36,6 +36,7 @@ references: + nist-csf: DE.CM-1,DE.CM-7,PR.DS-1,PR.DS-6,PR.DS-8,PR.IP-1,PR.IP-3 + pcidss: Req-11.5 + srg: SRG-OS-000363-GPOS-00150 ++ stigid@rhel7: RHEL-07-020029 + stigid@rhel8: RHEL-08-010360 + stigid@sle12: SLES-12-010500 + stigid@sle15: SLES-15-010420 +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +index a97bd3e..47c3019 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +@@ -28,6 +28,7 @@ identifiers: + references: + disa: CCI-000366 + srg: SRG-OS-000480-GPOS-00227 ++ stigid@rhel7: RHEL-07-010339 + stigid@rhel8: RHEL-08-010379 + + ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?" 
+diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
+index f020bc0..06bc62e 100644
+--- a/products/rhel7/profiles/stig.profile
++++ b/products/rhel7/profiles/stig.profile
+@@ -46,7 +46,7 @@ selections:
+ - var_accounts_minimum_age_login_defs=1
+ - var_password_pam_maxrepeat=3
+ - var_accounts_maximum_age_login_defs=60
+- - var_account_disable_post_pw_expiration=0
++ - var_account_disable_post_pw_expiration=35
+ - var_removable_partition=dev_cdrom
+ - var_auditd_action_mail_acct=root
+ - var_auditd_space_left_action=email
+@@ -56,7 +56,7 @@ selections:
+ - var_accounts_max_concurrent_login_sessions=10
+ - var_accounts_tmout=15_min
+ - var_accounts_authorized_local_users_regex=rhel7
+- - var_time_service_set_maxpoll=system_default
++ - var_time_service_set_maxpoll=18_hours
+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+@@ -326,3 +326,5 @@ selections:
+ - auditd_overflow_action
+ - auditd_name_format
+ - sebool_ssh_sysadm_login
++ - sudoers_default_includedir
++ - package_aide_installed
diff --git a/SOURCES/scap-security-guide-0.1.61-update_RHEL_07_STIG-PR_8140.patch b/SOURCES/scap-security-guide-0.1.61-update_RHEL_07_STIG-PR_8140.patch
new file mode 100644
index 0000000..cce5981
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.61-update_RHEL_07_STIG-PR_8140.patch
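Review bot: `var_account_disable_post_pw_expiration=0` → `35` in the first hunk relaxes the profile: with INACTIVE=0 an account is locked as soon as its password expires, whereas 35 leaves it usable for a further 35 days, and neither the patch description ("Custom patch for RHEL7.9 PR 8225.") nor the hunk says that this and the `var_time_service_set_maxpoll=18_hours` change in the second hunk are tracking new STIG values. A one-line comment above each changed selection naming the controlling STIG item, in the style of the `# RHEL-08-...` comments the rhel8 profile uses, or a sentence in the commit message, would make the relaxation reviewable later. The third hunk's selections of sudoers_default_includedir and package_aide_installed line up with the stigid@rhel7 references added to those rules earlier in this patch.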
@@ -0,0 +1,1170 @@
+commit 527027f3265cf06e26d36df260eabe63b8a24166
+Author: Gabriel Becker
+Date: Thu Feb 17 12:32:24 2022 +0100
+
+ Custom patch for RHEL7.9 PR 8140.
+
+diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
+index e2c4f9a..f020bc0 100644
+--- a/products/rhel7/profiles/stig.profile
++++ b/products/rhel7/profiles/stig.profile
+@@ -1,7 +1,7 @@
+ documentation_complete: true
+ 
+ metadata:
+- version: V3R5
++ version: V3R6
+ SMEs:
+ - ggbecker
+ 
+@@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 7'
+ 
+ description: |-
+ This profile contains configuration checks that align to the
+- DISA STIG for Red Hat Enterprise Linux V3R5.
++ DISA STIG for Red Hat Enterprise Linux V3R6.
+ 
+ In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+diff --git a/products/rhel7/profiles/stig_gui.profile b/products/rhel7/profiles/stig_gui.profile
+index 2c5821f..932d034 100644
+--- a/products/rhel7/profiles/stig_gui.profile
++++ b/products/rhel7/profiles/stig_gui.profile
+@@ -1,7 +1,7 @@
+ documentation_complete: true
+ 
+ metadata:
+- version: V3R5
++ version: V3R6
+ SMEs:
+ - ggbecker
+ 
+@@ -11,7 +11,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 7'
+ 
+ description: |-
+ This profile contains configuration checks that align to the
+- DISA STIG with GUI for Red Hat Enterprise Linux V3R5.
++ DISA STIG with GUI for Red Hat Enterprise Linux V3R6.
+ 
+ In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this
+ configuration baseline as applicable to the operating system tier of
+diff --git a/shared/references/disa-stig-rhel7-v3r5-xccdf-manual.xml b/shared/references/disa-stig-rhel7-v3r6-xccdf-manual.xml
+similarity index 81%
+rename from shared/references/disa-stig-rhel7-v3r5-xccdf-manual.xml
+rename to shared/references/disa-stig-rhel7-v3r6-xccdf-manual.xml
+index a674d50..62c5f36 100644
+--- a/shared/references/disa-stig-rhel7-v3r5-xccdf-manual.xml
++++ b/shared/references/disa-stig-rhel7-v3r6-xccdf-manual.xml
+@@ -1,4 +1,4 @@
+-acceptedRed Hat Enterprise Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 5 Benchmark Date: 27 Oct 20213.2.2.360791.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000257-GPOS-00098<GroupDescription></GroupDescription>RHEL-07-010010The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system
files and commands match the vendor values.<VulnDiscussion>Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. ++acceptedRed Hat Enterprise Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 6 Benchmark Date: 27 Jan 20223.2.2.360791.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000257-GPOS-00098<GroupDescription></GroupDescription>RHEL-07-010010The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.<VulnDiscussion>Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. 
+ + Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71849SV-86473CCI-001494CCI-001496CCI-002165CCI-002235Run the following command to determine which package owns the file: + +@@ -543,20 +543,20 @@ Check for the value of the "maxrepeat" option in "/etc/security/pwquality.conf" + # grep maxrepeat /etc/security/pwquality.conf + maxrepeat = 3 + +-If the value of "maxrepeat" is set to more than "3", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010190The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. ++If the value of "maxrepeat" is set to more than "3", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010190The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + + Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86541V-71917CCI-000195Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option. + + Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value): + +-maxclassrepeat = 4The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password. ++maxclassrepeat = 4The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password. 
+ + Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: + +-# grep maxclassrepeat /etc/security/pwquality.conf ++$ sudo grep maxclassrepeat /etc/security/pwquality.conf + maxclassrepeat = 4 + +-If the value of "maxclassrepeat" is set to more than "4", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010200The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71919SV-86543CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. ++If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010200The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. 
If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71919SV-86543CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. + + Add the following line in "/etc/pam.d/system-auth": + pam_unix.so sha512 shadow try_first_pass use_authtok +@@ -661,7 +661,7 @@ Check for the value of the "minlen" option in "/etc/security/pwquality.conf" wit + # grep minlen /etc/security/pwquality.conf + minlen = 15 + +-If the command does not return a "minlen" value of 15 or greater, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010290The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71937SV-86561CCI-000366If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. ++If the command does not return a "minlen" value of 15 or greater, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010290The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71937SV-86561CCI-000366If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. + + Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords. 
+ +@@ -682,20 +682,21 @@ PermitEmptyPasswords no + + If no line, a commented line, or a line indicating the value "no" is returned, the required value is set. + +-If the required value is not set, this is a finding.SRG-OS-000118-GPOS-00060<GroupDescription></GroupDescription>RHEL-07-010310The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. ++If the required value is not set, this is a finding.SRG-OS-000118-GPOS-00060<GroupDescription></GroupDescription>RHEL-07-010310The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. 
+ +-Operating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86565V-71941CCI-000795Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) after the password expires. ++Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86565V-71941CCI-000795Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) 35 days after the password expires. + + Add the following line to "/etc/default/useradd" (or modify the line to have the required value): + +-INACTIVE=0If passwords are not being used for authentication, this is Not Applicable. ++INACTIVE=35 ++DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires.If passwords are not being used for authentication, this is Not Applicable. 
+ + Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the password expires with the following command: + + # grep -i inactive /etc/default/useradd +-INACTIVE=0 ++INACTIVE=35 + +-If the value is not set to "0", is commented out, or is not defined, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010320The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. ++If "INACTIVE" is set to "-1", a value greater than "35", is commented out, or is not defined, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010320The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. 
+ + Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71943SV-86567CCI-000044CCI-002236CCI-002237CCI-002238Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made. + +@@ -1615,7 +1616,7 @@ Note: The example will be for a system that is configured to create users' home + + # grep <file> /home/*/.* + +-If any local initialization files are found to reference world-writable files, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020900The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.<VulnDiscussion>If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72039SV-86663CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Run the following command to determine which package owns the device file: ++If any local initialization files are found to reference 
world-writable files, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020900The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.<VulnDiscussion>If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86663V-72039CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Run the following command to determine which package owns the device file: + + # rpm -qf <filename> + +@@ -2269,526 +2270,120 @@ The audit daemon must be restarted for the changes to take effect.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030370The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +- +-Audit records can be generated from various components within the information system (e.g., module or policy filter). +- +-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way. +- +-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86721V-72097CCI-000126CCI-000172Add or update the following rule in "/etc/audit/rules.d/audit.rules": +- +--a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -k perm_mod +- +--a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -k perm_mod +- +-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chown" syscall occur. +- +-Check the file system rules in "/etc/audit/audit.rules" with the following commands: +- +-# grep -iw chown /etc/audit/audit.rules +- +--a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -k perm_mod +- +--a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -k perm_mod +- +-If both the "b32" and "b64" audit rules are not defined for the "chown" syscall, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030380The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+- +-Audit records can be generated from various components within the information system (e.g., module or policy filter). +- +-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. +- +-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86723V-72099CCI-000126CCI-000172Add or update the following rules in "/etc/audit/rules.d/audit.rules": +- +--a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod +- +--a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod +- +-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchown" syscall occur. 
+- +-Check the file system rules in "/etc/audit/audit.rules" with the following commands: +- +-# grep -iw fchown /etc/audit/audit.rules +- +--a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod +- +--a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod +- +-If both the "b32" and "b64" audit rules are not defined for the "fchown" syscall, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030390The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +- +-Audit records can be generated from various components within the information system (e.g., module or policy filter). +- +-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
+- +-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72101SV-86725CCI-000126CCI-000172Add or update the following rules in "/etc/audit/rules.d/audit.rules": +- +--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod +- +--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod +- +-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lchown" syscall occur. +- +-Check the file system rules in "/etc/audit/audit.rules" with the following commands: +- +-# grep -iw lchown /etc/audit/audit.rules +- +--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod +- +--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod +- +-If both the "b32" and "b64" audit rules are not defined for the "lchown" syscall, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030400The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +- +-Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+-
+-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72103SV-86727CCI-000126CCI-000172Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+-
+--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchownat" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+-
+-# grep -iw fchownat /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-If both the "b32" and "b64" audit rules are not defined for the "fchownat" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030410The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+-
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+-
+-Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86729V-72105CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chmod" syscall occur.
+-
+-Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+-
+--a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chmod" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following command:
+-
+-# grep -iw chmod /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-If both the "b32" and "b64" audit rules are not defined for the "chmod" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030420The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+-
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+-
+-Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86731V-72107CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmod" syscall occur.
+-
+-Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+-
+--a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmod" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following command:
+-
+-# grep -iw fchmod /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-If both the "b32" and "b64" audit rules are not defined for the "fchmod" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030430The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+-
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+-
+-Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86733V-72109CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmodat" syscall occur.
+-
+-Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+-
+--a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmodat" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following command:
+-
+-# grep -iw fchmodat /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-If both the "b32" and "b64" audit rules are not defined for the "fchmodat" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030440The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+-
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+-
+-Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86735V-72111CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setxattr" syscall occur.
+-
+-Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+-
+--a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setxattr" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+-
+-# grep -iw setxattr /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-If both the "b32" and "b64" audit rules are not defined for the "setxattr" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030450The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+-
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+-
+-Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86737V-72113CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fsetxattr" syscall occur.
+-
+-Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+-
+--a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fsetxattr" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+-
+-# grep -iw fsetxattr /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-If both the "b32" and "b64" audit rules are not defined for the "fsetxattr" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030460The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+-
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+-
+-Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72115SV-86739CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lsetxattr" syscall occur.
+-
+-Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+-
+--a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lsetxattr" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+-
+-# grep -iw lsetxattr /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-If both the "b32" and "b64" audit rules are not defined for the "lsetxattr" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030470The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+-
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+-
+-Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72117SV-86741CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "removexattr" syscall occur.
+-
+-Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+-
+--a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "removexattr" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+-
+-# grep -iw removexattr /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-If both the "b32" and "b64" audit rules are not defined for the "removexattr" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030480The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+-
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+-
+-Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86743V-72119CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fremovexattr" syscall occur.
+-
+-Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+-
+--a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fremovexattr" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+-
+-# grep -iw fremovexattr /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-If both the "b32" and "b64" audit rules are not defined for the "fremovexattr" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030490The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+-
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+-
+-Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72121SV-86745CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lremovexattr" syscall occur.
+-
+-Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+-
+--a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lremovexattr" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+-
+-# grep -iw lremovexattr /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+--a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
+-
+-If both the "b32" and "b64" audit rules are not defined for the "lremovexattr" syscall, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030500The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+-
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+-
+-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72123SV-86747CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "creat" syscall occur.
+-
+-Add or update the following rules in "/etc/audit/rules.d/audit.rules:
+-
+--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "creat" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+-
+-# grep -iw creat /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S creat F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+-If both the "b32" and "b64" audit rules are not defined for the "creat" syscall, this is a finding.
+-
+-If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
+-
+-If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030510The Red Hat Enterprise Linux operating system must audit all uses of the open syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+-
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+-
+-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86749V-72125CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open" syscall occur.
+-
+-Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+-
+--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+-
+-# grep -iw open /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+-If both the "b32" and "b64" audit rules are not defined for the "open" syscall, this is a finding.
+-
+-If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
+-
+-If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030520The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+-
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+-
+-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72127SV-86751CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "openat" syscall occur.
+-
+-Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+-
+--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "openat" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+-
+-# grep -iw openat /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+-If both the "b32" and "b64" audit rules are not defined for the "openat" syscall, this is a finding.
+-
+-If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
+-
+-If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030530The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+-
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+-
+-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86753V-72129CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open_by_handle_at" syscall occur.
+-
+-Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+-
+--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open_by_handle_at" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+-
+-# grep -iw open_by_handle_at /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+-If both the "b32" and "b64" audit rules are not defined for the "open_by_handle_at" syscall, this is a finding.
+-
+-If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
+-
+-If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030540The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+-
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+-
+-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86755V-72131CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "truncate" syscall occur.
+-
+-Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+-
+--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "truncate" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+-
+-# grep -iw truncate /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-
+--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-
+-If both the "b32" and "b64" audit rules are not defined for the "truncate" syscall, this is a finding.
+-
+-If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
+-
+-If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030550The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+-
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+- +-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72133SV-86757CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ftruncate" syscall occur. +- +-Add or update the following rules in "/etc/audit/rules.d/audit.rules": +- +--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +- +--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +- +--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +- +--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +- +-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ftruncate" syscall occur. 
+- +-Check the file system rules in "/etc/audit/audit.rules" with the following commands: +- +-# grep -iw ftruncate /etc/audit/audit.rules +- +--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +- +--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +- +--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +- +--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030370The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat, and lchown syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. 
++ ++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86721V-72097CCI-000126CCI-000172Add or update the following rule in "/etc/audit/rules.d/audit.rules": + +-If both the "b32" and "b64" audit rules are not defined for the "ftruncate" syscall, this is a finding. ++-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod + +-If the output does not produce rules containing "-F exit=-EPERM", this is a finding. ++-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod + ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "chown", "fchown", "fchownat", and "lchown" syscalls. 
++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep chown /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod ++ ++If both the "b32" and "b64" audit rules are not defined for the "chown", "fchown", "fchownat", and "lchown" syscalls, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030410The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. 
++ ++Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86729V-72105CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" syscalls. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" syscalls. 
++ ++Check the file system rules in "/etc/audit/audit.rules" with the following command: ++ ++# grep chmod /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod ++ ++If both the "b32" and "b64" audit rules are not defined for the "chmod", "fchmod", and "fchmodat" syscalls, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030440The Red Hat Enterprise Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. 
++ ++Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86735V-72111CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls. 
++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep xattr /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++If both the "b32" and "b64" audit rules are not defined for the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030510The Red Hat Enterprise Linux operating system must audit all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. 
++ ++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86749V-72125CCI-000172CCI-002884Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls. 
++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep 'open\|truncate\|creat' /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++If both the "b32" and "b64" audit rules are not defined for the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls, this is a finding. ++ ++If the output does not produce rules containing "-F exit=-EPERM", this is a finding. ++ + If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030560The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+@@ -3273,51 +2868,31 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command: + + -a always,exit -F arch=b64 -S create_module -k module-change + +-If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030820The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +- +-Audit records can be generated from various components within the information system (e.g., module or policy filter). +- +-Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72187SV-86811CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "init_module" syscall occur. +- +-Add or update the following rules in "/etc/audit/rules.d/audit.rules": +- +--a always,exit -F arch=b32 -S init_module -k module-change +- +--a always,exit -F arch=b64 -S init_module -k module-change +- +-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "init_module" syscall occur. 
+- +-Check the auditing rules in "/etc/audit/audit.rules" with the following command: +- +-# grep -iw init_module /etc/audit/audit.rules +- +--a always,exit -F arch=b32 -S init_module -k module-change +- +--a always,exit -F arch=b64 -S init_module -k module-change +- +-If both the "b32" and "b64" audit rules are not defined for the "init_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030821The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +- +-Audit records can be generated from various components within the information system (e.g., module or policy filter). +- +-Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-79001SV-93707CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "finit_module" syscall occur. 
+- +-Add or update the following rules in "/etc/audit/rules.d/audit.rules": +- +--a always,exit -F arch=b32 -S finit_module -k module-change +- +--a always,exit -F arch=b64 -S finit_module -k module-change +- +-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "finit_module" syscall occur. +- +-Check the auditing rules in "/etc/audit/audit.rules" with the following command: +- +-# grep -iw finit_module /etc/audit/audit.rules +- +--a always,exit -F arch=b32 -S finit_module -k module-change +- +--a always,exit -F arch=b64 -S finit_module -k module-change +- +-If both the "b32" and "b64" audit rules are not defined for the "finit_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030830The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030820The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). 
++ ++The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. ++ ++Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72187SV-86811CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S init_module,finit_module -k modulechange ++ ++-a always,exit -F arch=b64 -S init_module,finit_module -k modulechange ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. 
++ ++Check the auditing rules in "/etc/audit/audit.rules" with the following command: ++ ++# grep init_module /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S init_module,finit_module -k modulechange ++ ++-a always,exit -F arch=b64 -S init_module,finit_module -k modulechange ++ ++If both the "b32" and "b64" audit rules are not defined for the "init_module" and "finit_module" syscalls, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030830The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + +@@ -3442,117 +3017,31 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command: + + -w /etc/security/opasswd -p wa -k identity + +-If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030880The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. +- +-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
+- +-Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86823V-72199CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rename" syscall occur. +- +-Add the following rules in "/etc/audit/rules.d/audit.rules": +- +--a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k delete +- +--a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k delete +- +-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rename" syscall occur. +- +-Check the file system rules in "/etc/audit/audit.rules" with the following commands: +- +-# grep -iw rename /etc/audit/audit.rules +- +--a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k delete +- +--a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k delete +- +-If both the "b32" and "b64" audit rules are not defined for the "rename" syscall, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030890The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. 
+- +-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. +- +-Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86825V-72201CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "renameat" syscall occur. +- +-Add the following rules in "/etc/audit/rules.d/audit.rules": +- +--a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -k delete +- +--a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -k delete +- +-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "renameat" syscall occur. 
+- +-Check the file system rules in "/etc/audit/audit.rules" with the following commands: +- +-# grep -iw renameat /etc/audit/audit.rules +- +--a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -k delete +- +--a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -k delete +- +-If both the "b32" and "b64" audit rules are not defined for the "renameat" syscall, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030900The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. +- +-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. +- +-Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72203SV-86827CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rmdir" syscall occur. 
+-
+-Add the following rules in "/etc/audit/rules.d/audit.rules":
+-
+--a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -k delete
+-
+--a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -k delete
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rmdir" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+-
+-# grep -iw rmdir /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -k delete
+-
+--a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -k delete
+-
+-If both the "b32" and "b64" audit rules are not defined for the "rmdir" syscall, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030910The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+-
+-Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72205SV-86829CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlink" syscall occur.
+-
+-Add the following rules in "/etc/audit/rules.d/audit.rules":
+-
+--a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -k delete
+-
+--a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -k delete
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlink" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+-
+-# grep -iw unlink /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -k delete
+-
+--a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -k delete
+-
+-If both the "b32" and "b64" audit rules are not defined for the "unlink" syscall, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030920The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
+-
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+-
+-Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72207SV-86831CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur.
+-
+-Add the following rules in "/etc/audit/rules.d/audit.rules":
+-
+--a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -k delete
+-
+--a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -k delete
+-
+-The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur.
+-
+-Check the file system rules in "/etc/audit/audit.rules" with the following commands:
+-
+-# grep -iw unlinkat /etc/audit/audit.rules
+-
+--a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -k delete
+-
+--a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -k delete
+-
+-If both the "b32" and "b64" audit rules are not defined for the "unlinkat" syscall, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-031000The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.<VulnDiscussion>Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86833V-72209CCI-000366Modify the "/etc/rsyslog.conf" or an "/etc/rsyslog.d/*.conf" file to contain a configuration line to send all "rsyslog" output to a log aggregation system:
++If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030910The Red Hat Enterprise Linux operating system must audit all uses of the unlink, unlinkat, rename, renameat, and rmdir syscalls.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
++
++When a user logs on, the auid is set to the uid of the account that is being authenticated. 
Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
++
++The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
++
++Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72205SV-86829CCI-000172CCI-002884Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls.
++
++Add the following rules in "/etc/audit/rules.d/audit.rules":
++
++-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete
++
++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete
++
++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls.
++
++Check the file system rules in "/etc/audit/audit.rules" with the following commands:
++
++# grep 'unlink\|rename\|rmdir' /etc/audit/audit.rules
++
++-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete
++
++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete
++
++If both the "b32" and "b64" audit rules are not defined for the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-031000The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.<VulnDiscussion>Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86833V-72209CCI-000366Modify the "/etc/rsyslog.conf" or an "/etc/rsyslog.d/*.conf" file to contain a configuration line to send all "rsyslog" output to a log aggregation system:
+ *.* @@<log aggregation system name>Verify "rsyslog" is configured to send all messages to a log aggregation server.
+ 
+ Check the configuration of "rsyslog" with the following command:
+@@ -4119,15 +3608,15 @@ Check that the SSH daemon performs compression after a user successfully authent
+ # grep -i compression /etc/ssh/sshd_config
+ Compression delayed
+ 
+-If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>RHEL-07-040500The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
++If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>RHEL-07-040500The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
+ 
+ Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
+ 
+ Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
+ 
+-Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72269SV-86893CCI-001891CCI-002046Edit the "/etc/ntp.conf" or "/etc/chrony.conf" file and add or update an entry to define "maxpoll" to "10" as follows:
++Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72269SV-86893CCI-001891CCI-002046Edit the "/etc/ntp.conf" or "/etc/chrony.conf" file and add or update an entry to define "maxpoll" to "16" as follows:
+ 
+-server 0.rhel.pool.ntp.org iburst maxpoll 10
++server 0.rhel.pool.ntp.org iburst maxpoll 16
+ 
+ If NTP was running and "maxpoll" was updated, the NTP service must be restarted:
+ 
+@@ -4143,7 +3632,7 @@ If "chronyd" was running and "maxpoll" was updated, the service must be restarte
+ 
+ If "chronyd" was not running, it 
must be started:
+ 
+-# systemctl start chronyd.serviceCheck to see if NTP is running in continuous mode:
++# systemctl start chronyd.serviceCheck to see if NTP is running in continuous mode:
+ 
+ # ps -ef | grep ntp
+ 
+@@ -4157,9 +3646,9 @@ If the NTP process is found, then check the "ntp.conf" file for the "maxpoll" op
+ 
+ # grep maxpoll /etc/ntp.conf
+ 
+-server 0.rhel.pool.ntp.org iburst maxpoll 10
++server 0.rhel.pool.ntp.org iburst maxpoll 16
+ 
+-If the option is set to "17" or is not set, this is a finding.
++If the "maxpoll" option is set to a number greater than 16 or the line is commented out, this is a finding.
+ 
+ If the file does not exist, check the "/etc/cron.daily" subdirectory for a crontab file controlling the execution of the "ntpd -q" command.
+ 
+@@ -4174,7 +3663,7 @@ If the "chronyd" process is found, then check the "chrony.conf" file for the "ma
+ 
+ # grep maxpoll /etc/chrony.conf
+ 
+-server 0.rhel.pool.ntp.org iburst maxpoll 10
++server 0.rhel.pool.ntp.org iburst maxpoll 16
+ 
+ If the option is not set or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040520The Red Hat Enterprise Linux operating system must enable an application firewall, if available.<VulnDiscussion>Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.
+ 
+@@ -4919,11 +4408,11 @@ $ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/*
+ 
+ If the either of the following entries are returned, this is a finding:
+ ALL ALL=(ALL) ALL
+-ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010342The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. 
When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
++ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010342The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
+ For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:
+ Defaults !targetpw
+ Defaults !rootpw
+-Defaults !runaspwVerify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.
++Defaults !runaspwVerify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.
+ 
+ $ sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
+ 
+@@ -4931,10 +4420,11 @@ $ sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | g
+ /etc/sudoers:Defaults !rootpw
+ /etc/sudoers:Defaults !runaspw
+ 
+-If no results are returned, this is a finding
++If no results are returned, this is a finding.
++If results are returned from more than one file location, this is a finding.
+ If "Defaults !targetpw" is not defined, this is a finding.
+ If "Defaults !rootpw" is not defined, this is a finding.
+-If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010343The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
++If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010343The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
+ 
+ When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command.
+ 
+@@ -4944,11 +4434,13 @@ $ sudo visudo
+ 
+ Add or modify the following line:
+ Defaults timestamp_timeout=[value]
+-Note: The "[value]" must be a number that is greater than or equal to "0".Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges.
++Note: The "[value]" must be a number that is greater than or equal to "0".Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges.
+ 
+ $ sudo grep -i 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/*
+ /etc/sudoers:Defaults timestamp_timeout=0
+ 
++If results are returned from more than one file location, this is a finding.
++
+ If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010483Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
+ The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000213Configure the system to have a unique name for the grub superusers account.
+ 
+@@ -5029,19 +4521,80 @@ Check the SELinux ssh_sysadm_login boolean with the following command:
+ $ sudo getsebool ssh_sysadm_login
+ ssh_sysadm_login --> off
+ 
+-If the "ssh_sysadm_login" boolean is not "off" and is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020023The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
++If the "ssh_sysadm_login" boolean is not "off" and is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020023The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
+ 
+ Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002165CCI-002235Configure the operating system to elevate the SELinux context when an administrator calls the sudo command.
+ Edit a file in the /etc/sudoers.d directory with the following command:
+ $ sudo visudo -f /etc/sudoers.d/<customfile>
+ 
+ Use the following example to build the <customfile> in the /etc/sudoers.d directory to allow any administrator belonging to a designated sudoers admin group to elevate their SELinux context with the use of the sudo command:
+-%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALLNote: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux.
++%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALLNote: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux.
+ 
+ Verify the operating system elevates the SELinux context when an administrator calls the sudo command with the following command:
+ 
+ This command must be ran as root:
+-# grep sysadm_r /etc/sudoers.d/*
++# grep sysadm_r /etc/sudoers /etc/sudoers.d/*
+ %wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
+ 
+-If a designated sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to "sysadm_t" and "sysadm_r" with the use of the sudo command, this is a finding. 
+\ No newline at end of file
++If results are returned from more than one file location, this is a finding.
++
++If a designated sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to "sysadm_t" and "sysadm_r" with the use of the sudo command, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010291The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands:
++
++Perform a password reset:
++$ sudo passwd [username]
++Lock an account:
++$ sudo passwd -l [username]Check the "/etc/shadow" file for blank passwords with the following command:
++
++$ sudo awk -F: '!$2 {print $1}' /etc/shadow
++
++If the command returns any results, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010339The Red Hat Enterprise Linux operating system must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. 
Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.
++
++It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Configure the /etc/sudoers file to only include the /etc/sudoers.d directory.
++
++Edit the /etc/sudoers file with the following command:
++
++$ sudo visudo
++
++Add or modify the following line:
++#includedir /etc/sudoers.dVerify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command:
++
++$ sudo grep include /etc/sudoers
++
++#includedir /etc/sudoers.d
++
++If the results are not "/etc/sudoers.d" or additional files or directories are specified, this is a finding.
++
++Verify the operating system does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command:
++
++$ sudo grep include /etc/sudoers.d/*
++
++If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010344The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
++
++When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
++
++Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002038Configure the operating system to require users to supply a password for privilege escalation.
++
++Check the configuration of the "/etc/ pam.d/sudo" file with the following command:
++$ sudo vi /etc/pam.d/sudo
++
++Remove any occurrences of "pam_succeed_if" in the file.Verify the operating system is not be configured to bypass password requirements for privilege escalation.
++
++Check the configuration of the "/etc/pam.d/sudo" file with the following command:
++
++$ sudo grep pam_succeed_if /etc/pam.d/sudo
++
++If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020029The Red Hat Enterprise Linux operating system must use a file integrity tool to verify correct operation of all security functions.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
++
++This requirement applies to the Red Hat Enterprise Linux operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002696Install the AIDE package by running the following command:
++
++$ sudo yum install aideVerify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions.
++
++Check that the AIDE package is installed with the following command:
++
++$ sudo rpm -q aide
++
++aide-0.16-14.el8.x86_64
++
++If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.
++
++If there is no application installed to perform integrity checks, this is a finding.
+\ No newline at end of file
diff --git a/SOURCES/scap-security-guide-0.1.61-update_RHEL_08_010383-PR_8138.patch b/SOURCES/scap-security-guide-0.1.61-update_RHEL_08_010383-PR_8138.patch
new file mode 100644
index 0000000..90fd05e
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.61-update_RHEL_08_010383-PR_8138.patch
@@ -0,0 +1,189 @@ +From 133d331a04e1ba27324291006c65c2bfa467e49d Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 1 Feb 2022 16:54:16 +0100 +Subject: [PATCH 1/2] Update RHEL-08-010383 to require only one occurrence of a + config. + +The V1R5 release of RHEL8 STIG requires that the configuration should be +present only in one configuration file to prevent any ordering problem +when the modules loads the configuration using drop-in files that use +the lexicographically order of file names. +--- + .../sudo/sudoers_validate_passwd/ansible/shared.yml | 6 +++--- + .../sudo/sudoers_validate_passwd/oval/shared.xml | 12 ++++++------ + .../software/sudo/sudoers_validate_passwd/rule.yml | 3 ++- + .../tests/sudoers_validate_passwd_duplicates.fail.sh | 7 +++++++ + 4 files changed, 18 insertions(+), 10 deletions(-) + create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh + +diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml +index 08ffd76aed6..19673634fb3 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml +@@ -4,6 +4,6 @@ + # complexity = low + # disruption = low + +-{{{ ansible_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !targetpw', create='yes', state='present') }}} +-{{{ ansible_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !rootpw', create='yes', state='present') }}} +-{{{ ansible_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !runaspw', create='yes', state='present') }}} ++{{{ ansible_only_lineinfile(msg='Ensure that Defaults !targetpw is defined in 
sudoers', line_regex='^Defaults !targetpw$', path='/etc/sudoers', new_line='Defaults !targetpw') }}} ++{{{ ansible_only_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', line_regex='^Defaults !rootpw$', path='/etc/sudoers', new_line='Defaults !rootpw') }}} ++{{{ ansible_only_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', line_regex='^Defaults !runaspw$', path='/etc/sudoers', new_line='Defaults !runaspw') }}} +diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml +index 646e6bfb7c0..b3fadd53bee 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml +@@ -8,17 +8,17 @@ + + + +- + + + +- + + + +- + + +@@ -26,19 +26,19 @@ + + ^/etc/sudoers(\.d/.*)?$ + ^Defaults !targetpw$\r?\n +- 1 ++ 1 + + + + ^/etc/sudoers(\.d/.*)?$ + ^Defaults !rootpw$\r?\n +- 1 ++ 1 + + + + ^/etc/sudoers(\.d/.*)?$ + ^Defaults !runaspw$\r?\n +- 1 ++ 1 + + + +diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml +index ccc29b77d15..698021d8fd0 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml +@@ -42,7 +42,8 @@ ocil_clause: 'invoke user passwd when using sudo' + ocil: |- + Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation: +
 sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
+- If no results are returned, this is a finding ++ If no results are returned, this is a finding. ++ If results are returned from more than one file location, this is a finding. + If "Defaults !targetpw" is not defined, this is a finding. + If "Defaults !rootpw" is not defined, this is a finding. + If "Defaults !runaspw" is not defined, this is a finding. +diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh +new file mode 100644 +index 00000000000..6247b5230e4 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh +@@ -0,0 +1,7 @@ ++# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15 ++# packages = sudo ++ ++echo 'Defaults !targetpw' >> /etc/sudoers ++echo 'Defaults !rootpw' >> /etc/sudoers ++echo 'Defaults !runaspw' >> /etc/sudoers ++echo 'Defaults !runaspw' >> /etc/sudoers + +From 315b248c77252fc3145cdf34fede98b1a32a7c04 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 9 Feb 2022 15:24:23 +0100 +Subject: [PATCH 2/2] Update remediations of sudoers_validate_passwd to remove + duplicates. 
+ +--- + .../ansible/shared.yml | 20 +++++++++++++++++++ + .../sudoers_validate_passwd/bash/shared.sh | 12 +++++++++++ + .../tests/sudoers_d_duplicate.fail.sh | 9 +++++++++ + 3 files changed, 41 insertions(+) + create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh + +diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml +index 19673634fb3..399ca1ea3ce 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml +@@ -4,6 +4,26 @@ + # complexity = low + # disruption = low + ++{{%- macro delete_line_in_sudoers_d(line) %}} ++- name: "Find out if /etc/sudoers.d/* files contain {{{ line }}} to be deduplicated" ++ find: ++ path: "/etc/sudoers.d" ++ patterns: "*" ++ contains: '^{{{ line }}}$' ++ register: sudoers_d_defaults ++ ++- name: "Remove found occurrences of {{{ line }}} from /etc/sudoers.d/* files" ++ lineinfile: ++ path: "{{ item.path }}" ++ regexp: "^{{{ line }}}$" ++ state: absent ++ with_items: "{{ sudoers_d_defaults.files }}" ++{{%- endmacro %}} ++ ++{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}} ++{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}} ++{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}} ++ + {{{ ansible_only_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', line_regex='^Defaults !targetpw$', path='/etc/sudoers', new_line='Defaults !targetpw') }}} + {{{ ansible_only_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', line_regex='^Defaults !rootpw$', path='/etc/sudoers', new_line='Defaults !rootpw') }}} + {{{ ansible_only_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', line_regex='^Defaults !runaspw$', path='/etc/sudoers', new_line='Defaults !runaspw') }}} +diff --git 
a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh +index ea0ac67fa1c..3b327f3fc88 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh +@@ -1,5 +1,17 @@ + # platform = multi_platform_all + ++{{%- macro delete_line_in_sudoers_d(line) %}} ++if grep -x '^{{{line}}}$' /etc/sudoers.d/*; then ++ find /etc/sudoers.d/ -type f -exec sed -i "/{{{line}}}/d" {} \; ++fi ++{{%- endmacro %}} ++ ++{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}} ++{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}} ++{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}} ++ + {{{ set_config_file(path="/etc/sudoers", parameter="Defaults !targetpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}} + {{{ set_config_file(path="/etc/sudoers", parameter="Defaults !rootpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}} + {{{ set_config_file(path="/etc/sudoers", parameter="Defaults !runaspw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}} ++ ++ +diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh +new file mode 100644 +index 00000000000..a258d108a00 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh +@@ -0,0 +1,9 @@ ++# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15 ++# packages = sudo ++ ++echo 'Defaults !targetpw' >> /etc/sudoers ++echo 'Defaults !rootpw' >> /etc/sudoers ++echo 'Defaults !runaspw' >> /etc/sudoers ++echo 'Defaults !targetpw' >> 
/etc/sudoers.d/00-complianceascode.conf ++echo 'Defaults !rootpw' >> /etc/sudoers.d/00-complianceascode.conf ++echo 'Defaults !runaspw' >> /etc/sudoers.d/00-complianceascode.conf diff --git a/SOURCES/scap-security-guide-0.1.61-update_RHEL_08_010385-PR_8220.patch b/SOURCES/scap-security-guide-0.1.61-update_RHEL_08_010385-PR_8220.patch new file mode 100644 index 0000000..c64e503 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.61-update_RHEL_08_010385-PR_8220.patch 
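Review bot: The bash macro `delete_line_in_sudoers_d` guards with an exact-line match, `grep -x '^{{{line}}}$' /etc/sudoers.d/*`, but then removes with an unanchored expression, `sed -i "/{{{line}}}/d"`, so once any drop-in holds an exact duplicate, every line in every /etc/sudoers.d file that merely contains the text is deleted, including a commented-out `# Defaults !targetpw` in an unrelated file. Anchoring the removal the same way as the guard, `find /etc/sudoers.d/ -type f -exec sed -i "/^{{{line}}}$/d" {} \;`, keeps the two in agreement. Neither this bash variant nor the Ansible `lineinfile ... state: absent` task validates the edited drop-in files afterwards, whereas the sudo_require_reauthentication remediation later in this series backs up and `visudo -qcf`-checks /etc/sudoers before committing a change; a short comment explaining why line deletion in drop-ins is considered safe without validation, or a validation step, would help the next maintainer. The two trailing `++` blank lines appended to bash/shared.sh look unintentional.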
@@ -0,0 +1,163 @@ +From 573ae69742cf372d41da6c56a3051745326055cd Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 14 Feb 2022 15:54:37 +0100 +Subject: [PATCH] Update RHEL-08-010385 to allow only one occurrence of config. + +This configuration must appear at only one place so it doesn't get +overriden by a different file that can loaded on a different order and +the intended configuration is replaced by non-compliant value. +--- + .../ansible/shared.yml | 36 ++++++++++++++++++ + .../bash/shared.sh | 38 +++++++++++++++++++ + .../oval/shared.xml | 4 +- + .../sudo_require_reauthentication/rule.yml | 14 +------ + .../tests/multiple_correct_value.fail.sh | 10 +++++ + 5 files changed, 87 insertions(+), 15 deletions(-) + create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml + create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh + create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh + +diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml +new file mode 100644 +index 00000000000..b0c67a69af9 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml +@@ -0,0 +1,36 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++{{{ ansible_instantiate_variables("var_sudo_timestamp_timeout") }}} ++- name: "Find out if /etc/sudoers.d/* files contain 'Defaults timestamp_timeout' to be deduplicated" ++ find: ++ path: "/etc/sudoers.d" ++ patterns: "*" ++ contains: '^[\s]*Defaults\s.*\btimestamp_timeout=.*' ++ register: sudoers_d_defaults_timestamp_timeout ++ ++- name: "Remove found occurrences of 'Defaults timestamp_timeout' from /etc/sudoers.d/* files" ++ lineinfile: 
++ path: "{{ item.path }}" ++ regexp: '^[\s]*Defaults\s.*\btimestamp_timeout=.*' ++ state: absent ++ with_items: "{{ sudoers_d_defaults_timestamp_timeout.files }}" ++ ++- name: Ensure timestamp_timeout is enabled with the appropriate value in /etc/sudoers ++ lineinfile: ++ path: /etc/sudoers ++ regexp: '^[\s]*Defaults\s(.*)\btimestamp_timeout=[-]?\w+\b(.*)$' ++ line: 'Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2' ++ validate: /usr/sbin/visudo -cf %s ++ backrefs: yes ++ register: edit_sudoers_timestamp_timeout_option ++ ++- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers ++ lineinfile: # noqa 503 ++ path: /etc/sudoers ++ line: 'Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}' ++ validate: /usr/sbin/visudo -cf %s ++ when: edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed +diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh +new file mode 100644 +index 00000000000..0b623ed4a49 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh +@@ -0,0 +1,38 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++ ++{{{ bash_instantiate_variables("var_sudo_timestamp_timeout") }}} ++ ++if grep -x '^[\s]*Defaults.*\btimestamp_timeout=.*' /etc/sudoers.d/*; then ++ find /etc/sudoers.d/ -type f -exec sed -i "/^[\s]*Defaults.*\btimestamp_timeout=.*/d" {} \; ++fi ++ ++if /usr/sbin/visudo -qcf /etc/sudoers; then ++ cp /etc/sudoers /etc/sudoers.bak ++ if ! 
grep -P '^[\s]*Defaults.*\btimestamp_timeout=[-]?\w+\b\b.*$' /etc/sudoers; then ++ # sudoers file doesn't define Option timestamp_timeout ++ echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers ++ else ++ # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set ++ if ! grep -P "^[\s]*Defaults.*\btimestamp_timeout=${var_sudo_timestamp_timeout}\b.*$" /etc/sudoers; then ++ ++ sed -Ei "s/(^[\s]*Defaults.*\btimestamp_timeout=)[-]?\w+(\b.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers ++ fi ++ fi ++ ++ # Check validity of sudoers and cleanup bak ++ if /usr/sbin/visudo -qcf /etc/sudoers; then ++ rm -f /etc/sudoers.bak ++ else ++ echo "Fail to validate remediated /etc/sudoers, reverting to original file." ++ mv /etc/sudoers.bak /etc/sudoers ++ false ++ fi ++else ++ echo "Skipping remediation, /etc/sudoers failed to validate" ++ false ++fi +diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml +index 8f404ca6065..dfc319b6f1f 100644 +--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml ++++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml +@@ -6,13 +6,13 @@ + + + +- ++ + + + + + +- /etc/sudoers ++ ^/etc/sudoers(\.d/.*)?$ + ^[\s]*Defaults[\s]+timestamp_timeout=([-]?[\d]+)$ + 1 + +diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml +index 42c6e28f9e6..eebb96678f1 100644 +--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml +@@ -50,16 +50,4 @@ ocil: |- +
sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d
+ The output should be: +
/etc/sudoers:Defaults timestamp_timeout=0
or "timestamp_timeout" is set to a positive number. +- +-template: +- name: sudo_defaults_option +- vars: +- option: timestamp_timeout +- variable_name: "var_sudo_timestamp_timeout" +- # optional minus char added so remediation can detect properly if item is already configured +- option_regex_suffix: '=[-]?\w+\b' +- backends: +- # Template is not able to accomodate this particular check. +- # It needs to check for an integer greater than or equal to zero +- oval: "off" +- ++ If results are returned from more than one file location, this is a finding. +diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh +new file mode 100644 +index 00000000000..a258d6632b5 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++ ++ ++if grep -q 'timestamp_timeout' /etc/sudoers; then ++ sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=3/' /etc/sudoers ++else ++ echo "Defaults timestamp_timeout=3" >> /etc/sudoers ++fi ++ ++echo "Defaults timestamp_timeout=3" > /etc/sudoers.d/00-complianceascode-test.conf diff --git a/SOURCES/scap-security-guide-0.1.61-update_accounts_password_template-PR_8164.patch b/SOURCES/scap-security-guide-0.1.61-update_accounts_password_template-PR_8164.patch new file mode 100644 index 0000000..89430f7 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.61-update_accounts_password_template-PR_8164.patch 
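Review bot: In the new bash/shared.sh, `grep -x '^[\s]*Defaults.*\btimestamp_timeout=.*' /etc/sudoers.d/*` and the following `sed -i "/^[\s]*Defaults.*\btimestamp_timeout=.*/d"` are basic-regex calls, where `[\s]` is a bracket expression matching a literal backslash or the letter `s` rather than whitespace, while the later `grep -P` calls, the Ansible `regexp`, and the OVAL pattern `^[\s]*Defaults[\s]+timestamp_timeout=...` all treat `\s` as whitespace. A drop-in line with leading whitespace therefore survives the deduplication but, as far as the stripped OVAL markup lets one tell, still counts against the check now scoped to `^/etc/sudoers(\.d/.*)?$`, leaving the rule failing after remediation. Using `if grep -P '^\s*Defaults.*\btimestamp_timeout=.*' /etc/sudoers.d/*; then` for the guard and `sed -i '/^[[:space:]]*Defaults.*\btimestamp_timeout=.*/d'` for the removal aligns the remediation with the check. The drop-in deletion also runs before and outside the backup-and-`visudo -qcf` block that protects /etc/sudoers, so a deletion that breaks a drop-in (for instance a `Defaults` line continued with a trailing backslash) is never reverted; extending that pattern to the edited drop-ins, or a comment stating why this is acceptable, would close the gap.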
@@ -0,0 +1,131 @@ +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml +index 912c783650a..9a829ac5119 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml +@@ -47,7 +47,7 @@ ocil_clause: 'that is not the case' + ocil: |- + To check the value for maximum consecutive repeating characters, run the following command: +
$ grep maxclassrepeat /etc/security/pwquality.conf
+- For DoD systems, the output should show maxclassrepeat=4. ++ For DoD systems, the output should show maxclassrepeat=4 or less but greater than zero. + + platform: pam + +@@ -56,3 +56,4 @@ template: + vars: + variable: maxclassrepeat + operation: less than or equal ++ zero_comparison_operation: greater than +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh +new file mode 100644 +index 00000000000..5d91559d4a2 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++ ++if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then ++ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 4/' /etc/security/pwquality.conf ++else ++ echo "maxclassrepeat = 4" >> /etc/security/pwquality.conf ++fi ++ +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh +new file mode 100644 +index 00000000000..4bd8070eb7e +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++ ++if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then ++ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 2/' /etc/security/pwquality.conf ++else ++ echo "maxclassrepeat = 2" >> /etc/security/pwquality.conf ++fi ++ +diff --git 
a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh +new file mode 100644 +index 00000000000..61538a4945f +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then ++ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = -1/' /etc/security/pwquality.conf ++else ++ echo "maxclassrepeat = -1" >> /etc/security/pwquality.conf ++fi +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh +new file mode 100644 +index 00000000000..2218250ec7b +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++ ++if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then ++ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 5/' /etc/security/pwquality.conf ++else ++ echo "maxclassrepeat = 5" >> /etc/security/pwquality.conf ++fi ++ +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh +new file mode 100644 +index 00000000000..780873c6a86 +--- /dev/null ++++ 
b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++ ++if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then ++ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 0/' /etc/security/pwquality.conf ++else ++ echo "maxclassrepeat = 0" >> /etc/security/pwquality.conf ++fi ++ +diff --git a/shared/templates/accounts_password/oval.template b/shared/templates/accounts_password/oval.template +index 332a2800317..b995db11ea4 100644 +--- a/shared/templates/accounts_password/oval.template ++++ b/shared/templates/accounts_password/oval.template +@@ -7,11 +7,14 @@ + + + +- + + ++ {{%- if ZERO_COMPARISON_OPERATION %}} ++ ++ {{%- endif %}} + + + +@@ -24,5 +27,11 @@ + + + ++ {{%- if ZERO_COMPARISON_OPERATION %}} ++ ++ 0 ++ ++ {{%- endif %}} ++ + + +diff --git a/shared/templates/accounts_password/template.py b/shared/templates/accounts_password/template.py +index 65c25ec7991..ab849d1fa72 100644 +--- a/shared/templates/accounts_password/template.py ++++ b/shared/templates/accounts_password/template.py +@@ -1,4 +1,7 @@ ++from ssg.utils import parse_template_boolean_value ++ + def preprocess(data, lang): + if lang == "oval": + data["sign"] = "-?" if data["variable"].endswith("credit") else "" ++ data["zero_comparison_operation"] = data.get("zero_comparison_operation", None) + return data diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index 14af195..fa75cc6 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -7,7 +7,7 @@ Name: scap-security-guide Version: 0.1.57 -Release: 4%{?dist} +Release: 6%{?dist} Summary: Security guidance and baselines in SCAP formats Group: System Environment/Base 
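Review bot: The template.py hunk adds `from ssg.utils import parse_template_boolean_value` but the visible body never calls it; the only new statement is `data["zero_comparison_operation"] = data.get("zero_comparison_operation", None)`. Either remove the import or use it (or an explicit allow-list of operation names) so the value a rule supplies is validated before it reaches the OVAL template, which appears to interpolate it under the `{{%- if ZERO_COMPARISON_OPERATION %}}` guard; the template markup is stripped here, so how the value is consumed is inferred. Whether the new assignment sits inside the `if lang == "oval":` branch or at function level is not recoverable from the collapsed indentation, and a comment such as `# zero_comparison_operation is optional; None leaves the extra zero bound out of the OVAL` would document the default for rule authors either way.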
@@ -93,6 +93,14 @@ Patch73: scap-security-guide-0.1.59-fix_auditd_overflow_action.patch
 Patch74: scap-security-guide-0.1.59-rhel_selinux_doc-PR_7724.patch
 Patch75: scap-security-guide-0.1.59-sshd_priv_keys_600-PR_7742.patch
 Patch76: scap-security-guide-0.1.59-stig_v3_r5_update-PR_7804.patch
+Patch77: scap-security-guide-0.1.61-rhel8_stig_v1r5-PR_8050.patch
+Patch78: scap-security-guide-0.1.61-update_RHEL_07_STIG-PR_8140.patch
+Patch79: scap-security-guide-0.1.61-update_accounts_password_template-PR_8164.patch
+Patch80: scap-security-guide-0.1.61-update_RHEL_08_010383-PR_8138.patch
+Patch81: scap-security-guide-0.1.61-update_RHEL_08_010385-PR_8220.patch
+Patch82: scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch
+Patch83: scap-security-guide-0.1.61-update_RHEL7_STIG-PR_8225.patch
+Patch84: add-include-remediation-back-to-sudo_require_reauthentication.patch
 BuildArch: noarch
@@ -195,6 +203,12 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{_builddir}/%{name}-%{versio
 %endif
 %changelog
+* Fri Feb 25 2022 Gabriel Becker - 0.1.57-6
+- Fix bash remediation of sudo_require_reauthentication (RHBZ#2049532)
+
+* Thu Feb 17 2022 Gabriel Becker - 0.1.57-5
+- Update RHEL7 DISA STIG profile to v3r6 (RHBZ#2049532)
+
 * Tue Nov 02 2021 Gabriel Becker - 0.1.57-4
 - Update RHEL7 DISA STIG profile to v3r5 (RHBZ#1996678)